CVE-2018-14647

Description

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

CVSS Metrics

• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• v3.0•MEDIUM•Score: 5.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 1.25%• Percentile: 80%

Techniques & Countermeasures

• CWE-909•Missing Initialization of Resource

  The product does not initialize a critical resource.

• CWE-665•Improper Initialization

  The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

• CWE-335•Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Affected Systems

• canonical•ubuntu_linux

  12.04 | 14.04 | 16.04 | 18.04

• debian•debian_linux

  8.0 | 9.0

• fedoraproject•fedora

  30

• opensuse•leap

  15.1

• python•python

  ≥ 2.7.0, ≤ 2.7.15 | ≥ 3.4.0, ≤ 3.4.9 | ≥ 3.5.0, ≤ 3.5.6 | ≥ 3.6.0, ≤ 3.6.6 | 3.7.0

• redhat•enterprise_linux_desktop

  7.0

• redhat•enterprise_linux_server

  7.0

• redhat•enterprise_linux_workstation

  7.0

• the python project•python

  3.8, 3.7, 3.6, 3.5, 3.4, 2.7

References (16)

• https://www.debian.org/security/2018/dsa-4306
• https://usn.ubuntu.com/3817-2/
• http://www.securitytracker.com/id/1041740
• http://www.securityfocus.com/bid/105396
• https://www.debian.org/security/2018/dsa-4307
• https://bugs.python.org/issue34623
• https://usn.ubuntu.com/3817-1/
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/
• https://access.redhat.com/errata/RHSA-2019:1260
• https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
• https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html
• https://access.redhat.com/errata/RHSA-2019:2030
• https://access.redhat.com/errata/RHSA-2019:3725
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
• https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E