openEuler 20.03 LTS SP4 update for zeromq

1) Resource management error

EUVDB-ID: #VU46682

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15166

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the application when processing TCP requests. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP4

zeromq-help: before 4.3.4-1

zeromq-devel: before 4.3.4-1

zeromq-debugsource: before 4.3.4-1

zeromq-debuginfo: before 4.3.4-1

cppzmq-devel: before 4.3.4-1

zeromq: before 4.3.4-1

External links

http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1133

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.