Home > Vulnerability Database > CVE-2018-0739

Mend.io Vulnerability Database

CVE-2018-0739

Good to know:

Date: March 27, 2018

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).

Language: C

Severity Score

6.5

Related Resources (37)

Url: https://security.netapp.com/advisory/ntap-20180726-0002/

Url: https://access.redhat.com/errata/RHSA-2019:0367

Url: https://access.redhat.com/errata/RHSA-2018:3505

Url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Url: https://security.gentoo.org/glsa/201811-21

Url: https://access.redhat.com/errata/RHSA-2019:0366

Url: https://access.redhat.com/errata/RHSA-2018:3090

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Url: https://www.openssl.org/news/secadv/20180327.txt

Url: https://securityadvisories.paloaltonetworks.com/Home/Detail/133

Url: http://www.securityfocus.com/bid/105609

Url: https://security.netapp.com/advisory/ntap-20180330-0002/

Url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Url: https://security.gentoo.org/glsa/202007-53

Url: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Url: https://access.redhat.com/security/cve/CVE-2018-0739

Url: https://usn.ubuntu.com/3611-2/

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Url: https://www.debian.org/security/2018/dsa-4158

Url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-0739

Url: https://www.debian.org/security/2018/dsa-4157

Url: https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9310d45087ae546e27e61ddf8f6367f29848220d

Url: http://www.securitytracker.com/id/1040576

Url: https://access.redhat.com/errata/RHSA-2019:1712

Url: https://www.oracle.com//security-alerts/cpujul2021.html

Url: https://access.redhat.com/errata/RHSA-2019:1711

Url: https://www.tenable.com/security/tns-2018-04

Url: https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33

Url: https://usn.ubuntu.com/3611-1/

Url: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/

Url: https://access.redhat.com/errata/RHSA-2018:3221

Url: https://www.tenable.com/security/tns-2018-06

Url: http://www.securityfocus.com/bid/103518

Url: https://lists.debian.org/debian-lts-announce/2018/03/msg00033.html

Url: https://www.tenable.com/security/tns-2018-07

Url: https://www.mend.io/vulnerability-database/CVE-2018-0739

Severity Score

6.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Uncontrolled Recursion

CWE-674

Top Fix

Upgrade Version

Upgrade to version nodejs - 8.11.1;nodejs - 9.11.0;finsec.poco-basic-windows-v140 - no_fix;OpenSSL.Static.Uwp - no_fix;finsec.poco-windows-v141 - no_fix;OpenSSL.Windows-1.0.2n - no_fix;openssl.v140_xp.windesktop.msvcstl.dyn.rt-static.x86 - no_fix;PicoTorrent.Libs - 0.12.0;PicoTorrent.Libs - 0.6.0;z3/t3build-node - 1.0.11;combat-dev-mingw64 - no_fix;emersonfxbx.openssl.v140.desktop.x86 - no_fix;emersonfxbx.openssl.v140.desktop.x64 - no_fix;rtools - no_fix;openssl-android - no_fix;zeroc.openssl.v140 - 1.0.2.5;openssl.v140.windesktop.msvcstl.static.rt-dyn.x86 - no_fix;openssl.v140_xp.windesktop.msvcstl.static.rt-static.x86 - no_fix;openssl.v140.windesktop.msvcstl.static.rt-dyn.x64 - no_fix;OpenSSL.Uwp - no_fix;cmake-binary - 3.9.1;openssl.v120.dyn-rt.static - no_fix;m2w64-openssl - no_fix;openssl-src - 110.0.2+1.1.0h;openssl - 1.0.2o;openssl.v140.windesktop.msvcstl.dyn.rt-dyn.x64 - no_fix;rmt_openssl - 1.1.0.3;openssl - 1.1.1d;openssl.v120.windesktop.msvcstl.dyn.rt-dyn.x86 - no_fix;openssl.v140.windesktop.msvcstl.dyn.rt-dyn.x86 - no_fix;finsec.poco-windows-v140 - no_fix;open_ssl - 1.1.0;Universal.OpenSSL - no_fix;StrawberryPerl64 - no_fix;hadouken.openssl - no_fix;openssl - 1.1.0.h-1;rmt.openssl - no_fix;grpc.dependencies.openssl - no_fix;openssl.v120.windesktop.msvcstl.static.rt-dyn.x64 - no_fix;epsitec-openssl - 1.0.2.1;zeroc.openssl.v120 - 1.0.2.5;grpc.experimentaldependencies.openssl - no_fix;luminix.openssl.android - no_fix;aerospike-client-c-dependencies - no_fix;openssl.v120.windesktop.msvcstl.dyn.rt-dyn.x64 - no_fix;openssl.v120.windesktop.msvcstl.static.rt-dyn.x86 - no_fix;org.webjars.npm:nodegit:no_fix

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-0739

Good to know:

Date: March 27, 2018

Language: C

Severity Score

Related Resources (37)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?