#VU16549 Improper input validation in SpamAssassin - CVE-2017-15705

Cybersecurity Help s.r.o.

Published: 2018-12-15 | Updated: 2018-12-17

Vulnerability identifier: #VU16549

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-15705

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SpamAssassin
Server applications / DLP, anti-spam, sniffers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in Apache SpamAssassin, using HTML::Parser due to an the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed when an object and hook are setup into the begin and end tag event handlers. A remote attacker can supply certain unclosed tags in specially crafted emails that cause markup to be handled incorrectly leading to scan timeouts.

Mitigation
Update to version 3.4.2.

Vulnerable software versions

SpamAssassin: 2.1.0 - 3.4.1

External links
https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c@%3Cann...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for spamassassin

Gentoo update for SpamAssassin

Amazon Linux AMI update for spamassassin

Red Hat update for spamassassin

Improper input validation in spamassassin (Alpine package)