{ "threat_severity" : "Moderate", "public_date" : "2018-09-22T00:00:00Z", "bugzilla" : { "description" : "python: Missing salt initialization in _elementtree.c module", "id" : "1631822", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1631822" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-909", "details" : [ "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.", "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM." ], "acknowledgement" : "Red Hat would like to thank the Python Security Response Team for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-34/ansible-tower-memcached:1.4.15-28" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-35/ansible-tower-memcached:1.4.15-28" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2019-08-06T00:00:00Z", "advisory" : "RHSA-2019:2030", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "python-0:2.7.5-86.el7" }, { "product_name" : "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date" : "2020-04-07T00:00:00Z", "advisory" : "RHSA-2020:1346", "cpe" : "cpe:/o:redhat:rhel_aus:7.4", "package" : "python-0:2.7.5-63.el7_4" }, { "product_name" : "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date" : "2020-04-07T00:00:00Z", "advisory" : "RHSA-2020:1346", "cpe" : "cpe:/o:redhat:rhel_tus:7.4", "package" : "python-0:2.7.5-63.el7_4" }, { "product_name" : "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date" : "2020-04-07T00:00:00Z", "advisory" : "RHSA-2020:1346", "cpe" : "cpe:/o:redhat:rhel_e4s:7.4", "package" : "python-0:2.7.5-63.el7_4" }, { "product_name" : "Red Hat Enterprise Linux 7.5 Extended Update Support", "release_date" : "2020-04-01T00:00:00Z", "advisory" : "RHSA-2020:1268", "cpe" : "cpe:/o:redhat:rhel_eus:7.5", "package" : "python-0:2.7.5-74.el7_5" }, { "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date" : "2020-04-14T00:00:00Z", "advisory" : "RHSA-2020:1462", "cpe" : "cpe:/o:redhat:rhel_eus:7.6", "package" : "python-0:2.7.5-83.el7_6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "python27-python-0:2.7.16-4.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "python27-python-jinja2-0:2.6-12.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2019-11-06T00:00:00Z", "advisory" : "RHSA-2019:3725", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-python36-python-0:3.6.9-2.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "python27-python-0:2.7.16-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "python27-python-jinja2-0:2.6-15.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-11-06T00:00:00Z", "advisory" : "RHSA-2019:3725", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python36-python-0:3.6.9-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "python27-python-0:2.7.16-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "python27-python-jinja2-0:2.6-15.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "python27-python-0:2.7.16-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "python27-python-jinja2-0:2.6-15.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-11-06T00:00:00Z", "advisory" : "RHSA-2019:3725", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python36-python-0:3.6.9-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "python27-python-0:2.7.16-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-05-22T00:00:00Z", "advisory" : "RHSA-2019:1260", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "python27-python-jinja2-0:2.6-15.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-11-06T00:00:00Z", "advisory" : "RHSA-2019:3725", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python36-python-0:3.6.9-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-11-06T00:00:00Z", "advisory" : "RHSA-2019:3725", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-python36-python-0:3.6.9-2.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "python", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "python", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python27:2.7/python2", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python3", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "python36:3.6/python36", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "rh-python35-python", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-14647\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-14647\nhttps://bugs.python.org/issue34623" ], "name" : "CVE-2018-14647", "csaw" : false }