CVE-2014-4344

Name of the Vulnerable Software and Affected Versions MIT Kerberos 5 (aka krb5) versions 1.5.x through 1.12.x before 1.12.2

Description The issue allows remote attackers to cause a denial of service, resulting in a NULL pointer dereference and application crash, via an empty continuation token during a SPNEGO negotiation. This can be exploited by an unauthenticated or partially authenticated remote attacker by sending an empty token as the second or later context token from initiator to acceptor. The exploitation of this issue may lead to a violation of confidentiality, integrity, and availability of protected information.

Recommendations For versions 1.5.x through 1.12.x before 1.12.2, update to version 1.12.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the SPNEGO negotiation functionality until a patch is available.