CVE-2018-0739 — Uncontrolled Recursion in Openssl
CWE-674 — Uncontrolled RecursionCWE-320CWE-400 — Uncontrolled Resource Consumption14 documents10 sources
Severity
6.5MEDIUMNVD
EPSS
14.4%
top 5.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 27
Latest updateMar 17
Description
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6
Affected Packages7 packages
▶CVEListV5openssl/opensslFixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n), Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g)+1
Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10
Patches
🔴Vulnerability Details
2📋Vendor Advisories
8💬Community
3Bugzilla▶
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service↗2018-03-28
Bugzilla▶
CVE-2018-0739 mingw-openssl: openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service [epel-7]↗2018-03-28
Bugzilla▶
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service [fedora-all]↗2018-03-28