[Japanese]

JVNDB-2017-005208

gSOAP vulnerable to stack-based buffer overflow

Overview

gSOAP library provided by Genivia contains a stack-based buffer overflow(CWE-121). Processing a crafted SOAP message sent by a remote attacker may result in code execution.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Genivia
  • gSOAP versions prior to 2.8.48

Impact

Processing a crafted SOAP message sent by a remote attacker may result in code execution.
Solution

[Update to the latest version]
Update to the latest version according to the information provided by the developer.

The developer released gSOAP version 2.8.48 on June 21th, 2017, to fix this vulnerability.
Vendor Information

Genivia SUSE Red Hat, Inc.
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2017-9765
References

  1. JVN : JVNVU#98807587
  2. National Vulnerability Database (NVD) : CVE-2017-9765
  3. Related document : Senrio Blog - Devil's Ivy: Flaw in Widely Used Third-party Code Impacts Millions
  4. Related document : Devil's Ivy
Revision History

  • [2017/07/21]
      Web page was published
    [2018/02/14]
      References : Content was added
      Vendor Information : Content was added

Date Public2017/06/21
Date First Published2017/07/21
Date Last Updated2018/02/14