製品・ソフトウェアに関する情報

JVN脆弱性詳細

FreeRADIUS における証明書検証に関する脆弱性

Title	FreeRADIUS における証明書検証に関する脆弱性
Summary	FreeRADIUS には、証明書検証に関する脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 22, 2015, midnight
Registration Date	May 10, 2017, 3:30 p.m.
Last Update	May 10, 2017, 3:30 p.m.

Affected System

FreeRADIUS

FreeRADIUS 2.2.8 未満の 2.2.x

FreeRADIUS 3.0.9 未満の 3.0.x

SUSE

SUSE Linux Enterprise Server 12-SP1

SUSE Linux Enterprise Server 12-SP2

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2

SUSE Linux Enterprise Software Development Kit 12-SP1

SUSE Linux Enterprise Software Development Kit 12-SP2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-4680	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4680
National Vulnerability Database (NVD)
2	CVE-2015-4680	https://nvd.nist.gov/vuln/detail/CVE-2015-4680

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-295	https://cwe.mitre.org/data/definitions/295.html

ベンダー情報

No	Name	URL
FreeRADIUS
1	Security Contact	http://freeradius.org/security.html#eap-pwd-2015
opensuse-security-announce
2	SUSE-SU-2017:0102	https://lists.opensuse.org/opensuse-security-announce/2017-01/msg00010.html
Red Hat Bugzilla
3	Bug 1234975	https://bugzilla.redhat.com/show_bug.cgi?id=1234975

Change Log

No	Changed Details	Date of change
0	[2017年05月10日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-4680

Summary	FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly check revocation of intermediate CA certificates.
Publication Date	April 6, 2017, 2:59 a.m.
Registration Date	Jan. 26, 2021, 2:51 p.m.
Last Update	Nov. 21, 2024, 11:31 a.m.

Affected software configurations

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp2::::::
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_server:12:sp2:::::raspberry_pi:*
cpe:2.3:o:suse:linux_enterprise_server:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_server:12:sp2::::::

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00010.html	Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00010.html	Third Party Advisory
3	http://packetstormsecurity.com/files/132415/FreeRADIUS-Insufficient-CRL-Application.html	Patch Third Party Advisory VDB Entry
4	http://packetstormsecurity.com/files/132415/FreeRADIUS-Insufficient-CRL-Application.html	Patch Third Party Advisory VDB Entry
5	http://www.ocert.org/advisories/ocert-2015-008.html	Patch Third Party Advisory
6	http://www.ocert.org/advisories/ocert-2015-008.html	Patch Third Party Advisory
7	http://www.securityfocus.com/archive/1/535810/100/0/threaded
8	http://www.securityfocus.com/archive/1/535810/100/0/threaded
9	http://www.securityfocus.com/bid/75327	Third Party Advisory VDB Entry
10	http://www.securityfocus.com/bid/75327	Third Party Advisory VDB Entry
11	http://www.securitytracker.com/id/1032690	Third Party Advisory VDB Entry
12	http://www.securitytracker.com/id/1032690	Third Party Advisory VDB Entry
13	https://bugzilla.redhat.com/show_bug.cgi?id=1234975	Issue Tracking Patch
14	https://bugzilla.redhat.com/show_bug.cgi?id=1234975	Issue Tracking Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-295	不正な証明書検証	https://cwe.mitre.org/data/definitions/295.html