Vulnerability Note VU#602540
ICU Project ICU4C library contains multiple overflow vulnerabilities
Overview
ICU Project ICU4C library, versions 52 through 54, contains a heap-based buffer overflow and an integer overflow.
Description
The ICU Project describes ICU as "a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications."
CWE-122: Heap-based Buffer Overflow - CVE-2014-8146
CWE-190: Integer Overflow or Wraparound - CVE-2014-8147
Impact
An attacker may be able to provide input that triggers one or both overflow vulnerabilities, leading to denial of service and the possibility of code execution.
Solution
Apply an update
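The following script is an added example, not part of the CERT note, for checking whether an installed ICU4C build falls in the range this note lists as affected (52 through 54; the note's references point at the ICU 55 download as the update). It assumes `pkg-config` and ICU's `icu-uc` module file are installed for the live lookup; the classification itself works on any version string, including the older `4.x`-style numbering ICU used before 49.

```python
"""Classify an ICU4C version against the affected range in VU#602540.

Added example, not part of the CERT note. Assumes pkg-config and ICU's
icu-uc.pc are present for installed_icu_version(); everything else is
pure string handling and runs offline.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

AFFECTED_MAJOR = range(52, 55)   # 52, 53, 54 as stated in the note's Overview
FIXED_MAJOR = 55                 # the note's references link the ICU 55 download


def parse_icu_version(text: str) -> Tuple[int, ...]:
    """Pull a dotted version such as '54.1' or '4.8.1.1' out of tool output.

    ICU switched from '4.x' numbering to '49.x' numbering at release 49,
    so the first component is the major version for the range this note
    describes.
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'outside stated range' for a version."""
    major = parse_icu_version(version)[0]
    if major in AFFECTED_MAJOR:
        return "affected"
    if major >= FIXED_MAJOR:
        return "fixed"
    # Older than 52: the note does not list it, so defer to vendor advisories.
    return "outside stated range"


def installed_icu_version() -> Optional[str]:
    """Ask pkg-config for the icu-uc module version; None if unavailable.

    Assumption: pkg-config --modversion prints the bare version, e.g. '55.1'.
    """
    if shutil.which("pkg-config") is None:
        return None
    try:
        result = subprocess.run(
            ["pkg-config", "--modversion", "icu-uc"],
            capture_output=True, text=True, check=True,
        )
    except subprocess.CalledProcessError:
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings covering each branch of classify().
    for sample in ("52.1", "54.1", "55.1", "4.8.1.1"):
        print(f"{sample:>8} -> {classify(sample)}")
    live = installed_icu_version()
    print("installed:", live, "->", classify(live) if live else "unknown")
```

The live lookup only covers the system copy found through pkg-config; applications that bundle their own ICU (the vendor table above lists several such projects) need the same check against the library they actually ship.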
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Debian GNU/Linux | Affected | 30 Apr 2015 | 03 Aug 2015 |
FreeBSD Project | Affected | 30 Apr 2015 | 01 May 2015 |
ICU Project | Affected | 24 Apr 2015 | 04 May 2015 |
SAP | Not Affected | 30 Apr 2015 | 07 May 2015 |
Adobe | Unknown | 30 Apr 2015 | 30 Apr 2015 |
Amazon | Unknown | 30 Apr 2015 | 30 Apr 2015 |
Apache HTTP Server Project | Unknown | 30 Apr 2015 | 30 Apr 2015 |
Apple | Unknown | 30 Apr 2015 | 30 Apr 2015 |
Avaya, Inc. | Unknown | 30 Apr 2015 | 30 Apr 2015 |
BAE Systems | Unknown | 30 Apr 2015 | 30 Apr 2015 |
Business Objects | Unknown | 30 Apr 2015 | 30 Apr 2015 |
Dell Computer Corporation, Inc. | Unknown | 30 Apr 2015 | 30 Apr 2015 |
eBay | Unknown | 30 Apr 2015 | 30 Apr 2015 |
Eclipse Foundation Inc | Unknown | 30 Apr 2015 | 30 Apr 2015 |
EMC Corporation | Unknown | 30 Apr 2015 | 30 Apr 2015 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 4.4 | AV:L/AC:M/Au:N/C:P/I:P/A:P |
Temporal | 3.4 | E:POC/RL:OF/RC:C |
Environmental | 3.4 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
References
- http://site.icu-project.org/
- http://site.icu-project.org/download/55
- http://site.icu-project.org/#TOC-Who-Uses-ICU-
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/190.html
- https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt
Credit
Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting this vulnerability.
This document was written by Joel Land.
Other Information
- CVE IDs: CVE-2014-8146 CVE-2014-8147
- Date Public: 04 May 2015
- Date First Published: 04 May 2015
- Date Last Updated: 03 Aug 2015
- Document Revision: 24
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.