SB2019121311 - Multiple vulnerabilities in Apache SpamAssassin
Published: December 13, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-12420)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing multipart email messages. A remote attacker can send a specially crafted email message and consume all available resources on the system.
2) OS Command Injection (CVE-ID: CVE-2018-11805)
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to nefarious CF files can be configured to run system commands without any output. A local user can inject arbitrary commands into nefarious CF files and compromise the system or execute arbitrary code with elevated privileges.
Remediation
Install update from vendor's website.
References
- http://www.openwall.com/lists/oss-security/2019/12/12/2
- https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7747
- https://lists.apache.org/thread.html/5863d6c42fc9595a29566732f12348cde0ca0e41bda91695c62041de@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/5ef362d6da12126fafc81443309ca95d872d1bfd011fe4b2699f0fe9@%3Cusers.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/64cf76749956dd08f7d5b86ec9f3321f382cfd7fe717ccd1be940c92@%3Cannounce.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/e3c2367351286b77a74a082e2b66b793cceefa7b6ea9dcd162db4c4b@%3Cdev.spamassassin.apache.org%3E
- https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
- http://www.openwall.com/lists/oss-security/2019/12/12/1
- https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7647
- https://lists.apache.org/thread.html/2946b38caec47f7f6a79e8e03d2aa723794186e59a7dc6b5e76dfc18@%3Cannounce.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/6f89f82a573ea616dce53ec67e52d963618a9f9ac71da5c1efdbd166@%3Cusers.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/bc58907171c6585e5875a3ce86066d4956c218911cb74e3156de4433@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/d015dc5b4f24fd6777a85d068502a9c5d58d69d877ed5b0eb9a22cd5@%3Cdev.spamassassin.apache.org%3E
- https://seclists.org/oss-sec/2019/q4/154