Your submission was sent successfully! Close

CVE-2017-7479

Published: 11 May 2017

OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.

From the Ubuntu security team

It was discovered that OpenVPN improperly triggered an assert when packet ids rolled over. An authenticated remote attacker could use this to cause a denial of service (application crash).

Priority

Low

CVSS 3 base score: 6.5

Status

Package Release Status
openvpn
Launchpad, Ubuntu, Debian
artful Not vulnerable
(2.4.0-5ubuntu1)
bionic Not vulnerable
(2.4.0-5ubuntu1)
cosmic Not vulnerable
(2.4.0-5ubuntu1)
disco Not vulnerable
(2.4.0-5ubuntu1)
eoan Not vulnerable
(2.4.0-5ubuntu1)
focal Not vulnerable
(2.4.0-5ubuntu1)
groovy Not vulnerable
(2.4.0-5ubuntu1)
hirsute Not vulnerable
(2.4.0-5ubuntu1)
precise Ignored
(end of ESM support, was needed)
trusty
Released (2.3.2-7ubuntu3.2)
upstream
Released (2.4.0-5)
xenial
Released (2.3.10-1ubuntu2.1)
yakkety
Released (2.3.11-1ubuntu2.1)
zesty
Released (2.4.0-4ubuntu1.2)
Patches:
upstream: https://github.com/OpenVPN/openvpn/commit/b727643cdf4e078f132a90e1c474a879a5760578 (2.3)
upstream: https://github.com/OpenVPN/openvpn/commit/591a4e574c43cb9e820950f15dcaabda261def78 (2.4)