CVE-2016-3120

CVE Details

Release Date:2016-07-19

Description


The validate_as_request function in kdc_util.c in the Key DistributionCenter (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.

See more information about CVE-2016-3120 from MITRE CVE dictionary and NIST NVD


CVSS v2 metrics


NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score:3.5 Base Metrics:AV:N/AC:M/Au:S/C:N/I:N/A:P
Access Vector: Network Confidentiality Impact: None
Access Impact: Medium Integrity Impact: None
Authentication: Requires single instance Availability Impact: Partial

Errata information


PlatformErrataRelease Date
Oracle Linux version 7 (krb5)ELSA-2016-25912016-11-09



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete