CVE-2017-14992

Publication date 1 November 2017

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
docker.io	24.04 LTS noble	Fixed 18.06.1-0ubuntu2
	23.10 mantic	Fixed 18.06.1-0ubuntu2
	23.04 lunar	Fixed 18.06.1-0ubuntu2
	22.10 kinetic	Fixed 18.06.1-0ubuntu2
	22.04 LTS jammy	Fixed 18.06.1-0ubuntu2
	21.10 impish	Fixed 18.06.1-0ubuntu2
	21.04 hirsute	Fixed 18.06.1-0ubuntu2
	20.10 groovy	Fixed 18.06.1-0ubuntu2
	20.04 LTS focal	Fixed 18.06.1-0ubuntu2
	19.10 eoan	Fixed 18.06.1-0ubuntu2
	19.04 disco	Fixed 18.06.1-0ubuntu2
	18.10 cosmic	Fixed 18.06.1-0ubuntu1
	18.04 LTS bionic	Fixed 18.06.1-0ubuntu1~18.04.1
	17.10 artful	Ignored
	17.04 zesty	Ignored
	16.04 LTS xenial	Fixed 18.06.1-0ubuntu1~16.04.2
	14.04 LTS trusty	Not in release
golang-github-vbatts-tar-split	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Not affected
	19.10 eoan	Not affected
	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Not in release

Notes

mdeslaur

docker.io in Ubuntu doesn't appear to use the golang-github-vbatts-tar-split package during build, uses embedded one.

Severity score breakdown

Parameter	Value
Base score	6.5 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H