Ubuntu CVE Tracker krb5 1.17-6ubuntu4 CVE-2018-20217 false positive
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu CVE Tracker | Fix Released | Undecided | Unassigned | |
| krb5 (Ubuntu) | | | | |
| Focal | Invalid | Undecided | Unassigned | |
Bug Description
Information in shows that krb5 versions before 1.17 are vulnerable to CVE-2018-20217.
https:/
Based on Debian bug report, this is already fixed in 1.16.2 version:
https:/
Ubuntu 20.04 LTS (Focal Fossa) includes version krb5 1.17.6:
https:/
Ubuntu CVE Tracker page shows that Ubuntu 20.04 LTS (Focal Fossa) doesn't have a package where CVE-2018-20217 is fixed.
https:/
Steps to reproduce:
This was found when examining AWS Elastic Container Registry Vulnerability scanning results for a Docker image based on latest Ubuntu 20.04: Here is the complete line from the report:
krb5:1.17-6ubuntu4 MEDIUM A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
It can be seen from the scan that the Docker image included krb5 version 1.17-6.
Expected:
No vulnerability finding.
Actual:
krb5 version 1.17-6ubuntu4 is reported as vulnerable to CVE-2018-20217.
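Whether 1.17-6ubuntu4 matches the scanner's rule "before 1.17" comes down to how Debian package versions compare. The Python below is an example added here (not from the bug report, the scanner, or the Ubuntu CVE Tracker) that reimplements the dpkg version-comparison algorithm (epoch, upstream version, Debian revision, with '~' sorting before everything) and checks the versions quoted above; it also shows why an upstream-only threshold still matches 1.16.2 even though the report says Debian carried the fix there, which is the kind of distribution-specific knowledge only the distro's own tracker has.

```python
def _order(c: str) -> int:
    """Per-character weight as in dpkg: '~' < end of string < letters < other marks."""
    if c.isdigit() or not c:
        return 0
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare one fragment (upstream version or Debian revision) like dpkg."""
    while a or b:
        first_diff = 0
        # Non-digit runs compare via _order(); digit runs compare numerically.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version: str):
    """'epoch:upstream-revision' -> (epoch, upstream, revision), epoch defaulting to 0."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_fixed(installed: str, fixed_in: str) -> bool:
    """True when installed >= fixed_in, i.e. a 'before fixed_in' rule does not match."""
    return compare_versions(installed, fixed_in) >= 0

if __name__ == "__main__":
    # Versions quoted in the report: the flagged package and the Debian backport release.
    for installed in ("1.17-6ubuntu4", "1.16.2"):
        print(installed, ">= 1.17:", is_fixed(installed, "1.17"))
```

The Ubuntu revision suffix only matters once the upstream parts tie, so 1.17-6ubuntu4 sorts above a bare 1.17 and is outside "before 1.17"; an epoch (e.g. 1:1.16) would outrank both, which is why a scanner must compare full package versions rather than upstream strings.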
Changed in krb5 (Ubuntu):
status: New → Fix Released
This was fixed in the https://launchpad.net/ubuntu-cve-tracker in commit https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=6d3a00335ca58346a10a09ad3c94046820490f8f