Lucene search

K
amazonAmazonALAS-2018-1132
HistoryDec 20, 2018 - 12:01 a.m.

Medium: python34, python36

2018-12-2000:01:00
alas.aws.amazon.com
292

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

74.5%

Issue Overview:

Python’s elementtree C accelerator failed to initialise Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM.(CVE-2018-14647)

Affected Packages:

python34, python36

Issue Correction:
Run yum update python34 to update your system.
Run yum update python36 to update your system.

New Packages:

i686:  
    python34-devel-3.4.9-1.40.amzn1.i686  
    python34-tools-3.4.9-1.40.amzn1.i686  
    python34-test-3.4.9-1.40.amzn1.i686  
    python34-debuginfo-3.4.9-1.40.amzn1.i686  
    python34-3.4.9-1.40.amzn1.i686  
    python34-libs-3.4.9-1.40.amzn1.i686  
    python36-debug-3.6.7-1.10.amzn1.i686  
    python36-tools-3.6.7-1.10.amzn1.i686  
    python36-debuginfo-3.6.7-1.10.amzn1.i686  
    python36-test-3.6.7-1.10.amzn1.i686  
    python36-libs-3.6.7-1.10.amzn1.i686  
    python36-3.6.7-1.10.amzn1.i686  
    python36-devel-3.6.7-1.10.amzn1.i686  
  
src:  
    python34-3.4.9-1.40.amzn1.src  
    python36-3.6.7-1.10.amzn1.src  
  
x86_64:  
    python34-libs-3.4.9-1.40.amzn1.x86_64  
    python34-3.4.9-1.40.amzn1.x86_64  
    python34-debuginfo-3.4.9-1.40.amzn1.x86_64  
    python34-tools-3.4.9-1.40.amzn1.x86_64  
    python34-devel-3.4.9-1.40.amzn1.x86_64  
    python34-test-3.4.9-1.40.amzn1.x86_64  
    python36-3.6.7-1.10.amzn1.x86_64  
    python36-debug-3.6.7-1.10.amzn1.x86_64  
    python36-devel-3.6.7-1.10.amzn1.x86_64  
    python36-tools-3.6.7-1.10.amzn1.x86_64  
    python36-test-3.6.7-1.10.amzn1.x86_64  
    python36-libs-3.6.7-1.10.amzn1.x86_64  
    python36-debuginfo-3.6.7-1.10.amzn1.x86_64  

Additional References

Red Hat: CVE-2018-14647

Mitre: CVE-2018-14647

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

74.5%