製品・ソフトウェアに関する情報

JVN脆弱性詳細

file の ELF パーサにおけるサービス運用妨害 (DoS) の脆弱性

Title	file の ELF パーサにおけるサービス運用妨害 (DoS) の脆弱性
Summary	file の ELF パーサ (readelf.c) には、サービス運用妨害 (CPU 資源の消費またはクラッシュ) 状態にされる脆弱性が存在します。
Possible impacts	第三者により、大量の (1) プログラム、(2) セクションヘッダまたは (3) 不正な機能を介して、サービス運用妨害 (CPU 資源の消費またはクラッシュ) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 22, 2014, midnight
Registration Date	Dec. 19, 2014, 5:29 p.m.
Last Update	April 27, 2015, 4:17 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

FreeBSD

file project

file 5.21 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-8116	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116
National Vulnerability Database (NVD)
2	CVE-2014-8116	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8116

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-399	https://jvndb.jvn.jp/ja/cwe/CWE-399.html

ベンダー情報

No	Name	URL
FreeBSD Security Advisory
1	FreeBSD-SA-14:28.file	https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc
GitHub
2	file/ChangeLog	https://github.com/file/file/blob/00cef282a902a4a6709bbbbb933ee397768caa38/ChangeLog
3	limit the number of program and section header number of sections to be processed to avoid excessive processing time.	https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8
4	Stop reporting bad capabilities after the first few.	https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6

その他

No	Name	URL
関連文書
1	MGASA-2015-0040	http://advisories.mageia.org/MGASA-2015-0040.html

Change Log

No	Changed Details	Date of change
0	[2014年12月19日] 掲載 [2015年04月27日] 参考情報：関連文書 (MGASA-2015-0040) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-8116

Summary	The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.
Publication Date	Dec. 18, 2014, 4:59 a.m.
Registration Date	Jan. 26, 2021, 3:19 p.m.
Last Update	Nov. 21, 2024, 11:18 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:freebsd:freebsd::::::::
cpe:2.3:a:file_project:file:5.20:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:mageia:mageia:4.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:10.04::::lts:::

Related information, measures and tools

No	URL	タグ
1	http://advisories.mageia.org/MGASA-2015-0040.html	Third Party Advisory
2	http://advisories.mageia.org/MGASA-2015-0040.html	Third Party Advisory
3	http://rhn.redhat.com/errata/RHSA-2016-0760.html
4	http://rhn.redhat.com/errata/RHSA-2016-0760.html
5	http://seclists.org/oss-sec/2014/q4/1056	Mailing List Third Party Advisory
6	http://seclists.org/oss-sec/2014/q4/1056	Mailing List Third Party Advisory
7	http://secunia.com/advisories/61944
8	http://secunia.com/advisories/61944
9	http://secunia.com/advisories/62081
10	http://secunia.com/advisories/62081
11	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
12	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
13	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
14	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
15	http://www.securityfocus.com/bid/71700
16	http://www.securityfocus.com/bid/71700
17	http://www.securitytracker.com/id/1031344	Third Party Advisory VDB Entry
18	http://www.securitytracker.com/id/1031344	Third Party Advisory VDB Entry
19	http://www.ubuntu.com/usn/USN-2494-1	Third Party Advisory
20	http://www.ubuntu.com/usn/USN-2494-1	Third Party Advisory
21	https://github.com/file/file/blob/00cef282a902a4a6709bbbbb933ee397768caa38/ChangeLog	Issue Tracking Patch
22	https://github.com/file/file/blob/00cef282a902a4a6709bbbbb933ee397768caa38/ChangeLog	Issue Tracking Patch
23	https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8	Issue Tracking Patch
24	https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8	Issue Tracking Patch
25	https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6	Issue Tracking Patch
26	https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6	Issue Tracking Patch
27	https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc	Vendor Advisory
28	https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-399	リソース管理の問題	https://cwe.mitre.org/data/definitions/399.html