CVE-2019-13132
Published: 8 July 2019
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
From the Ubuntu Security Team
It was discovered that ZeroMQ incorrectly handled certain application metadata. A remote attacker could use this issue to cause ZeroMQ to crash, or possibly execute arbitrary code.
Priority
Status
Package | Release | Status |
---|---|---|
zeromq3 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.2.5-1ubuntu0.2)
|
cosmic |
Released
(4.2.5-2ubuntu0.2)
|
|
disco |
Released
(4.3.1-3ubuntu2.1)
|
|
eoan |
Released
(4.3.1-3ubuntu2.1)
|
|
focal |
Released
(4.3.1-3ubuntu2.1)
|
|
groovy |
Released
(4.3.1-3ubuntu2.1)
|
|
hirsute |
Released
(4.3.1-3ubuntu2.1)
|
|
impish |
Released
(4.3.1-3ubuntu2.1)
|
|
jammy |
Released
(4.3.1-3ubuntu2.1)
|
|
trusty |
Released
(4.0.4+dfsg-2ubuntu0.1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
upstream |
Pending
(4.3.2,4.1.7,4.0.9)
|
|
xenial |
Released
(4.1.4-7ubuntu0.1)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |