JVNDB-2017-005208

gSOAP vulnerable to stack-based buffer overflow

Overview

The gSOAP library provided by Genivia contains a stack-based buffer overflow (CWE-121). Processing a crafted SOAP message sent by a remote attacker may result in code execution.

CVSS Severity

Base Metrics: 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

CVSS V3 Severity:
Base Metrics: 7.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Affected Products

Genivia
  • gSOAP versions prior to 2.8.48

Impact

Processing a crafted SOAP message sent by a remote attacker may result in code execution.

Solution

[Update to the latest version]
Update to the latest version according to the information provided by the developer.

The developer released gSOAP version 2.8.48 on June 21st, 2017, to fix this vulnerability.

Vendor Information

  • Genivia
  • SUSE
  • Red Hat, Inc.

CWE

  1. Stack-based Buffer Overflow (CWE-121) [IPA Evaluation]

CVE

  1. CVE-2017-9765

References

  1. JVN : JVNVU#98807587
  2. Related document : Senrio Blog - Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions
  3. Related document : Devil's Ivy

Revision History

[2017/07/21]
  Web page was published