Published: 12/09/2018 Updated: 19/11/2018

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

An issue exists in OpenAFS prior to 1.6.23 and 1.8.x prior to 1.8.2. Several RPC server routines did not fully initialize their output variables before returning, leaking memory contents from both the stack and the heap. Because the OpenAFS cache manager functions as an Rx server for the AFSCB service, clients are also susceptible to information leakage. For example, RXAFSCB_TellMeAboutYourself leaks kernel memory and KAM_ListEntry leaks kaserver memory.

Vulnerable Product	Search on Vulmon	Subscribe to Product
openafs openafs
debian debian linux 9.0
debian debian linux 8.0

Debian Bug report logs - #908616 OpenAFS security release Package: src:openafs; Maintainer for src:openafs is Benjamin Kaduk <kaduk@mitedu>; Reported by: Benjamin Kaduk <kaduk@mitedu> Date: Tue, 11 Sep 2018 19:39:01 UTC Severity: serious Tags: security Found in versions openafs/169-1, openafs/169-2+deb8u7 Fixe ...

Several vulnerabilities were discovered in openafs, an implementation of the distributed filesystem AFS The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-16947 Jeffrey Altman reported that the backup tape controller (butc) process does accept incoming RPCs but does not require (or allow for) ...

CWE-200 http://openafs.org/pages/security/OPENAFS-SA-2018-002.txt https://lists.debian.org/debian-lts-announce/2018/09/msg00024.html https://www.debian.org/security/2018/dsa-4302 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908616 https://nvd.nist.gov https://www.debian.org/security/./dsa-4302

CVE-2018-16948

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect