Red Hat update for libtirpc
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-14622 |
| CWE-ID | CWE-476 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Red Hat Enterprise Linux for IBM z Systems Operating systems & Components / Operating system Red Hat Enterprise Linux Server Operating systems & Components / Operating system Red Hat Enterprise Linux EUS Compute Node Operating systems & Components / Operating system Red Hat Enterprise Linux for Power Operating systems & Components / Operating system Red Hat Enterprise Linux for Scientific Computing Operating systems & Components / Operating system Red Hat Enterprise Linux Desktop Operating systems & Components / Operating system Red Hat Enterprise Linux Workstation Operating systems & Components / Operating system |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Memory corruption
EUVDB-ID: #VU14577
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-14622
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to boundary error when checking the return value of the makefd_xprt() function, as defined in the svc_vc.csource code. A remote attacker can flood a targeted system with new connections, exhaust the maximum number of available file descriptors, trigger NULL pointer dereference and cause the affected software to terminate abnormally.
MitigationInstall update from vendor's website.
Vulnerable software versionsRed Hat Enterprise Linux for IBM z Systems: 7 - 7.5
Red Hat Enterprise Linux Server: 7 - 7.5
Red Hat Enterprise Linux EUS Compute Node: 7.4 - 7.5
Red Hat Enterprise Linux for Power: 7 - 7.5
Red Hat Enterprise Linux for Scientific Computing: 7
Red Hat Enterprise Linux Desktop: 7
Red Hat Enterprise Linux Workstation: 7
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems:7:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems:7.5:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server:7:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_server:7.5:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_eus_compute_node:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_eus_compute_node:7.5:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power:7:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power:7.4:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_scientific_computing:7:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_desktop:7:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_workstation:7:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHBA-2017:1991
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
