CVE-2017-15705

A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.html
http://www.securityfocus.com/bid/105347	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2018:2916	Third Party Advisory
https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c%40%3Cannounce.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/11/msg00016.html	Third Party Advisory
https://security.gentoo.org/glsa/201812-07
https://usn.ubuntu.com/3811-1/	Third Party Advisory
https://usn.ubuntu.com/3811-2/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:spamassassin:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

History

No history.

Information

Published : 2018-09-17 14:29

Updated : 2023-11-07 02:40

NVD link : CVE-2017-15705

Mitre link : CVE-2017-15705

CVE.ORG link : CVE-2017-15705

JSON object : View

Products Affected

redhat

enterprise_linux_server
enterprise_linux_desktop
enterprise_linux_eus
enterprise_linux_workstation

canonical

ubuntu_linux

apache

spamassassin

debian

debian_linux

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2017-15705", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2018-09-17T14:29:00.293", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.html", "source": "security@apache.org"}, {"url": "http://www.securityfocus.com/bid/105347", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:2916", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c%40%3Cannounce.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00016.html", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://security.gentoo.org/glsa/201812-07", "source": "security@apache.org"}, {"url": "https://usn.ubuntu.com/3811-1/", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://usn.ubuntu.com/3811-2/", "tags": ["Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the \"open\" event is immediately followed by a \"close\" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the \"text\" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en Apache SpamAssassin en versiones anteriores a la 3.4.2. La vulnerabilidad ocurre con ciertas etiquetas no cerradas en correos electr\u00f3nicos que provocan que las marcas se manejen incorrectamente, lo que conduce al agotamiento del tiempo de escaneo. En Apache SpamAssassin, empleando HTML::Parser, se establece un objeto y se engancha a los manejadores de etiqueta de inicio y final. En ambos casos, el evento \"open\" est\u00e1 inmediatamente seguido por un evento \"close\"; incluso si la etiqueta *no* se cierra en el HTML que se est\u00e1 analizando. Debido a esto, falta que el evento \"text\" gestione el objeto de forma normal. Esto puede provocar que los correos electr\u00f3nicos cuidadosamente manipulados tarden m\u00e1s tiempo en escanearse del planeado, lo que conduce a una denegaci\u00f3n de servicio (DoS). El problema es posiblemente un error o decisi\u00f3n en HTML::Parser que impacta en la forma en la que Apache SpamAssassin emplea el m\u00f3dulo con HTML mal formado. El exploit se ha visto \"in the wild\", pero no se cree que haya sido parte a prop\u00f3sito de un intento de denegaci\u00f3n de servicio (DoS). Se cree que podr\u00edan haber intentos de abusar de la vulnerabilidad en el futuro."}], "lastModified": "2023-11-07T02:40:21.557", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:spamassassin:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B11FE5D-8764-42A3-A534-0EBA21F550D6", "versionEndExcluding": "3.4.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "vulnerable": true, "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991"}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084"}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B"}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D"}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CF73560-2F5B-4723-A8A1-9AADBB3ADA00"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

5.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2017-15705

5.3^/10

5.0^/10

Attach tags to `CVE-2017-15705`