製品・ソフトウェアに関する情報

JVN脆弱性詳細

NTP における入力確認に関する脆弱性

Title	NTP における入力確認に関する脆弱性
Summary	NTP には、入力確認に関する脆弱性が存在します。
Possible impacts	情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Oct. 23, 2015, midnight
Registration Date	Aug. 28, 2017, 6:06 p.m.
Last Update	Aug. 28, 2017, 6:06 p.m.

CVSS3.0 : 重要
Score	7.4
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS2.0 : 警告
Score	5.8
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:P

Affected System

NTP Project

NTP 4.2.8p4 未満の 4.2.x

NTP 4.3.77 未満の 4.3.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-7703	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
National Vulnerability Database (NVD)
2	CVE-2015-7703	https://nvd.nist.gov/vuln/detail/CVE-2015-7703

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Red Hat Bugzilla
1	Bug 1254547	https://bugzilla.redhat.com/show_bug.cgi?id=1254547
Security Notice
2	NTP Bug 2902	http://support.ntp.org/bin/view/Main/NtpBug2902

Change Log

No	Changed Details	Date of change
0	[2017年08月28日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-7703

Summary	The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command.
Publication Date	July 24, 2017, 11:29 p.m.
Registration Date	Jan. 26, 2021, 2:56 p.m.
Last Update	Nov. 21, 2024, 11:37 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ntp:ntp:4.2.8:p2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p3::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1::::::
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc3::::::
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc1::::::
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc3::::::
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc1::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-rc2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-rc1::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta5::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta4::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta3::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta1::::::
cpe:2.3:a:ntp:ntp::::::::	4.3.0			4.3.77
cpe:2.3:a:ntp:ntp:4.2.8:-::::::
cpe:2.3:a:ntp:ntp::::::::	4.2.0			4.2.8

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:oracle:linux:6:-::::::

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:7.0:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:netapp:clustered_data_ontap:-:::::::*
cpe:2.3:o:netapp:data_ontap:-:::::7-mode::
cpe:2.3:a:netapp:oncommand_unified_manager:-:::::clustered_data_ontap::
cpe:2.3:a:netapp:oncommand_performance_manager:-:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*

Related information, measures and tools

No	URL	タグ
1	http://rhn.redhat.com/errata/RHSA-2016-0780.html	Third Party Advisory
2	http://rhn.redhat.com/errata/RHSA-2016-0780.html	Third Party Advisory
3	http://rhn.redhat.com/errata/RHSA-2016-2583.html	Third Party Advisory
4	http://rhn.redhat.com/errata/RHSA-2016-2583.html	Third Party Advisory
5	http://support.ntp.org/bin/view/Main/NtpBug2902	Vendor Advisory
6	http://support.ntp.org/bin/view/Main/NtpBug2902	Vendor Advisory
7	http://www.debian.org/security/2015/dsa-3388	Third Party Advisory
8	http://www.debian.org/security/2015/dsa-3388	Third Party Advisory
9	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html	Third Party Advisory
10	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html	Third Party Advisory
11	http://www.securityfocus.com/bid/77278	Third Party Advisory VDB Entry
12	http://www.securityfocus.com/bid/77278	Third Party Advisory VDB Entry
13	http://www.securitytracker.com/id/1033951	Third Party Advisory VDB Entry
14	http://www.securitytracker.com/id/1033951	Third Party Advisory VDB Entry
15	https://bugzilla.redhat.com/show_bug.cgi?id=1254547	Issue Tracking Third Party Advisory VDB Entry
16	https://bugzilla.redhat.com/show_bug.cgi?id=1254547	Issue Tracking Third Party Advisory VDB Entry
17	https://security.gentoo.org/glsa/201607-15	Third Party Advisory
18	https://security.gentoo.org/glsa/201607-15	Third Party Advisory
19	https://security.netapp.com/advisory/ntap-20171004-0001/	Third Party Advisory
20	https://security.netapp.com/advisory/ntap-20171004-0001/	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ntp:ntp:4.2.8:p2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p3::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1::::::
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc3::::::
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc1::::::
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc3::::::
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc1::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-rc2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-rc1::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta5::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta4::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta3::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta2::::::
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta1::::::
cpe:2.3:a:ntp:ntp::::::::	4.3.0			4.3.77
cpe:2.3:a:ntp:ntp:4.2.8:-::::::
cpe:2.3:a:ntp:ntp::::::::	4.2.0			4.2.8

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*