CVE-2017-14032
Publication date 30 August 2017
Last updated 24 July 2024
Ubuntu priority
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mbedtls | ||
| 16.04 LTS xenial |
Fixed 2.2.1-2ubuntu0.2
|
|
| 14.04 LTS trusty | Not in release | |
| polarssl | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.1 · High
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
- https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32
- https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc
- https://bugs.debian.org/873557
- https://www.cve.org/CVERecord?id=CVE-2017-14032