PT-2018-3350 · Python+3
Published
2018-02-08
·
Updated
2024-06-15
·
CVE-2018-1000030
CVSS v2.0
7.6
High
| Vector | AV:N/AC:H/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
Python 2.7.14 (confirmed)
Python 2.x versions prior to 2.7.14 (reported as likely affected; the same file-object code is present)
Python 2.7.15 through 2.7.17 (flagged as possibly affected in the original report, never confirmed; the upstream fix shipped in 2.7.15, see Recommendations)
Description:
The issue is a race condition in the read-ahead buffer of the legacy Python 2 `file` object, the buffer that `file.readline()` and line iteration (`for line in f`) share. When several threads read from the same file object at once, nothing serialises access to that buffer, and two distinct memory-safety failures result. Heap buffer overflow: one thread is still computing and allocating the size of the read-ahead buffer while another thread has already started copying data into it, so the write is not bounded by the final size. Heap use-after-free: a third thread allocates the buffer, the first thread frees it, and the second thread keeps using the freed memory. Both are memory corruption in the interpreter process. The practical result is an interpreter crash (denial of service); because the corrupted data is heap memory under partial attacker influence, arbitrary code execution cannot be ruled out, which matters where untrusted input is fed to a multithreaded reader across a trust boundary (for example a function-as-a-service runtime that processes caller-supplied data). The CVSS vector is rated network-reachable on that basis, with high access complexity: the attacker must be able to drive large inputs into code that already reads one file object from multiple threads.
Recommendations:
Upgrade to Python 2.7.15 or later, where upstream fixed the crashes when iterating over a file on multiple threads (bpo-31530), or to a vendor build of 2.7 that backports that fix (the distributions listed under Affected products published updates for this CVE).
If you cannot upgrade yet, do not share a single `file` object between threads: open a separate handle per thread, or hand all reads to one thread and distribute the lines it produces.
Where a shared handle is unavoidable, wrap every `readline()`, `readlines()` and iteration step in one lock so that only one thread touches the read-ahead buffer at a time; this removes the race at the cost of serialising the reads.
Treat any multithreaded Python 2 service that reads attacker-controlled data through shared file objects as exposed until it is patched, and limit who can submit such data in the meantime.
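The workaround in the recommendations (serialise all reads on a shared file object with one lock) and the affected-version range above, as an added example; this is not code from the advisory or from CPython. It assumes the reader is the only place the file object is touched, and its `is_affected` helper encodes the upstream fix version (2.7.15) rather than the unconfirmed 2.7.17 upper bound. The class name, the sample input and the thread count are illustrative choices. The code runs unchanged on Python 2.7 and 3; on an unpatched 2.7 the same workload without the lock is exactly the pattern that crashes.

```python
import io
import threading

# Upstream fixed the file-object read-ahead race (bpo-31530) in 2.7.15.
FIXED_IN = (2, 7, 15)


def is_affected(version_info):
    """True for any CPython 2.x interpreter older than the 2.7.15 fix.

    Python 3 is outside the affected range listed in the advisory, so it
    is reported as not affected whatever its micro version.
    """
    major, minor, micro = version_info[:3]
    return major == 2 and (major, minor, micro) < FIXED_IN


class LockedLineReader(object):
    """Serialises every read on one shared file object (hypothetical helper).

    readline() and `for line in f` share the file object's read-ahead
    buffer; holding one lock around each call means only a single thread
    ever resizes, fills or frees that buffer at a time, which is the race
    the advisory describes.
    """

    def __init__(self, fileobj):
        self._f = fileobj
        self._lock = threading.Lock()

    def readline(self):
        with self._lock:
            return self._f.readline()

    def __iter__(self):
        return self

    def next(self):            # Python 2 iterator protocol
        line = self.readline()
        if not line:
            raise StopIteration
        return line

    __next__ = next            # Python 3 iterator protocol


def consume_concurrently(data, nthreads=8):
    """Drain one shared reader from several threads and return the lines.

    `data` is a bytes blob. The caller can check that every line came out
    exactly once; an unsynchronised shared reader on an affected 2.7
    cannot guarantee that and may crash the interpreter instead.
    """
    reader = LockedLineReader(io.BytesIO(data))
    consumed = []
    consumed_lock = threading.Lock()

    def worker():
        for line in reader:
            with consumed_lock:
                consumed.append(line)

    threads = [threading.Thread(target=worker) for _ in range(nthreads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return consumed


# Constructed sample input (not from the advisory): 10,000 numbered lines,
# enough that the read-ahead buffer is refilled many times.
SAMPLE = b"".join(b"record-%05d\n" % i for i in range(10000))

if __name__ == "__main__":
    import sys
    print("interpreter affected: %s" % is_affected(sys.version_info))
    lines = consume_concurrently(SAMPLE)
    assert sorted(lines) == SAMPLE.splitlines(True)
    print("%d lines consumed exactly once by 8 threads" % len(lines))
```

The lock covers the whole `readline()` call, not just the copy out of the buffer, because the race is inside the C implementation of the call itself; a lock taken only around Python-level bookkeeping would leave the buffer resize and free unprotected. Giving each thread its own file handle avoids the lock entirely and is the better fix when the threads do not need to share one read position.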
Exploit
Use After Free
Buffer Overflow
Memory Corruption
Related identifiers
Affected products
Alt Linux
Python
Suse
Ubuntu