CVE-2022-35289 A write-what-where condition in hermes caused by an integer overflow allows attackers to execute arbitrary code.

However, if your application permits arbitrary JavaScript to be executed on the client-side, then this vulnerability can be exploited. To learn more about securing applications against JavaScript vulnerabilities, see our guide. Additionally, applications that permit untrusted data to be sent to the client-side (e.g. via XHR) may also be vulnerable to a write-what-where condition due to integer overflow. What's the risk? Prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374, Hermitary was vulnerable to a write-what-where condition due to an integer overflow in the handling of a JavaScript property. What's done to mitigate this? Since this was a security-related issue, the security team took immediate action to patch the issue. How to stay safe? - Make sure application code (e.g. server-side) doesn’t allow untrusted data to be sent via XHR.

- Make sure JavaScript code (e.g. client-side) doesn’t allow arbitrary JavaScript to be executed. - Make sure application code is written in a way that prevents integer overflows. What about updates? With the fast-paced pace of modern software development, applications may not always be able to update as soon as a new version of an application is released.

What’s the risk?

Prior to commit 5b6255ae049fa4641791e47fad994e8e8c4da374, Hermitary was vulnerable to a write-what-where condition due to an integer overflow in the handling of a JavaScript property. What's done to mitigate this? Since this was a security-related issue, the security team took immediate action to patch the issue. How to stay safe? - Make sure application code (e.g. server-side) doesn’t allow untrusted data to be sent via XHR.
- Make sure JavaScript code (e.g. client-side) doesn’t allow arbitrary JavaScript to be executed. - Make sure application code is written in a way that prevents integer overflows. What about updates? With the fast-paced pace of modern software development, applications may not always be able to update as soon as a new version of an application is released.

Timeline

Published on: 10/11/2022 02:15:00 UTC
Last modified on: 10/11/2022 19:09:00 UTC

References