Public Date:
1665296: CVE-2018-20217 krb5: Reachable assertion in the KDC using S4U2Self requests

The MITRE CVE dictionary describes this issue as:

A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

Find out more about CVE-2018-20217 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score: 5.3
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Affected Packages State

Platform (Package): State
Red Hat JBoss EWS 2 (krb5): Under investigation
Red Hat JBoss EAP 6 (krb5): Under investigation
Red Hat JBoss Core Services 1 (krb5): Under investigation
Red Hat Enterprise Linux 8 (krb5): Affected
Red Hat Enterprise Linux 7 (krb5): Affected
Red Hat Enterprise Linux 6 (krb5): Will not fix
Red Hat Enterprise Linux 5 (krb5): Not affected
Last Modified

CVE description copyright © 2017, The MITRE Corporation