Vulnerability Details : CVE-2017-15130
A denial of service flaw was found in Dovecot before 2.2.34. An attacker able to generate random SNI server names could exploit TLS SNI configuration lookups, leading to excessive memory usage and a restart of the affected process.
Vulnerability category: Denial of service
Products affected by CVE-2017-15130
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:a:dovecot:dovecot:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15130
0.67% (probability of exploitation activity in the next 30 days)
EPSS Score History
~77% percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2017-15130
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2017-15130
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: secalert@redhat.com (Secondary)
References for CVE-2017-15130
- https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
  [Dovecot-news] v2.2.34 released (Release Notes; Vendor Advisory)
- http://seclists.org/oss-sec/2018/q1/205
  oss-sec: Dovecot Security Advisory: CVE-2017-15130 TLS SNI config lookups are inefficient and can be used for DoS (Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/3587-1/
  USN-3587-1: Dovecot vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4130
  Debian -- Security Information -- DSA-4130-1 dovecot (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1532356
  1532356 – (CVE-2017-15130) CVE-2017-15130 dovecot: TLS SNI config lookups are inefficient and can be used for DoS (Issue Tracking; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/03/msg00036.html
  [SECURITY] [DLA 1333-1] dovecot security update
- https://usn.ubuntu.com/3587-2/
  USN-3587-2: Dovecot vulnerabilities | Ubuntu security notices