#VU111757 Infinite loop in tcl - CVE-2007-4772


Vulnerability identifier: #VU111757

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2007-4772

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
tcl
Other software / Other software solutions

Vendor: tcl.sourceforge.net

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

tcl: 8.0.2 - 8.4.16

External links
https://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01420154
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
https://lists.opensuse.org/opensuse-security-announce/2008-02/msg00000.html
https://lists.opensuse.org/opensuse-security-announce/2016-02/msg00049.html
https://lists.opensuse.org/opensuse-security-announce/2016-02/msg00052.html
https://lists.opensuse.org/opensuse-security-announce/2016-02/msg00054.html
https://lists.opensuse.org/opensuse-security-announce/2016-02/msg00056.html
https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html
https://rhn.redhat.com/errata/RHSA-2013-0122.html
https://security.gentoo.org/glsa/glsa-200801-15.xml
https://securitytracker.com/id?1019157
https://sourceforge.net/project/shownotes.php?release_id=565440&group_id=10894
https://sourceforge.net/tracker/index.php?func=detail&aid=1810264&group_id=10894&atid=110894
https://sunsolve.sun.com/search/document.do?assetkey=1-26-103197-1
https://sunsolve.sun.com/search/document.do?assetkey=1-66-200559-1
https://www.debian.org/security/2008/dsa-1460
https://www.debian.org/security/2008/dsa-1463
https://www.mandriva.com/security/advisories?name=MDVSA-2008:004
https://www.mandriva.com/security/advisories?name=MDVSA-2008:059
https://www.postgresql.org/about/news.905
https://www.redhat.com/support/errata/RHSA-2008-0038.html
https://www.redhat.com/support/errata/RHSA-2008-0040.html
https://www.redhat.com/support/errata/RHSA-2008-0134.html
https://www.securityfocus.com/archive/1/485864/100/0/threaded
https://www.securityfocus.com/archive/1/486407/100/0/threaded
https://www.securityfocus.com/archive/1/493080/100/0/threaded
https://www.securityfocus.com/bid/27163
https://www.vmware.com/security/advisories/VMSA-2008-0009.html
https://www.vupen.com/english/advisories/2008/0061
https://www.vupen.com/english/advisories/2008/0109
https://www.vupen.com/english/advisories/2008/1071/references
https://www.vupen.com/english/advisories/2008/1744
https://exchange.xforce.ibmcloud.com/vulnerabilities/39497
https://issues.rpath.com/browse/RPL-1768
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11569
https://usn.ubuntu.com/568-1/
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00397.html
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00469.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for PostgreSQL
Denial of service in TCL
Multiple vulnerabilities in PostgreSQL