Vulnerability Note VU#602540
ICU Project ICU4C library contains multiple overflow vulnerabilities
The ICU Project's ICU4C library, versions 52 through 54, contains a heap-based buffer overflow and an integer overflow.
The ICU Project describes ICU as "a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications."
CWE-122: Heap-based Buffer Overflow - CVE-2014-8146
An attacker may be able to provide input that triggers one or both overflow vulnerabilities, leading to denial of service and the possibility of code execution.
Apply an update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian GNU/Linux | Affected | 30 Apr 2015 | 03 Aug 2015 |
| FreeBSD Project | Affected | 30 Apr 2015 | 01 May 2015 |
| ICU Project | Affected | 24 Apr 2015 | 04 May 2015 |
| SAP | Not Affected | 30 Apr 2015 | 07 May 2015 |
| Adobe | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| Amazon | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| Apache HTTP Server Project | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| Apple | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| Avaya, Inc. | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| BAE Systems | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| Business Objects | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| Dell Computer Corporation, Inc. | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| eBay | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| Eclipse Foundation Inc | Unknown | 30 Apr 2015 | 30 Apr 2015 |
| EMC Corporation | Unknown | 30 Apr 2015 | 30 Apr 2015 |
CVSS Metrics
Thanks to Pedro Ribeiro (firstname.lastname@example.org) of Agile Information Security for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2014-8146 CVE-2014-8147
- Date Public: 04 May 2015
- Date First Published: 04 May 2015
- Date Last Updated: 03 Aug 2015
- Document Revision: 24