CVE-2014-4343: Double Free
First published: Tue Jul 22 2014(Updated: )
A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. It is reported that this issue affects version 1.10 and later. Upstream commit and further details: <a href="https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f">https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian | =7.0 | |
| Kerberos 5 (libkrb5) | =1.10 | |
| Kerberos 5 (libkrb5) | =1.10.1 | |
| Kerberos 5 (libkrb5) | =1.10.2 | |
| Kerberos 5 (libkrb5) | =1.10.3 | |
| Kerberos 5 (libkrb5) | =1.10.4 | |
| Kerberos 5 (libkrb5) | =1.11 | |
| Kerberos 5 (libkrb5) | =1.11.1 | |
| Kerberos 5 (libkrb5) | =1.11.2 | |
| Kerberos 5 (libkrb5) | =1.11.3 | |
| Kerberos 5 (libkrb5) | =1.11.4 | |
| Kerberos 5 (libkrb5) | =1.11.5 | |
| Kerberos 5 (libkrb5) | =1.12 | |
| Kerberos 5 (libkrb5) | =1.12.1 | |
| redhat enterprise Linux desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1121879
- https://rhn.redhat.com/errata/RHSA-2014-1389.html
- https://rhn.redhat.com/errata/RHSA-2015-0439.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1121876
- http://advisories.mageia.org/MGASA-2014-0345.html
- http://aix.software.ibm.com/aix/efixes/security/nas_advisory1.asc
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7969
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136360.html
- http://rhn.redhat.com/errata/RHSA-2015-0439.html
- http://secunia.com/advisories/59102
- http://secunia.com/advisories/60082
- http://secunia.com/advisories/60448
- http://secunia.com/advisories/61052
- http://security.gentoo.org/glsa/glsa-201412-53.xml
- http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15553.html
- http://www.debian.org/security/2014/dsa-3000
- http://www.osvdb.org/109390
- http://www.securityfocus.com/bid/69159
- http://www.securitytracker.com/id/1030706
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95211
Frequently Asked Questions
What is the severity of CVE-2014-4343?
CVE-2014-4343 is classified as a medium severity vulnerability due to its potential to cause application crashes.
How do I fix CVE-2014-4343?
To fix CVE-2014-4343, upgrade your MIT Kerberos 5 implementation to version 1.12.1 or later.
Which versions of MIT Kerberos are affected by CVE-2014-4343?
CVE-2014-4343 affects MIT Kerberos 5 versions 1.10 and later, including various versions up to 1.12.
What impact does CVE-2014-4343 have on applications?
CVE-2014-4343 can cause crashes in client applications that use MIT Kerberos when the flawed function is invoked.
Is there a workaround for CVE-2014-4343?
There is no reliable workaround for CVE-2014-4343; updating to an unimpacted version is the recommended solution.
- collector/redhat-bugzilla
- alias/CVE-2014-4343
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/description
- agent/references
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/debian
- canonical/debian
- version/debian/7.0
- vendor/mit
- canonical/kerberos 5 (libkrb5)
- version/kerberos 5 (libkrb5)/1.10
- version/kerberos 5 (libkrb5)/1.10.1
- version/kerberos 5 (libkrb5)/1.10.2
- version/kerberos 5 (libkrb5)/1.10.3
- version/kerberos 5 (libkrb5)/1.10.4
- version/kerberos 5 (libkrb5)/1.11
- version/kerberos 5 (libkrb5)/1.11.1
- version/kerberos 5 (libkrb5)/1.11.2
- version/kerberos 5 (libkrb5)/1.11.3
- version/kerberos 5 (libkrb5)/1.11.4
- version/kerberos 5 (libkrb5)/1.11.5
- version/kerberos 5 (libkrb5)/1.12
- version/kerberos 5 (libkrb5)/1.12.1
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0