CVE-2019-13132
Publication date 8 July 2019
Last updated 24 July 2024
Ubuntu priority
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
From the Ubuntu Security Team
It was discovered that ZeroMQ incorrectly handled certain application metadata. A remote attacker could use this issue to cause ZeroMQ to crash, or possibly execute arbitrary code.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| zeromq3 | 22.04 LTS jammy |
Fixed 4.3.1-3ubuntu2.1
|
| 20.04 LTS focal |
Fixed 4.3.1-3ubuntu2.1
|
|
| 18.04 LTS bionic |
Fixed 4.2.5-1ubuntu0.2
|
|
| 16.04 LTS xenial |
Fixed 4.1.4-7ubuntu0.1
|
|
| 14.04 LTS trusty |
Fixed 4.0.4+dfsg-2ubuntu0.1+esm1
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4050-1
- ZeroMQ vulnerability
- 8 July 2019
- USN-4920-1
- ZeroMQ vulnerabilities
- 15 June 2022