CVE-2018-1000808 — Improper Resource Shutdown or Release in Project Pyopenssl

CWE-404 — Improper Resource Shutdown or Release CWE-401 — Missing Release of Memory after Effective Lifetime CWE-400 — Uncontrolled Resource Consumption12 documents8 sources

Severity

5.9MEDIUMNVD

EPSS

0.2%

top 63.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyopenssl Pyopenssl Project Pyopenssl Canonical Ubuntu Linux +5 more

Timeline

PublishedOct 8

Latest updateNov 8

Description

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability…

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages8 packages

▶PyPIpyopenssl/pyopenssl< 17.5.0

▶NVDpyopenssl_project/pyopenssl< 17.5.0

▶Debianpyopenssl/pyopenssl< 17.5.0-1+3

▶NVDredhat/openstack13

▶NVDredhat/gluster_storage3.0

Also affects: Ubuntu Linux 16.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

pyopenssl vulnerabilities↗2018-11-08

▶

OSV

Pyopenssl Incorrect Memory Management↗2018-10-10

▶

GHSA

Pyopenssl Incorrect Memory Management↗2018-10-10

▶

CVEList

CVE-2018-1000808: Python Cryptographic Authority pyopenssl version Before 17↗2018-10-08

▶

OSV

CVE-2018-1000808: Python Cryptographic Authority pyopenssl version Before 17↗2018-10-08

▶

📋Vendor Advisories

Ubuntu

pyOpenSSL vulnerabilities↗2018-11-08

▶

Debian

CVE-2018-1000808: pyopenssl - Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - ...↗2018

▶

Red Hat

pyOpenSSL: Failure to release memory before removing last reference in PKCS #12 Store↗2017-11-29

▶

💬Community

Bugzilla

CVE-2018-1000807 CVE-2018-1000808 pyOpenSSL: various flaws [fedora-28]↗2018-10-17

▶

Bugzilla

CVE-2018-1000808 pyOpenSSL: Failure to release memory before removing last reference in PKCS #12 Store↗2018-10-17

▶

Bugzilla

CVE-2018-1000807 CVE-2018-1000808 pyOpenSSL: various flaws [openstack-rdo]↗2018-10-17

▶