Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU50404
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-27618
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop within the iconv implementation when processing multi-byte input sequences in the IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 encodings. A remote attacker can pass specially crafted data to the application, consume all available system resources and cause denial of service conditions.
Mitigation
Update the affected package glibc to the latest version.
Vulnerable software versions
SUSE OpenStack Cloud Crowbar: 9
SUSE Linux Enterprise Software Development Kit: 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP4
SUSE Linux Enterprise Server: 12-SP4-LTSS - 12-SP5
SUSE OpenStack Cloud: 9
glibc-devel-static: before 2.22-114.8.3
glibc-info: before 2.22-114.8.3
glibc-i18ndata: before 2.22-114.8.3
glibc-html: before 2.22-114.8.3
nscd-debuginfo: before 2.22-114.8.3
nscd: before 2.22-114.8.3
glibc-profile-32bit: before 2.22-114.8.3
glibc-profile: before 2.22-114.8.3
glibc-locale-debuginfo-32bit: before 2.22-114.8.3
glibc-locale-debuginfo: before 2.22-114.8.3
glibc-locale-32bit: before 2.22-114.8.3
glibc-locale: before 2.22-114.8.3
glibc-devel-debuginfo-32bit: before 2.22-114.8.3
glibc-devel-debuginfo: before 2.22-114.8.3
glibc-devel-32bit: before 2.22-114.8.3
glibc-devel: before 2.22-114.8.3
glibc-debugsource: before 2.22-114.8.3
glibc-debuginfo-32bit: before 2.22-114.8.3
glibc-debuginfo: before 2.22-114.8.3
glibc-32bit: before 2.22-114.8.3
glibc: before 2.22-114.8.3
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20211165-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU49670
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-29562
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when converting UCS4 text containing an irreversible character in the iconv function in the GNU C Library (aka glibc or libc6). A remote attacker can pass specially crafted data to the library, trigger an assertion failure and perform a denial of service attack.
Mitigation
Update the affected package glibc to the latest version.
Vulnerable software versions
SUSE OpenStack Cloud Crowbar: 9
SUSE Linux Enterprise Software Development Kit: 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP4
SUSE Linux Enterprise Server: 12-SP4-LTSS - 12-SP5
SUSE OpenStack Cloud: 9
glibc-devel-static: before 2.22-114.8.3
glibc-info: before 2.22-114.8.3
glibc-i18ndata: before 2.22-114.8.3
glibc-html: before 2.22-114.8.3
nscd-debuginfo: before 2.22-114.8.3
nscd: before 2.22-114.8.3
glibc-profile-32bit: before 2.22-114.8.3
glibc-profile: before 2.22-114.8.3
glibc-locale-debuginfo-32bit: before 2.22-114.8.3
glibc-locale-debuginfo: before 2.22-114.8.3
glibc-locale-32bit: before 2.22-114.8.3
glibc-locale: before 2.22-114.8.3
glibc-devel-debuginfo-32bit: before 2.22-114.8.3
glibc-devel-debuginfo: before 2.22-114.8.3
glibc-devel-32bit: before 2.22-114.8.3
glibc-devel: before 2.22-114.8.3
glibc-debugsource: before 2.22-114.8.3
glibc-debuginfo-32bit: before 2.22-114.8.3
glibc-debuginfo: before 2.22-114.8.3
glibc-32bit: before 2.22-114.8.3
glibc: before 2.22-114.8.3
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20211165-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50362
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-29573
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error (out-of-bounds write) within sysdeps/i386/ldbl2mpn.c in the GNU C Library on x86 systems. A remote attacker can pass specially crafted data to an application that uses the vulnerable version of glibc and crash it.
Mitigation
Update the affected package glibc to the latest version.
Vulnerable software versions
SUSE OpenStack Cloud Crowbar: 9
SUSE Linux Enterprise Software Development Kit: 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP4
SUSE Linux Enterprise Server: 12-SP4-LTSS - 12-SP5
SUSE OpenStack Cloud: 9
glibc-devel-static: before 2.22-114.8.3
glibc-info: before 2.22-114.8.3
glibc-i18ndata: before 2.22-114.8.3
glibc-html: before 2.22-114.8.3
nscd-debuginfo: before 2.22-114.8.3
nscd: before 2.22-114.8.3
glibc-profile-32bit: before 2.22-114.8.3
glibc-profile: before 2.22-114.8.3
glibc-locale-debuginfo-32bit: before 2.22-114.8.3
glibc-locale-debuginfo: before 2.22-114.8.3
glibc-locale-32bit: before 2.22-114.8.3
glibc-locale: before 2.22-114.8.3
glibc-devel-debuginfo-32bit: before 2.22-114.8.3
glibc-devel-debuginfo: before 2.22-114.8.3
glibc-devel-32bit: before 2.22-114.8.3
glibc-devel: before 2.22-114.8.3
glibc-debugsource: before 2.22-114.8.3
glibc-debuginfo-32bit: before 2.22-114.8.3
glibc-debuginfo: before 2.22-114.8.3
glibc-32bit: before 2.22-114.8.3
glibc: before 2.22-114.8.3
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20211165-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
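All three entries above share the same fix: every listed glibc package must be at 2.22-114.8.3 or later. The script below is an added example (not part of the bulletin or of SUSE's tooling) that checks installed package versions against that threshold using a simplified RPM version-comparison algorithm, so that a release such as 114.12.1 is correctly treated as newer than 114.8.3 rather than compared as a string. The sample rpm output is constructed for illustration.

```python
import re
from typing import List, Tuple

# Fixed version-release from the bulletin (no epoch on these packages).
FIXED_VERSION = "2.22-114.8.3"

# Constructed sample, shaped like: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' glibc ...
SAMPLE_RPM_OUTPUT = """glibc 2.22-114.5.1
glibc-32bit 2.22-114.8.3
glibc-locale 2.22-114.8.3
nscd 2.22-114.12.1
glibc-devel 2.22-100.5
"""


def _segments(s: str) -> List[str]:
    # rpmvercmp tokenises on runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b (no tilde/caret handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):          # numeric segments compare as integers
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():  # a numeric segment sorts after an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:                      # alpha segments compare lexically
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string wins on a tie


def compare_evr(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings the way RPM does: version first, then release."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def vulnerable_packages(rpm_output: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (name, version) for every package still below the fixed version."""
    found = []
    for line in rpm_output.splitlines():
        if line.strip():
            name, ver = line.split()
            if compare_evr(ver, fixed) < 0:
                found.append((name, ver))
    return found
```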