Fluid Attacks Database

Description

Pyopenssl Incorrect Memory Management It was discovered that pyOpenSSL incorrectly handled memory when performing operations on a PKCS #12 store. A remote attacker could possibly use this issue to cause pyOpenSSL to consume resources, resulting in a denial of service.

This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection that would cause the calling application to reload certificates from a PKCS #12 store. This vulnerability appears to have been fixed in 17.5.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
alpine v3.8	py-openssl	=0.13-r0 \|\| =0.14-r0 \|\| =0.15.1-r0 \|\| =16.0.0-r0 \|\| =16.0.0-r1 \|\| =16.0.0-r2 \|\| =16.1.0-r0 \|\| =16.1.0-r1 \|\| =17.0.0-r0 \|\| =17.1.0-r0 \|\| =17.2.0-r0 \|\| >=0 <17.5.0-r0	17.5.0-r0
alpine v3.6	py-openssl	=0.13-r0 \|\| =0.14-r0 \|\| =0.15.1-r0 \|\| =16.0.0-r0 \|\| =16.0.0-r1 \|\| =16.0.0-r2 \|\| =16.1.0-r0 \|\| =16.1.0-r1 \|\| =17.0.0-r0 \|\| >=0 <17.5.0-r0	17.5.0-r0
pypi	pyopenssl	>=0 <17.5.0	17.5.0
alpine v3.7	py-openssl	=0.13-r0 \|\| =0.14-r0 \|\| =0.15.1-r0 \|\| =16.0.0-r0 \|\| =16.0.0-r1 \|\| =16.0.0-r2 \|\| =16.1.0-r0 \|\| =16.1.0-r1 \|\| =17.0.0-r0 \|\| =17.1.0-r0 \|\| =17.2.0-r0 \|\| >=0 <17.5.0-r0	17.5.0-r0
debian 14	pyopenssl	>=0 <17.5.0-1	17.5.0-1
debian 11	pyopenssl	>=0 <17.5.0-1	17.5.0-1
debian 12	pyopenssl	>=0 <17.5.0-1	17.5.0-1
debian 13	pyopenssl	>=0 <17.5.0-1	17.5.0-1
rpm rhel5	pyOpenSSL	-	-
rpm rhel7	pyOpenSSL	-	-

1-10 of 11

Aliases

1. CVE-2018-10008082. NVD-2018-10008083. OSV-ALPINE-2018-10008084. OSV-2018-10008085. OSV-DEBIAN-2018-10008086. GHSA-2rcm-phc9-39457. GCVE-2018-10008088. SECURITY-CVE-2018-10008089. access.redhat.com10. SECURITY-TRACKER-CVE-2018-1000808

References

1. https://github.com/pyca/pyopenssl/pull/7232. https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c35093. https://github.com/pypa/advisory-database/tree/main/vulns/pyopenssl/PYSEC-2018-24.yaml4. https://usn.ubuntu.com/3813-15. http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.