When processing a crafted input, the function OCP_PC1_GET_DETAIL_INFO would write beyond the end of a heap buffer. By sending an attacker-controlled value, an attacker could cause a denial of service condition or potentially execute arbitrary code.

CVE-2019-2702 was discovered in the component /core/CorePrP.f03b. When processing a crafted input, the function OCP_PRP_GET_PROPERTY_VALUE would write beyond the end of a heap buffer. By sending an attacker-controlled value, an attacker could cause a denial of service condition or potentially execute arbitrary code.

- End-of-life status has been declared for all products where a CVSS score of 10.0 or lower has been reported.

Mitigation Strategies

- Ensure that all potential vulnerabilities are discovered and reported in a timely manner

CVSSv3: https://doi.org/10.6271/N62260

The following vulnerabilities have been discovered and assigned CVE identifiers:

CVE-2019-2702    OCP_PRP_GET_PROPERTY_VALUE, OCP_PC1_GET_DETAIL_INFO
CVE-2022-38306   OCPS2D, OCPS3

Mitigation Strategy for CVE-2019-2702

- The user must upgrade to the latest software version.
- For users running a previous version of their software, the following mitigation strategies are recommended:
- Upgrade all affected products in your environment to the newest software release for impacted products.
- Use a sandboxing mechanism such as AppShield or AppLocker to prevent untrusted code from running on your system.

CVSS Scores

CVSS stands for Common Vulnerability Scoring System, an open standard for scoring the severity of software vulnerabilities that is used by the US National Vulnerability Database, MITRE and NIST.

Vendors use this score to prioritise the patching process for the affected product.

Vulnerability Description

Vulnerabilities were discovered in the OCP components. In these cases, exploitation could cause a denial of service condition or potentially allow arbitrary code execution. This patch will be applied to all products where a CVSS score of 10.0 or lower has been reported.

Timeline

Published on: 09/13/2022 21:15:00 UTC
Last modified on: 09/21/2022 20:11:00 UTC

References