CVE-2014-4608
high-risk
Published 2014-07-03
Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype."
Do I need to act?
8.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.3/10
High
NETWORK / LOW complexity
Affected Products (8)
References (44)
Third Party Advisory: http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
Third Party Advisory: http://rhn.redhat.com/errata/RHSA-2015-0062.html
Third Party Advisory: http://secunia.com/advisories/60011
Third Party Advisory: http://secunia.com/advisories/60174
Third Party Advisory: http://secunia.com/advisories/62633
Third Party Advisory: http://www.oberhumer.com/opensource/lzo/
Third Party Advisory: http://www.securityfocus.com/bid/68214
Third Party Advisory: http://www.ubuntu.com/usn/USN-2416-1
Third Party Advisory: http://www.ubuntu.com/usn/USN-2417-1
Third Party Advisory: http://www.ubuntu.com/usn/USN-2418-1
Third Party Advisory: http://www.ubuntu.com/usn/USN-2419-1
Third Party Advisory: http://www.ubuntu.com/usn/USN-2420-1
Third Party Advisory: http://www.ubuntu.com/usn/USN-2421-1
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=1113899
and 24 more references
50 / 100
high-risk
Severity
26/34 · High
Exploitability
10/34 · Low
Exposure
14/34 · Moderate