CVE-2018-8015 - OpenCVE

In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Orc

Configuration 1 [-]

cpe:2.3:a:apache:orc:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/104215	Third Party Advisory VDB Entry
https://orc.apache.org/security/CVE-2018-8015/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2018-05-17T00:00:00

Updated: 2018-05-22T09:57:01

Reserved: 2018-03-09T00:00:00

Link: CVE-2018-8015

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-05-18T17:29:00.353

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-8015

JSON object: View

Redhat Information

No data.

CWE

CWE-674

{"containers": {"cna": {"affected": [{"product": "Apache ORC", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "1.0.0 to 1.4.3"}]}], "datePublic": "2018-05-17T00:00:00", "descriptions": [{"lang": "en", "value": "In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-22T09:57:01", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://orc.apache.org/security/CVE-2018-8015/"}, {"name": "104215", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104215"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2018-05-17T00:00:00", "ID": "CVE-2018-8015", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache ORC", "version": {"version_data": [{"version_value": "1.0.0 to 1.4.3"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service"}]}]}, "references": {"reference_data": [{"name": "https://orc.apache.org/security/CVE-2018-8015/", "refsource": "CONFIRM", "url": "https://orc.apache.org/security/CVE-2018-8015/"}, {"name": "104215", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104215"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-8015", "datePublished": "2018-05-17T00:00:00", "dateReserved": "2018-03-09T00:00:00", "dateUpdated": "2018-05-22T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:orc:*:*:*:*:*:*:*:*", "matchCriteriaId": "428A2534-6C8A-4C8F-B141-D21D242752CE", "versionEndIncluding": "1.4.3", "versionStartExcluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack."}, {"lang": "es", "value": "En Apache ORC, de la versi\u00f3n 1.0.0 a la 1.4.3, un archivo ORC mal formado puede desencadenar una llamada de funci\u00f3n recursiva infinita en el analizador C++ o Java. El impacto de este error es, probablemente, una denegaci\u00f3n de servicio (DoS) contra el software que emplea el analizador de archivos ORC. Con el analizador C++, el desbordamiento de pila podr\u00eda corromper la pila."}], "id": "CVE-2018-8015", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-18T17:29:00.353", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104215"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://orc.apache.org/security/CVE-2018-8015/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "nvd@nist.gov", "type": "Primary"}]}