Exploit

CVE-2024-7254

Improper Input Validation (CWE-20)

Published: Sep 19, 2024 / Updated: 2mo ago

Oracle Id: cpuoct2024 Release Date: 2024-10-15 Update Date: 2024-10-15 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to “Critical Patch Updates, Security Alerts and Bulletins” for information about Oracle Security advisories. Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.

This vulnerability can lead to stack overflow attacks, potentially causing application crashes or allowing arbitrary code execution. Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit i.e. StackOverflow.

The vulnerability exists due to a boundary error when processing TIFF images within the rotateImage() function in /libtiff/tools/tiffcrop.c. A remote attacker can pass a specially crafted image to the application, trigger memory corruption and perform a denial of service (DoS) attack. The vulnerability exists due to heap-based buffer overflow in ChopUpSingleUncompressedStrip in tif_dirread.c. A remote unauthenticated attacker can trick the victim into opening a specially crafted crafted TIFF file, trigger memory corruption and cause the affected software to crash, resulting in a DoS condition.

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, contains a vulnerability in the Google Protocol Buffers (protobuf) library with the grpc-1.0 or grpcClient-1.0 feature enabled. Vulnerability Details Refer to the security bulletin(s) listed in the Remediation/Fixes section Affected Products and Versions Affected Product(s) and Version(s) Affecting Product(s) and Version(s) --- --- IBM WebSphere Hybrid Edition 5.1 IBM WebSphere Application Server Liberty 20.0.0.12 - 24.0.0.10 Remediation/Fixes IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH63533, as described in Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google Protocol Buffers (CVE-2024-7254). Workarounds and Mitigations...

Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow.

Red Hat Security Advisory 2024-9571-03 - Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal. Issues addressed include denial of service and man-in-the-middle vulnerabilities.

Moderate: Streams for Apache Kafka 2.8.0 release and security update Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader "(CVE-2024-47554)"

A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack. The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.