CVE-2018-0487 Common Vulnerabilities and Exposures

Upstream information

CVE-2018-0487 at MITRE

Description

ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector	Network
Access Complexity	Low
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	Partial
Availability Impact	Partial

CVSS v3 Scores
	National Vulnerability Database
Base Score	9.8
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High
CVSSv3 Version	3

SUSE Bugzilla entry: 1080826 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2018:0488-1 openSUSE-SU-2018:0491-1

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 12	`libmbedtls9 >= 1.3.19-11.1` `mbedtls-devel >= 1.3.19-11.1`	Patchnames: openSUSE-2018-186
openSUSE Tumbleweed	`libmbedcrypto7 >= 2.27.0-1.2` `libmbedcrypto7-32bit >= 2.27.0-1.2` `libmbedtls13 >= 2.27.0-1.2` `libmbedtls13-32bit >= 2.27.0-1.2` `libmbedx509-1 >= 2.27.0-1.2` `libmbedx509-1-32bit >= 2.27.0-1.2` `mbedtls-devel >= 2.27.0-1.2`	Patchnames: openSUSE-Tumbleweed-2024-11043

SUSE Timeline for this CVE

CVE page created: Tue Feb 13 14:00:10 2018
CVE page last modified: Tue Sep 3 18:57:48 2024