製品・ソフトウェアに関する情報

JVN脆弱性詳細

NTP におけるサービス運用妨害 (DoS) の脆弱性

Title	NTP におけるサービス運用妨害 (DoS) の脆弱性
Summary	NTP には、サービス運用妨害 (スタックの枯渇) 状態にされる脆弱性が存在します。
Possible impacts	リモートの攻撃者により、ntpdc relist コマンドを介して、制限リストの再帰トラバーサルを誘発されることで、サービス運用妨害 (スタックの枯渇) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 16, 2015, midnight
Registration Date	Feb. 14, 2017, 7:49 p.m.
Last Update	Feb. 14, 2017, 7:49 p.m.

CVSS3.0 : 重要
Score	7.5
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

NTP Project

NTP 4.2.8p6 未満

NTP 4.3.0 以上 4.3.90 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-7978	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
National Vulnerability Database (NVD)
2	CVE-2015-7978	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-400	https://cwe.mitre.org/data/definitions/400.html

ベンダー情報

No	Name	URL
Cisco Security Advisory
1	cisco-sa-20160127-ntpd	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd
ntp.org
2	NTP Bug 2940	http://support.ntp.org/bin/view/Main/NtpBug2940
Red Hat Security Advisory
3	RHSA-2016:0780	http://rhn.redhat.com/errata/RHSA-2016-0780.html
4	RHSA-2016:2583	http://rhn.redhat.com/errata/RHSA-2016-2583.html
Security Advisories
5	SA113	https://bto.bluecoat.com/security-advisory/sa113
Security Notice
6	January 2016 NTP-4.2.8p6 Security Vulnerability Announcement (Medium)	http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit

その他

No	Name	URL
JVN
1	JVNVU#91176422	https://jvn.jp/vu/JVNVU91176422/
US-CERT Vulnerability Note
2	VU#718152	https://www.kb.cert.org/vuls/id/718152

Change Log

No	Changed Details	Date of change
0	[2017年02月14日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-7978

Summary	NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list.
Publication Date	Jan. 31, 2017, 6:59 a.m.
Registration Date	Jan. 26, 2021, 2:57 p.m.
Last Update	Nov. 21, 2024, 11:37 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ntp:ntp:4.3.80:::::::*
cpe:2.3:a:ntp:ntp:4.3.51:::::::*
cpe:2.3:a:ntp:ntp:4.3.17:::::::*
cpe:2.3:a:ntp:ntp:4.3.30:::::::*
cpe:2.3:a:ntp:ntp:4.3.74:::::::*
cpe:2.3:a:ntp:ntp:4.3.67:::::::*
cpe:2.3:a:ntp:ntp:4.3.14:::::::*
cpe:2.3:a:ntp:ntp:4.3.27:::::::*
cpe:2.3:a:ntp:ntp:4.3.13:::::::*
cpe:2.3:a:ntp:ntp:4.3.36:::::::*
cpe:2.3:a:ntp:ntp:4.3.16:::::::*
cpe:2.3:a:ntp:ntp:4.3.35:::::::*
cpe:2.3:a:ntp:ntp:4.3.53:::::::*
cpe:2.3:a:ntp:ntp:4.3.64:::::::*
cpe:2.3:a:ntp:ntp:4.3.20:::::::*
cpe:2.3:a:ntp:ntp:4.3.40:::::::*
cpe:2.3:a:ntp:ntp:4.3.68:::::::*
cpe:2.3:a:ntp:ntp:4.3.46:::::::*
cpe:2.3:a:ntp:ntp:4.3.77:::::::*
cpe:2.3:a:ntp:ntp:4.3.1:::::::*
cpe:2.3:a:ntp:ntp:4.3.6:::::::*
cpe:2.3:a:ntp:ntp:4.3.2:::::::*
cpe:2.3:a:ntp:ntp:4.3.78:::::::*
cpe:2.3:a:ntp:ntp:4.3.79:::::::*
cpe:2.3:a:ntp:ntp:4.3.61:::::::*
cpe:2.3:a:ntp:ntp:4.3.42:::::::*
cpe:2.3:a:ntp:ntp:4.3.10:::::::*
cpe:2.3:a:ntp:ntp:4.3.88:::::::*
cpe:2.3:a:ntp:ntp:4.3.69:::::::*
cpe:2.3:a:ntp:ntp:4.3.65:::::::*
cpe:2.3:a:ntp:ntp:4.3.48:::::::*
cpe:2.3:a:ntp:ntp:4.3.71:::::::*
cpe:2.3:a:ntp:ntp:4.3.11:::::::*
cpe:2.3:a:ntp:ntp:4.3.34:::::::*
cpe:2.3:a:ntp:ntp:4.3.58:::::::*
cpe:2.3:a:ntp:ntp:4.3.31:::::::*
cpe:2.3:a:ntp:ntp:4.3.86:::::::*
cpe:2.3:a:ntp:ntp:4.3.85:::::::*
cpe:2.3:a:ntp:ntp:4.3.57:::::::*
cpe:2.3:a:ntp:ntp:4.3.83:::::::*
cpe:2.3:a:ntp:ntp:4.3.22:::::::*
cpe:2.3:a:ntp:ntp:4.3.56:::::::*
cpe:2.3:a:ntp:ntp:4.3.25:::::::*
cpe:2.3:a:ntp:ntp:4.3.70:::::::*
cpe:2.3:a:ntp:ntp:4.3.59:::::::*
cpe:2.3:a:ntp:ntp:4.3.21:::::::*
cpe:2.3:a:ntp:ntp:4.3.39:::::::*
cpe:2.3:a:ntp:ntp:4.3.4:::::::*
cpe:2.3:a:ntp:ntp:4.3.49:::::::*
cpe:2.3:a:ntp:ntp:4.3.50:::::::*
cpe:2.3:a:ntp:ntp:4.3.60:::::::*
cpe:2.3:a:ntp:ntp:4.3.54:::::::*
cpe:2.3:a:ntp:ntp:4.3.15:::::::*
cpe:2.3:a:ntp:ntp:4.3.12:::::::*
cpe:2.3:a:ntp:ntp:4.3.43:::::::*
cpe:2.3:a:ntp:ntp:4.3.45:::::::*
cpe:2.3:a:ntp:ntp:4.3.66:::::::*
cpe:2.3:a:ntp:ntp:4.3.0:::::::*
cpe:2.3:a:ntp:ntp:4.3.3:::::::*
cpe:2.3:a:ntp:ntp:4.3.81:::::::*
cpe:2.3:a:ntp:ntp:4.3.84:::::::*
cpe:2.3:a:ntp:ntp:4.3.24:::::::*
cpe:2.3:a:ntp:ntp:4.3.28:::::::*
cpe:2.3:a:ntp:ntp:4.3.18:::::::*
cpe:2.3:a:ntp:ntp:4.3.76:::::::*
cpe:2.3:a:ntp:ntp:4.3.33:::::::*
cpe:2.3:a:ntp:ntp:4.3.7:::::::*
cpe:2.3:a:ntp:ntp:4.3.38:::::::*
cpe:2.3:a:ntp:ntp:4.3.72:::::::*
cpe:2.3:a:ntp:ntp:4.3.87:::::::*
cpe:2.3:a:ntp:ntp:4.3.29:::::::*
cpe:2.3:a:ntp:ntp:4.3.23:::::::*
cpe:2.3:a:ntp:ntp:4.3.63:::::::*
cpe:2.3:a:ntp:ntp:4.3.52:::::::*
cpe:2.3:a:ntp:ntp:4.3.41:::::::*
cpe:2.3:a:ntp:ntp:4.3.47:::::::*
cpe:2.3:a:ntp:ntp:4.3.37:::::::*
cpe:2.3:a:ntp:ntp:4.3.73:::::::*
cpe:2.3:a:ntp:ntp:4.3.5:::::::*
cpe:2.3:a:ntp:ntp:4.3.82:::::::*
cpe:2.3:a:ntp:ntp:4.3.75:::::::*
cpe:2.3:a:ntp:ntp::p5::::::*		4.2.8
cpe:2.3:a:ntp:ntp:4.3.32:::::::*
cpe:2.3:a:ntp:ntp:4.3.19:::::::*
cpe:2.3:a:ntp:ntp:4.3.44:::::::*
cpe:2.3:a:ntp:ntp:4.3.55:::::::*
cpe:2.3:a:ntp:ntp:4.3.26:::::::*
cpe:2.3:a:ntp:ntp:4.3.62:::::::*
cpe:2.3:a:ntp:ntp:4.3.8:::::::*
cpe:2.3:a:ntp:ntp:4.3.89:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177507.html	Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177507.html	Third Party Advisory
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html	Third Party Advisory
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html	Third Party Advisory
5	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html	Third Party Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html	Third Party Advisory
7	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html	Third Party Advisory
8	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html	Third Party Advisory
9	http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html	Third Party Advisory
10	http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html	Third Party Advisory
11	http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html	Third Party Advisory
12	http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html	Third Party Advisory
13	http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html	Third Party Advisory
14	http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html	Third Party Advisory
15	http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html	Third Party Advisory
16	http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html	Third Party Advisory
17	http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html	Third Party Advisory
18	http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html	Third Party Advisory
19	http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html	Third Party Advisory
20	http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html	Third Party Advisory
21	http://rhn.redhat.com/errata/RHSA-2016-0780.html	Third Party Advisory
22	http://rhn.redhat.com/errata/RHSA-2016-0780.html	Third Party Advisory
23	http://rhn.redhat.com/errata/RHSA-2016-2583.html	Third Party Advisory
24	http://rhn.redhat.com/errata/RHSA-2016-2583.html	Third Party Advisory
25	http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security	Vendor Advisory
26	http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security	Vendor Advisory
27	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd	Third Party Advisory
28	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd	Third Party Advisory
29	http://www.debian.org/security/2016/dsa-3629	Third Party Advisory
30	http://www.debian.org/security/2016/dsa-3629	Third Party Advisory
31	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
32	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
33	http://www.securityfocus.com/bid/81962	Third Party Advisory VDB Entry
34	http://www.securityfocus.com/bid/81962	Third Party Advisory VDB Entry
35	http://www.securitytracker.com/id/1034782	Third Party Advisory VDB Entry
36	http://www.securitytracker.com/id/1034782	Third Party Advisory VDB Entry
37	http://www.ubuntu.com/usn/USN-3096-1	Third Party Advisory
38	http://www.ubuntu.com/usn/USN-3096-1	Third Party Advisory
39	https://bto.bluecoat.com/security-advisory/sa113	Third Party Advisory
40	https://bto.bluecoat.com/security-advisory/sa113	Third Party Advisory
41	https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
42	https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
43	https://security.gentoo.org/glsa/201607-15	Third Party Advisory
44	https://security.gentoo.org/glsa/201607-15	Third Party Advisory
45	https://security.netapp.com/advisory/ntap-20171031-0001/
46	https://security.netapp.com/advisory/ntap-20171031-0001/
47	https://www.kb.cert.org/vuls/id/718152	Third Party Advisory US Government Resource
48	https://www.kb.cert.org/vuls/id/718152	Third Party Advisory US Government Resource

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-400	リソースの枯渇	https://cwe.mitre.org/data/definitions/400.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ntp:ntp:4.3.80:::::::*
cpe:2.3:a:ntp:ntp:4.3.51:::::::*
cpe:2.3:a:ntp:ntp:4.3.17:::::::*
cpe:2.3:a:ntp:ntp:4.3.30:::::::*
cpe:2.3:a:ntp:ntp:4.3.74:::::::*
cpe:2.3:a:ntp:ntp:4.3.67:::::::*
cpe:2.3:a:ntp:ntp:4.3.14:::::::*
cpe:2.3:a:ntp:ntp:4.3.27:::::::*
cpe:2.3:a:ntp:ntp:4.3.13:::::::*
cpe:2.3:a:ntp:ntp:4.3.36:::::::*
cpe:2.3:a:ntp:ntp:4.3.16:::::::*
cpe:2.3:a:ntp:ntp:4.3.35:::::::*
cpe:2.3:a:ntp:ntp:4.3.53:::::::*
cpe:2.3:a:ntp:ntp:4.3.64:::::::*
cpe:2.3:a:ntp:ntp:4.3.20:::::::*
cpe:2.3:a:ntp:ntp:4.3.40:::::::*
cpe:2.3:a:ntp:ntp:4.3.68:::::::*
cpe:2.3:a:ntp:ntp:4.3.46:::::::*
cpe:2.3:a:ntp:ntp:4.3.77:::::::*
cpe:2.3:a:ntp:ntp:4.3.1:::::::*
cpe:2.3:a:ntp:ntp:4.3.6:::::::*
cpe:2.3:a:ntp:ntp:4.3.2:::::::*
cpe:2.3:a:ntp:ntp:4.3.78:::::::*
cpe:2.3:a:ntp:ntp:4.3.79:::::::*
cpe:2.3:a:ntp:ntp:4.3.61:::::::*
cpe:2.3:a:ntp:ntp:4.3.42:::::::*
cpe:2.3:a:ntp:ntp:4.3.10:::::::*
cpe:2.3:a:ntp:ntp:4.3.88:::::::*
cpe:2.3:a:ntp:ntp:4.3.69:::::::*
cpe:2.3:a:ntp:ntp:4.3.65:::::::*
cpe:2.3:a:ntp:ntp:4.3.48:::::::*
cpe:2.3:a:ntp:ntp:4.3.71:::::::*
cpe:2.3:a:ntp:ntp:4.3.11:::::::*
cpe:2.3:a:ntp:ntp:4.3.34:::::::*
cpe:2.3:a:ntp:ntp:4.3.58:::::::*
cpe:2.3:a:ntp:ntp:4.3.31:::::::*
cpe:2.3:a:ntp:ntp:4.3.86:::::::*
cpe:2.3:a:ntp:ntp:4.3.85:::::::*
cpe:2.3:a:ntp:ntp:4.3.57:::::::*
cpe:2.3:a:ntp:ntp:4.3.83:::::::*
cpe:2.3:a:ntp:ntp:4.3.22:::::::*
cpe:2.3:a:ntp:ntp:4.3.56:::::::*
cpe:2.3:a:ntp:ntp:4.3.25:::::::*
cpe:2.3:a:ntp:ntp:4.3.70:::::::*
cpe:2.3:a:ntp:ntp:4.3.59:::::::*
cpe:2.3:a:ntp:ntp:4.3.21:::::::*
cpe:2.3:a:ntp:ntp:4.3.39:::::::*
cpe:2.3:a:ntp:ntp:4.3.4:::::::*
cpe:2.3:a:ntp:ntp:4.3.49:::::::*
cpe:2.3:a:ntp:ntp:4.3.50:::::::*
cpe:2.3:a:ntp:ntp:4.3.60:::::::*
cpe:2.3:a:ntp:ntp:4.3.54:::::::*
cpe:2.3:a:ntp:ntp:4.3.15:::::::*
cpe:2.3:a:ntp:ntp:4.3.12:::::::*
cpe:2.3:a:ntp:ntp:4.3.43:::::::*
cpe:2.3:a:ntp:ntp:4.3.45:::::::*
cpe:2.3:a:ntp:ntp:4.3.66:::::::*
cpe:2.3:a:ntp:ntp:4.3.0:::::::*
cpe:2.3:a:ntp:ntp:4.3.3:::::::*
cpe:2.3:a:ntp:ntp:4.3.81:::::::*
cpe:2.3:a:ntp:ntp:4.3.84:::::::*
cpe:2.3:a:ntp:ntp:4.3.24:::::::*
cpe:2.3:a:ntp:ntp:4.3.28:::::::*
cpe:2.3:a:ntp:ntp:4.3.18:::::::*
cpe:2.3:a:ntp:ntp:4.3.76:::::::*
cpe:2.3:a:ntp:ntp:4.3.33:::::::*
cpe:2.3:a:ntp:ntp:4.3.7:::::::*
cpe:2.3:a:ntp:ntp:4.3.38:::::::*
cpe:2.3:a:ntp:ntp:4.3.72:::::::*
cpe:2.3:a:ntp:ntp:4.3.87:::::::*
cpe:2.3:a:ntp:ntp:4.3.29:::::::*
cpe:2.3:a:ntp:ntp:4.3.23:::::::*
cpe:2.3:a:ntp:ntp:4.3.63:::::::*
cpe:2.3:a:ntp:ntp:4.3.52:::::::*
cpe:2.3:a:ntp:ntp:4.3.41:::::::*
cpe:2.3:a:ntp:ntp:4.3.47:::::::*
cpe:2.3:a:ntp:ntp:4.3.37:::::::*
cpe:2.3:a:ntp:ntp:4.3.73:::::::*
cpe:2.3:a:ntp:ntp:4.3.5:::::::*
cpe:2.3:a:ntp:ntp:4.3.82:::::::*
cpe:2.3:a:ntp:ntp:4.3.75:::::::*
cpe:2.3:a:ntp:ntp::p5::::::*		4.2.8
cpe:2.3:a:ntp:ntp:4.3.32:::::::*
cpe:2.3:a:ntp:ntp:4.3.19:::::::*
cpe:2.3:a:ntp:ntp:4.3.44:::::::*
cpe:2.3:a:ntp:ntp:4.3.55:::::::*
cpe:2.3:a:ntp:ntp:4.3.26:::::::*
cpe:2.3:a:ntp:ntp:4.3.62:::::::*
cpe:2.3:a:ntp:ntp:4.3.8:::::::*
cpe:2.3:a:ntp:ntp:4.3.89:::::::*