CVE-2017-8821
Publication date 3 December 2017
Last updated 25 August 2025
Ubuntu priority
Description
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011.
From the Ubuntu Security Team
It was discovered that Tor incorrectly handled PEM input. An attacker could possibly use this to cause a denial of service.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| tor | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 0.2.9.14-1ubuntu1~16.04.2
|
|
| 14.04 LTS trusty |
Fixed 0.2.4.27-1ubuntu0.1
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |