CVE-2024-0397

EUVD-2024-16193

17.06.2024, 16:15

A defect was discovered in the Python “ssl” module where there is a memory
race condition with the ssl.SSLContext methods “cert_store_stats()” and
“get_ca_certs()”. The race condition can be triggered if the methods are
called at the same time as certificates are loaded into the SSLContext,
such as during the TLS handshake with a certificate directory configured.
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
CISA-ADP	ADP	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 59%

Debian Releases

Debian Product

Codename

pypy3

bookworm	no-dsa
bullseye	ignored
bullseye (security)	vulnerable
forky	7.3.20+dfsg-4 fixed
sid	7.3.20+dfsg-4 fixed
trixie	7.3.19+dfsg-2 fixed

python2.7

bookworm	no-dsa
bullseye	vulnerable

python3.11

bookworm	3.11.2-6+deb12u6 no-dsa
bookworm (security)	3.11.2-6+deb12u3 fixed
bullseye	ignored

python3.13

bookworm	no-dsa
bullseye	ignored
forky	3.13.11-1 fixed
sid	3.13.11-1 fixed
trixie	3.13.5-2 fixed

python3.9

bookworm	no-dsa
bullseye	ignored
bullseye (security)	3.9.2-1+deb11u3 fixed

Ubuntu Releases

Ubuntu Product

Codename

python2.7

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
trusty	needs-triage
xenial	needs-triage

python3.4

focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
trusty	needs-triage

python3.5

focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne
trusty	not-affected
xenial	not-affected

python3.6

bionic	needs-triage
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

python3.7

bionic	needs-triage
focal	dne
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

python3.8

bionic	needs-triage
focal	Fixed 3.8.10-0ubuntu1~20.04.11 released
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

python3.9

focal	needs-triage
jammy	dne
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

python3.10

focal	dne
jammy	Fixed 3.10.12-1~22.04.5 released
mantic	dne
noble	dne
oracular	dne
plucky	dne
questing	dne

python3.11

focal	dne
jammy	needs-triage
mantic	ignored
noble	dne
oracular	dne
plucky	dne
questing	dne

python3.12

focal	dne
jammy	dne
mantic	ignored
noble	not-affected
oracular	not-affected
plucky	dne
questing	dne

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

http://www.openwall.com/lists/oss-security/2024/06/17/2

https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d

https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524

https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e

https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286

https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa

https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab

https://github.com/python/cpython/issues/114572

https://github.com/python/cpython/pull/114573

https://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/