SB2018080403 - OpenSUSE Linux update for wireshark

Main Vulnerability Database SB2018080403

SB2018080403 - OpenSUSE Linux update for wireshark

Published: August 4, 2018

Security Bulletin ID SB2018080403

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 10

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 10 vulnerabilities.

1) Infinite loop (CVE-ID: CVE-2018-14339)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a flaw when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file, trigger infinite loop and cause the MMSE dissector to crash.

2) Improper input validation (CVE-ID: CVE-2018-14340)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a flaw when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file and cause the dissectors that support zlib decompression to crash.

3) Infinite loop (CVE-ID: CVE-2018-14341)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an infinite loop when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file, consume excessive CPU resources and cause the DICOM dissector to crash.

4) Resource exhaustion (CVE-ID: CVE-2018-14342)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a flaw when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file, consume excessive CPU resources and cause the BGP dissector to crash.

5) Improper input validation (CVE-ID: CVE-2018-14343)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a flaw when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file and cause the ASN.1 BER dissector to crash.

6) Improper input validation (CVE-ID: CVE-2018-14344)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a flaw when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file and cause the ISMP dissector to crash.

7) Improper input validation (CVE-ID: CVE-2018-14367)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a flaw when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file and cause the CoAP protocol dissector to crash.

8) Infinite loop (CVE-ID: CVE-2018-14368)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an infinite loop when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file, consume excessive CPU resources and cause the Bazaar protocol dissector to crash.

9) Improper input validation (CVE-ID: CVE-2018-14369)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a flaw when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file and cause the HTTP2 protocol dissector to crash.

10) Improper input validation (CVE-ID: CVE-2018-14370)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a flaw when handling malicious input. A remote attacker can inject a malformed packet onto the wire or trick the victim into reading a malformed packet trace file and cause the IEEE 802.11 protocol dissector to crash.

Remediation

Install update from vendor's website.

References

https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00004.html