Lucene search

K
amazonAmazonALAS2-2018-1132
HistoryDec 17, 2018 - 7:14 p.m.

Medium: python3

2018-12-1719:14:00
alas.aws.amazon.com
24
python3
expat
denial of service
amazon linux 2
update
vulnerability
cve-2018-14647

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

Low

EPSS

0.006

Percentile

79.3%

Issue Overview:

Python’s elementtree C accelerator failed to initialise Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM.(CVE-2018-14647)

Affected Packages:

python3

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python3 to update your system.

New Packages:

aarch64:  
    python3-3.7.1-9.amzn2.0.1.aarch64  
    python3-libs-3.7.1-9.amzn2.0.1.aarch64  
    python3-devel-3.7.1-9.amzn2.0.1.aarch64  
    python3-tools-3.7.1-9.amzn2.0.1.aarch64  
    python3-tkinter-3.7.1-9.amzn2.0.1.aarch64  
    python3-test-3.7.1-9.amzn2.0.1.aarch64  
    python3-debug-3.7.1-9.amzn2.0.1.aarch64  
    python3-debuginfo-3.7.1-9.amzn2.0.1.aarch64  
  
i686:  
    python3-3.7.1-9.amzn2.0.1.i686  
    python3-libs-3.7.1-9.amzn2.0.1.i686  
    python3-devel-3.7.1-9.amzn2.0.1.i686  
    python3-tools-3.7.1-9.amzn2.0.1.i686  
    python3-tkinter-3.7.1-9.amzn2.0.1.i686  
    python3-test-3.7.1-9.amzn2.0.1.i686  
    python3-debug-3.7.1-9.amzn2.0.1.i686  
    python3-debuginfo-3.7.1-9.amzn2.0.1.i686  
  
src:  
    python3-3.7.1-9.amzn2.0.1.src  
  
x86_64:  
    python3-3.7.1-9.amzn2.0.1.x86_64  
    python3-libs-3.7.1-9.amzn2.0.1.x86_64  
    python3-devel-3.7.1-9.amzn2.0.1.x86_64  
    python3-tools-3.7.1-9.amzn2.0.1.x86_64  
    python3-tkinter-3.7.1-9.amzn2.0.1.x86_64  
    python3-test-3.7.1-9.amzn2.0.1.x86_64  
    python3-debug-3.7.1-9.amzn2.0.1.x86_64  
    python3-debuginfo-3.7.1-9.amzn2.0.1.x86_64  

Additional References

Red Hat: CVE-2018-14647

Mitre: CVE-2018-14647

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

Low

EPSS

0.006

Percentile

79.3%