製品・ソフトウェアに関する情報

JVN脆弱性詳細

Linux Kernel における境界外書き込みに関する脆弱性

Title	Linux Kernel における境界外書き込みに関する脆弱性
Summary	Linux Kernel には、境界外書き込みに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 11, 2017, midnight
Registration Date	Jan. 23, 2018, 3:25 p.m.
Last Update	Jan. 23, 2018, 3:25 p.m.

CVSS3.0 : 警告
Score	6.6
Vector	CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2.0 : 危険
Score	7.2
Vector	AV:L/AC:L/Au:N/C:C/I:C/A:C

Affected System

SUSE

SUSE Linux Enterprise Server

Linux

Linux Kernel 4.14.5 まで

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-17558	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558
National Vulnerability Database (NVD)
2	CVE-2017-17558	https://nvd.nist.gov/vuln/detail/CVE-2017-17558

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-787	https://cwe.mitre.org/data/definitions/787.html

ベンダー情報

No	Name	URL
Linux Kernel
1	Linux Kernel Archives	http://www.kernel.org
opensuse-security-announce
2	SUSE-SU-2018:0011	https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html

その他

No	Name	URL
関連文書
1	[PATCH] USB: core: only clean up what we allocated	https://www.spinics.net/lists/linux-usb/msg163644.html

Change Log

No	Changed Details	Date of change
0	[2018年01月23日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-17558

Summary	The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.
Publication Date	Dec. 13, 2017, 12:29 a.m.
Registration Date	Jan. 26, 2021, 1:19 p.m.
Last Update	Nov. 21, 2024, 12:18 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:linux:linux_kernel::::::::			4.14.5

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise_server:11:sp4::::::
cpe:2.3:o:suse:linux_enterprise_server:11:extra::::::

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html	Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html	Third Party Advisory
3	http://openwall.com/lists/oss-security/2017/12/12/7	Mailing List Third Party Advisory
4	http://openwall.com/lists/oss-security/2017/12/12/7	Mailing List Third Party Advisory
5	https://access.redhat.com/errata/RHSA-2018:0676
6	https://access.redhat.com/errata/RHSA-2018:0676
7	https://access.redhat.com/errata/RHSA-2018:1062
8	https://access.redhat.com/errata/RHSA-2018:1062
9	https://access.redhat.com/errata/RHSA-2019:1170
10	https://access.redhat.com/errata/RHSA-2019:1170
11	https://access.redhat.com/errata/RHSA-2019:1190
12	https://access.redhat.com/errata/RHSA-2019:1190
13	https://lists.debian.org/debian-lts-announce/2018/01/msg00004.html
14	https://lists.debian.org/debian-lts-announce/2018/01/msg00004.html
15	https://usn.ubuntu.com/3619-1/
16	https://usn.ubuntu.com/3619-1/
17	https://usn.ubuntu.com/3619-2/
18	https://usn.ubuntu.com/3619-2/
19	https://usn.ubuntu.com/3754-1/
20	https://usn.ubuntu.com/3754-1/
21	https://www.debian.org/security/2017/dsa-4073	Third Party Advisory
22	https://www.debian.org/security/2017/dsa-4073	Third Party Advisory
23	https://www.debian.org/security/2018/dsa-4082
24	https://www.debian.org/security/2018/dsa-4082
25	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
26	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
27	https://www.spinics.net/lists/linux-usb/msg163644.html	Issue Tracking Patch
28	https://www.spinics.net/lists/linux-usb/msg163644.html	Issue Tracking Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-787	境界外書き込み	https://cwe.mitre.org/data/definitions/787.html