製品・ソフトウェアに関する情報

JVN脆弱性詳細

NTP の ntpd の ntp_openssl.m4 におけるサービス運用妨害 (DoS) の脆弱性

Title	NTP の ntpd の ntp_openssl.m4 におけるサービス運用妨害 (DoS) の脆弱性
Summary	NTP の ntpd の ntp_openssl.m4 には、サービス運用妨害 (セグメンテーション違反) 状態にされる脆弱性が存在します。
Possible impacts	リモートの攻撃者により、コンパイル中は無効になっている巧妙に細工された statistics または filegen 設定コマンドを介して、サービス運用妨害 (セグメンテーション違反) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 18, 2015, midnight
Registration Date	Aug. 15, 2017, 4:56 p.m.
Last Update	Aug. 15, 2017, 4:56 p.m.

CVSS3.0 : 重要
Score	7.5
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

レッドハット

Red Hat Enterprise Linux Desktop

Red Hat Enterprise Linux HPC Node

Red Hat Enterprise Linux Server

Red Hat Enterprise Linux Workstation

NTP Project

NTP 4.2.7p112 未満

Debian

Debian GNU/Linux

Fedora Project

Fedora

Canonical

Ubuntu

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-5195	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5195
National Vulnerability Database (NVD)
2	CVE-2015-5195	https://nvd.nist.gov/vuln/detail/CVE-2015-5195

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-3388	https://www.debian.org/security/2015/dsa-3388
Fedora Update Notification
2	FEDORA-2015-14212	https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169167.html
3	FEDORA-2015-14213	https://lists.fedoraproject.org/pipermail/package-announce/2015-September/166992.html
4	FEDORA-2015-77bfbc1bcd	https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html
GitHub
5	[Bug 1773] openssl not detected during ./configure.	https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be
IBM Support Document
6	1985122	https://www-01.ibm.com/support/docview.wss?uid=swg21985122
7	1986956	https://www-01.ibm.com/support/docview.wss?uid=swg21986956
8	1988706	https://www-01.ibm.com/support/docview.wss?uid=swg21988706
9	1989542	https://www-01.ibm.com/support/docview.wss?uid=swg21989542
10	T1024157	https://www-01.ibm.com/support/docview.wss?uid=isg3T1024157
Red Hat Bugzilla
11	Bug 1254544	https://bugzilla.redhat.com/show_bug.cgi?id=1254544
Red Hat Security Advisory
12	RHSA-2016:0780	https://access.redhat.com/errata/RHSA-2016:0780
13	RHSA-2016:2583	https://access.redhat.com/errata/RHSA-2016:2583
Ubuntu Security Notice
14	USN-2783-1	https://usn.ubuntu.com/usn/USN-2783-1/

Change Log

No	Changed Details	Date of change
0	[2017年08月15日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-5195

Summary	ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation.
Publication Date	July 21, 2017, 11:29 p.m.
Registration Date	Jan. 26, 2021, 2:52 p.m.
Last Update	Nov. 21, 2024, 11:32 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:22:::::::*
cpe:2.3:o:fedoraproject:fedora:23:::::::*
cpe:2.3:o:fedoraproject:fedora:21:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:7.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:15.04:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:a:ntp:ntp::p111::::::*			4.2.7

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html	Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html	Third Party Advisory
3	http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169167.html	Third Party Advisory
4	http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169167.html	Third Party Advisory
5	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166992.html	Third Party Advisory
6	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166992.html	Third Party Advisory
7	http://rhn.redhat.com/errata/RHSA-2016-0780.html	Third Party Advisory
8	http://rhn.redhat.com/errata/RHSA-2016-0780.html	Third Party Advisory
9	http://rhn.redhat.com/errata/RHSA-2016-2583.html	Third Party Advisory
10	http://rhn.redhat.com/errata/RHSA-2016-2583.html	Third Party Advisory
11	http://www.debian.org/security/2015/dsa-3388	Third Party Advisory
12	http://www.debian.org/security/2015/dsa-3388	Third Party Advisory
13	http://www.openwall.com/lists/oss-security/2015/08/25/3	Mailing List Patch Third Party Advisory
14	http://www.openwall.com/lists/oss-security/2015/08/25/3	Mailing List Patch Third Party Advisory
15	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
16	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
17	http://www.securityfocus.com/bid/76474	Third Party Advisory VDB Entry
18	http://www.securityfocus.com/bid/76474	Third Party Advisory VDB Entry
19	http://www.ubuntu.com/usn/USN-2783-1	Third Party Advisory
20	http://www.ubuntu.com/usn/USN-2783-1	Third Party Advisory
21	https://bugzilla.redhat.com/show_bug.cgi?id=1254544	Issue Tracking
22	https://bugzilla.redhat.com/show_bug.cgi?id=1254544	Issue Tracking
23	https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be	Issue Tracking Patch Third Party Advisory
24	https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be	Issue Tracking Patch Third Party Advisory
25	https://www-01.ibm.com/support/docview.wss?uid=isg3T1024157	Third Party Advisory
26	https://www-01.ibm.com/support/docview.wss?uid=isg3T1024157	Third Party Advisory
27	https://www-01.ibm.com/support/docview.wss?uid=swg21985122	Third Party Advisory
28	https://www-01.ibm.com/support/docview.wss?uid=swg21985122	Third Party Advisory
29	https://www-01.ibm.com/support/docview.wss?uid=swg21986956	Third Party Advisory
30	https://www-01.ibm.com/support/docview.wss?uid=swg21986956	Third Party Advisory
31	https://www-01.ibm.com/support/docview.wss?uid=swg21988706	Third Party Advisory
32	https://www-01.ibm.com/support/docview.wss?uid=swg21988706	Third Party Advisory
33	https://www-01.ibm.com/support/docview.wss?uid=swg21989542	Third Party Advisory
34	https://www-01.ibm.com/support/docview.wss?uid=swg21989542	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*