CVE Details

Release Date:2017-05-03


rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

See more information about CVE-2017-8779 from MITRE CVE dictionary and NIST NVD

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score:7.8 Base Metrics:AV:N/AC:L/Au:N/C:N/I:N/A:C
Access Vector: Network Confidentiality Impact: None
Access Impact: Low Integrity Impact: None
Authentication: None required Availability Impact: Complete

Errata information

PlatformErrataRelease Date
Oracle Linux version 6 (libtirpc)ELSA-2017-12682017-05-23
Oracle Linux version 6 (rpcbind)ELSA-2017-12672017-05-23
Oracle Linux version 7 (libtirpc)ELSA-2017-12632017-05-22
Oracle Linux version 7 (rpcbind)ELSA-2017-12622017-05-22
Oracle VM version 3.3 (libtirpc)OVMSA-2017-01082017-05-23
Oracle VM version 3.3 (rpcbind)OVMSA-2017-01072017-05-23
Oracle VM version 3.4 (libtirpc)OVMSA-2017-01082017-05-23
Oracle VM version 3.4 (rpcbind)OVMSA-2017-01072017-05-23

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team