#VU43427 Resource management error in Python - CVE-2012-0845

Cybersecurity Help s.r.o.

Published: 2012-10-06 | Updated: 2020-08-11

Vulnerability identifier: #VU43427

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-0845

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Python: 0.9.0 - 0.9.1, 1.2 - 1.6.1, 2.0 - 2.0.1, 2.1 - 2.1.3, 2.2 - 2.2.3, 2.3.1 - 2.3.7, 2.4.1 - 2.4.6, 2.5.1 - 2.5.150, 2.6.1 - 2.6.6150, 2.7.1 - 2.7.2150, 3.0 - 3.0.1, 3.1 - 3.1.4, 3.2 - 3.2.2150

External links
https://bugs.python.org/issue14001
https://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
https://python.org/download/releases/2.6.8/
https://python.org/download/releases/2.7.3/
https://python.org/download/releases/3.1.5/
https://python.org/download/releases/3.2.3/
https://secunia.com/advisories/50858
https://secunia.com/advisories/51024
https://secunia.com/advisories/51040
https://secunia.com/advisories/51087
https://secunia.com/advisories/51089
https://www.openwall.com/lists/oss-security/2012/02/13/4
https://www.securitytracker.com/id?1026689
https://www.ubuntu.com/usn/USN-1592-1
https://www.ubuntu.com/usn/USN-1596-1
https://www.ubuntu.com/usn/USN-1613-1
https://www.ubuntu.com/usn/USN-1613-2
https://www.ubuntu.com/usn/USN-1615-1
https://www.ubuntu.com/usn/USN-1616-1
https://bugzilla.redhat.com/show_bug.cgi?id=789790

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Python

Amazon Linux AMI update for python26

Amazon Linux AMI update for python27

Amazon Linux AMI update for python26

Fedora EPEL 5 update for python26