Is there any resolution for CVE-2014-4344?

Solution In Progress

Environment

  • Red Hat Enterprise Linux 5

  • Red Hat Enterprise Linux 6

  • Red Hat Enterprise Linux 7

Issue

  • How to deal with CVE-2014-4344 (krb5: NULL pointer dereference flaw in the SPNEGO acceptor for continuation tokens)?

Resolution

  • This issue affects the versions of krb5 as shipped with Red Hat Enterprise Linux 5, 6 and 7.

  • This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2014:1245.

  • For Red Hat Enterprise Linux 6, refer to RHSA-2014:1389.

  • A future update may address this issue for Red Hat Enterprise Linux 7.

Root Cause

  • The MITRE CVE dictionary describes this issue as: The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.

Diagnostic Steps
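
The advisories listed under Resolution deliver the fix as a backport, so the upstream krb5 version string alone does not tell you whether a host is patched. The script below is an added example, not part of this Red Hat solution: it assumes an RPM-based host on which Red Hat has recorded the CVE identifier in the package changelog (read with `rpm -q --changelog`), and the package names krb5-libs, krb5-server and krb5-workstation are assumed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: report whether installed
# krb5 packages carry a fix for CVE-2014-4344. Red Hat usually backports such
# fixes and records the CVE ID in the RPM changelog, so the changelog is a
# more reliable indicator than comparing upstream version numbers.

CVE="CVE-2014-4344"

# Succeeds (exit 0) when the changelog text read from stdin names the CVE.
# Kept as a pure text filter so it can be exercised with constructed input.
changelog_mentions_cve() {
    grep -qF -- "$1"
}

# Classify one piece of changelog text: "fixed" if the CVE is named,
# "fix-not-listed" otherwise (changelogs can be trimmed, so this is not
# proof of vulnerability; treat it as a prompt to compare against the RHSA).
classify_changelog_text() {
    if printf '%s\n' "$1" | changelog_mentions_cve "$CVE"; then
        echo fixed
    else
        echo fix-not-listed
    fi
}

# Status of an installed package: "absent" when not installed, otherwise the
# classification of its real changelog. Assumes rpm is available; the package
# names queried below (krb5-libs, krb5-server, krb5-workstation) are assumed.
krb5_package_status() {
    pkg="$1"
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    classify_changelog_text "$(rpm -q --changelog "$pkg")"
}

# Only query live packages when rpm exists; elsewhere the functions above can
# still be exercised with constructed changelog text.
if command -v rpm >/dev/null 2>&1; then
    for p in krb5-libs krb5-server krb5-workstation; do
        printf '%s: %s\n' "$p" "$(krb5_package_status "$p")"
    done
fi
```

A result of fix-not-listed should be confirmed against the RHSA package versions before treating the host as unpatched, because some changelogs are truncated.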

References

NVD

MITRE

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
