CVE-2017-7652

moderate-risk
Published 2018-04-25

In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.

Do I need to act?

~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / HIGH complexity

Affected Products (4)

Affected Vendors

Debian Eclipse

References (10)

Issue Tracking https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102
Mailing List https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html
Mailing List https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html
Patch https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652...
Third Party Advisory https://www.debian.org/security/2018/dsa-4325
Issue Tracking https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102
Mailing List https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html
Mailing List https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html
Patch https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652...
Third Party Advisory https://www.debian.org/security/2018/dsa-4325
35
/ 100
moderate-risk
Severity 22/34 · High
Exploitability 3/34 · Minimal
Exposure 10/34 · Low