Vulnerability Name:

CVE-2020-27618 (CCN-196446)

Assigned:2020-07-09
Published:2020-07-09
Updated:2022-10-28
Summary:The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.
CVSS v3 Severity:5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-835
Vulnerability Consequences:Data Manipulation
References:Source: MITRE
Type: CNA
CVE-2020-27618

Source: CCN
Type: Red Hat Bugzilla – Bug 1893708
(CVE-2020-27618) - CVE-2020-27618 glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop

Source: XF
Type: UNKNOWN
glibc-iconv-cve202027618-dos(196446)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20221017 [SECURITY] [DLA 3152-1] glibc security update

Source: GENTOO
Type: Third Party Advisory
GLSA-202107-07

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210401-0006/

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=19519#c21

Source: CCN
Type: Sourceware Bugzilla – Bug 26224
(CVE-2020-27618) - iconv hangs when converting some invalid inputs from several IBM character sets (CVE-2020-27618)

Source: MISC
Type: Exploit, Issue Tracking, Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=26224

Source: CCN
Type: glibc GIT Repository
iconv: Accept redundant shift sequences in IBM1364 [BZ #26224]

Source: CCN
Type: IBM Security Bulletin 6470873 (Elastic Storage System)
glibc vulnerability affects IBM Elastic Storage System (CVE-2020-27618)

Source: CCN
Type: IBM Security Bulletin 6479657 (Watson Speech Services)
A vulnerability in glibc impacts IBM Watson Speech Services

Source: CCN
Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
Cloud Pak for Security is vulnerable to several CVEs

Source: CCN
Type: IBM Security Bulletin 6520474 (QRadar SIEM)
IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6536648 (App Connect Professional)
App Connect Professional is affected by GNU C Library vulnerability.

Source: CCN
Type: IBM Security Bulletin 6538418 (Security Verify Access)
Multiple Security Vulnerabilities fixed in IBM Security Verify Access

Source: CCN
Type: IBM Security Bulletin 6608642 (Cloud Pak System)
Vulnerability in glibc affect OS Image for Red Hat Enterprise Linux shipped with Cloud Pak System (CVE-2020-27618)

Source: CCN
Type: IBM Security Bulletin 6853463 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6982841 (Netcool Operations Insight)
Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities.

Source: MISC
Type: Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-27618

Vulnerable Configuration:Configuration 1:
  • cpe:/a:gnu:glibc:*:*:*:*:*:*:*:* (Version <= 2.32)

    • Configuration 2:
  • cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:netapp:a250_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:a250:-:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/o:netapp:500f_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:500f:-:*:*:*:*:*:*:*

    • Configuration 5:
  • cpe:/o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:h410c:-:*:*:*:*:*:*:*

    • Configuration 6:
  • cpe:/o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:h300s:-:*:*:*:*:*:*:*

    • Configuration 7:
  • cpe:/o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:h500s:-:*:*:*:*:*:*:*

    • Configuration 8:
  • cpe:/o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:h700s:-:*:*:*:*:*:*:*

    • Configuration 9:
  • cpe:/o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:h300e:-:*:*:*:*:*:*:*

    • Configuration 10:
  • cpe:/o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:h500e:-:*:*:*:*:*:*:*

    • Configuration 11:
  • cpe:/o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:h700e:-:*:*:*:*:*:*:*

    • Configuration 12:
  • cpe:/o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:netapp:h410s:-:*:*:*:*:*:*:*

    • Configuration 13:
  • cpe:/a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*

    • Configuration 14:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:gnu:glibc:2.31:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_system:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.4:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8010
    P
    		glibc-devel-32bit-2.31-150300.46.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:7510
    P
    		glibc-2.31-150300.46.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:93158
    P
    		 (Important)
    2022-07-14
    oval:org.opensuse.security:def:93311
    P
    		 (Important)
    2022-07-08
    oval:org.opensuse.security:def:3568
    P
    		libXv1-1.0.10-7.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:3385
    P
    		tpm2.0-tools-3.1.4-1.12 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94680
    P
    		libp11-kit0-0.23.22-150400.1.10 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:95015
    P
    		glibc-devel-32bit-2.31-150300.20.7 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94946
    P
    		libical-devel-3.0.10-150400.1.8 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:2935
    P
    		glibc-2.31-150300.20.7 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:94565
    P
    		glibc-2.31-150300.20.7 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:68
    P
    		glibc-2.31-7.30 on GA media (Moderate)
    2022-06-13
    oval:org.opensuse.security:def:101659
    P
    		Security update for python-libxml2-python (Important)
    2022-03-10
    oval:org.opensuse.security:def:99203
    P
    		 (Important)
    2022-01-25
    oval:org.opensuse.security:def:112305
    P
    		glibc-2.34-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:997
    P
    		Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container (Important)
    2022-01-10
    oval:org.opensuse.security:def:4537
    P
    		Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP5) (Important)
    2021-12-14
    oval:org.opensuse.security:def:102214
    P
    		Security update for util-linux (Moderate)
    2021-10-20
    oval:org.opensuse.security:def:105828
    P
    		glibc-2.34-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:101393
    P
    		python3-virt-bootstrap-1.0.0-5.3.124 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:1919
    P
    		glibc-devel-32bit-2.31-7.20 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:63008
    P
    		glibc-devel-32bit-2.31-7.20 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:71827
    P
    		glibc-2.31-7.30 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:100844
    P
    		glibc-2.31-7.30 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:72727
    P
    		glibc-devel-32bit-2.31-7.20 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:101266
    P
    		glibc-devel-32bit-2.31-7.20 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62086
    P
    		glibc-2.31-7.30 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:99398
    P
    		 (Moderate)
    2021-07-20
    oval:com.redhat.rhsa:def:20211585
    P
    		RHSA-2021:1585: glibc security, bug fix, and enhancement update (Moderate)
    2021-05-18
    oval:org.opensuse.security:def:59455
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:88411
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:33890
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:125515
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:23882
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:59713
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:89110
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:34404
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:5014
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:126686
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:26027
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:60227
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:89368
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:51870
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:88099
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:127083
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:33632
    P
    		Security update for glibc (Important)
    2021-04-13
    oval:org.opensuse.security:def:111242
    P
    		Security update for glibc (Important)
    2021-02-27
    oval:org.opensuse.security:def:9454
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:92253
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:117839
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:108880
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:67042
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:99796
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:10398
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:8707
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:93005
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:70348
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:74694
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:9648
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:92448
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:69594
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:97247
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:100108
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:8897
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:70538
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:108059
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:64657
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:76110
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:9847
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:95501
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:92647
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:69788
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:9092
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:92058
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:117573
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:108325
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:65626
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:99597
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:10208
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:5953
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:92846
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:69987
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:73779
    P
    		Security update for glibc (Important)
    2021-02-26
    oval:org.opensuse.security:def:99008
    P
    		Security update for glibc (Important)
    2021-02-26
    BACK
    gnu glibc *
    netapp ontap select deploy administration utility -
    netapp a250 firmware -
    netapp a250 -
    netapp 500f firmware -
    netapp 500f -
    netapp h410c firmware -
    netapp h410c -
    netapp h300s firmware -
    netapp h300s -
    netapp h500s firmware -
    netapp h500s -
    netapp h700s firmware -
    netapp h700s -
    netapp h300e firmware -
    netapp h300e -
    netapp h500e firmware -
    netapp h500e -
    netapp h700e firmware -
    netapp h700e -
    netapp h410s firmware -
    netapp h410s -
    oracle communications cloud native core service communication proxy 1.14.0
    debian debian linux 10.0
    gnu glibc 2.31
    ibm qradar security information and event manager 7.3
    ibm cloud pak system 2.3
    ibm elastic storage server 6.0.0
    ibm qradar security information and event manager 7.4 -
    ibm security verify access 10.0.0
    ibm security verify access 10.0.2.0
    ibm elastic storage system 6.0.0
    ibm cloud pak for security 1.7.0.0
    ibm cloud pak for security 1.7.1.0
    ibm cloud pak for security 1.7.2.0
    ibm security verify access 10.0.1.0
    ibm robotic process automation for cloud pak 21.0.1
    ibm robotic process automation for cloud pak 21.0.2
    ibm robotic process automation for cloud pak 21.0.3
    ibm robotic process automation for cloud pak 21.0.5
    ibm robotic process automation for cloud pak 21.0.4