[Bug 1893728] [NEW] Ubuntu CVE Tracker krb5 1.17-6ubuntu4 CVE-2018-20217 false positive

Jani Flaaming 1893728 at bugs.launchpad.net
Tue Sep 1 04:54:37 UTC 2020 

Public bug reported:

Information in shows that krb5 versions before 1.17 are vulnerable to CVE-2018-20217.
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html

Based on Debian bug report, this is already fixed in 1.16.2 version:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387

Ubuntu 20.04 LTS (Focal Fossa) includes version krb5 1.17.6:
https://launchpad.net/ubuntu/focal/+source/krb5

Ubuntu CVE Tracker page shows that Ubuntu 20.04 LTS (Focal Fossa) doesn't have a package where CVE-2018-20217 is fixed.
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html

Steps to reproduce:
This was found when examining AWS Elastic Container Registry Vulnerability scanning results for a Docker image based on latest Ubuntu 20.04: Here is the complete line from the report:
krb5:1.17-6ubuntu4 MEDIUM A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

It can be seen from the scan that the Docker image included krb5
bversion 1.17-6.

Expected:
No vulnerability finding.

Actual:
krb5 bversion 1.17-6ubuntu4 is reported as vulnerable to CVE-2018-20217.

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1893728

Title:
  Ubuntu CVE Tracker krb5 1.17-6ubuntu4 CVE-2018-20217 false positive

Status in krb5 package in Ubuntu:
  New

Bug description:
  Information in shows that krb5 versions before 1.17 are vulnerable to CVE-2018-20217.
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html

  Based on Debian bug report, this is already fixed in 1.16.2 version:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387

  Ubuntu 20.04 LTS (Focal Fossa) includes version krb5 1.17.6:
  https://launchpad.net/ubuntu/focal/+source/krb5

  Ubuntu CVE Tracker page shows that Ubuntu 20.04 LTS (Focal Fossa) doesn't have a package where CVE-2018-20217 is fixed.
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html

  Steps to reproduce:
  This was found when examining AWS Elastic Container Registry Vulnerability scanning results for a Docker image based on latest Ubuntu 20.04: Here is the complete line from the report:
  krb5:1.17-6ubuntu4 MEDIUM A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

  It can be seen from the scan that the Docker image included krb5
  bversion 1.17-6.

  Expected:
  No vulnerability finding.

  Actual:
  krb5 bversion 1.17-6ubuntu4 is reported as vulnerable to CVE-2018-20217.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1893728/+subscriptions

More information about the foundations-bugs mailing list