by using the ImageIO API. The vulnerability can be exploited by an unauthenticated attacker. In order to exploit this vulnerability, the attacker must be able to read or write to the directory that contains an image in memory. If the image is a GIF image, the image can be changed to look like an animated GIF image. If the image is a JPEG image, the image can be changed to look like a GIF animation. If the image is a PNG image, the image can be changed to look like a GIF animation. An attacker can do this by using a malicious GIF image and a special JavaScript function called “PNGOut”. The attacker can then submit the image to the component via a web browser. Since the component is running in a web browser, the component will run the malicious image in a web browser instead of in the component. The malicious image will be able to cause a Denial of Service (DoS) attack. An attacker can use a malicious GIF image to change the image in memory to look like an animated GIF. An attacker can use a special JavaScript function called “PNGOut” to convert the image in memory to a GIF and change the image in memory to look like an animated GIF.

Vulnerability Symptoms

The vulnerability is present in the component if an image from the ImageIO API is uploaded to the component via a web browser.
If you are using a vulnerable version of the component, you will be able to see a different GIF animation in memory for each JPEG or PNG image. If you are using a non-vulnerable version of the component, you will only see one GIF animation in memory for each JPEG or PNG image.
An attacker can use this vulnerability to cause a Denial of Service (DoS) attack by uploading an animated GIF image and changing that animated GIF into an animated GIF image.

Vulnerability Description

CVE-2022-21365 is an information exposure vulnerability in the ImageIO module that allows attackers to change the image in memory to look like a GIF animation. An attacker can do this by using a malicious GIF image and a special JavaScript function called “PNGOut”. The attack uses a Denial of Service (DoS) technique to cause the component to run the malicious image instead of the original image. This vulnerability was disclosed on December 26, 2018.

Vulnerability Details

CVE-2022-21365 is a vulnerability in the ImageIO API. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the victim’s server. The attacker must be able to read or write to the directory that contains the image memory. If it is a GIF image, the image can be changed to look like an animated GIF image. If it is a JPEG image, the image can be changed to look like a GIF animation. If it is a PNG image, the image can be changed to look like a GIF animation. An attacker can do this by using a malicious GIF and a special JavaScript function called “PNGOut”. The malicious PNG will then execute via a web browser instead of being executed inside the component.
The vulnerability exists because of bad input validation in the ImageIO API when it processes invalid data types for images stored on disk. This leads to attackers executing arbitrary code with user privileges on their servers by using specially crafted data and methods where input validation does not occur correctly.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 05/13/2022 14:50:00 UTC

References