CVSS: 8.6EPSS: 0%CPEs: 3EXPL: 1CVE-2023-42459 – Malformed DATA submessage leads to bad-free error in Fast-DDS
https://notcve.org/view.php?id=CVE-2023-42459
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions specific DATA submessages can be sent to a discovery locator which may trigger a free error. This can remotely crash any Fast-DDS process. The call to free() could potentially leave the pointer in the attackers control which could lead to a double free. This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3, and 2.6.7. • https://github.com/eProsima/Fast-DDS/issues/3207 https://github.com/eProsima/Fast-DDS/pull/3824 https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm https://www.debian.org/security/2023/dsa-5568 • CWE-415: Double Free CWE-416: Use After Free CWE-590: Free of Memory not on the Heap •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-39948 – Uncaught fastcdr exception (Unexpected CDR type received) crashing fastdds
https://notcve.org/view.php?id=CVE-2023-39948
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0 and 2.6.5, the `BadParamException` thrown by Fast CDR is not caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a patch for this issue. eprosima Fast DDS es una implementación en C++ del estándar Data Distribution Service del Object Management Group. Antes de las versiones 2.10.0 y 2.6.5, la `BadParamException` lanzada por Fast CDR no es capturada en Fast DDS. • https://github.com/eProsima/Fast-DDS/files/11117197/fastdds-assert.pcap.zip https://github.com/eProsima/Fast-DDS/issues/3422 https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-x9pj-vrgf-f68f https://www.debian.org/security/2023/dsa-5481 • CWE-248: Uncaught Exception •
CVSS: 8.2EPSS: 0%CPEs: 6EXPL: 0CVE-2023-39947 – Another heap overflow in push_back_helper
https://notcve.org/view.php?id=CVE-2023-39947
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, even after the fix at commit 3492270, malformed `PID_PROPERTY_LIST` parameters cause heap overflow at a different program counter. This can remotely crash any Fast-DDS process. Versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6 contain a patch for this issue. eprosima Fast DDS es una implementación en C++ del estándar Data Distribution Service del Object Management Group. Antes de las versiones 2.11.1, 2.10.2, 2.9.2, y 2.6.6, incluso después de la corrección en el commit 3492270, los parámetros malformados `PID_PROPERTY_LIST` causan desbordamiento de heap en un contador de programa diferente. • https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-mf55-5747-c4pv https://www.debian.org/security/2023/dsa-5481 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 8.2EPSS: 0%CPEs: 6EXPL: 0CVE-2023-39946 – Heap overflow in push_back_helper due to a CDR message
https://notcve.org/view.php?id=CVE-2023-39946
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.1, 2.10.2, 2.9.2, and 2.6.6, heap can be overflowed by providing a PID_PROPERTY_LIST parameter that contains a CDR string with length larger than the size of actual content. In `eprosima::fastdds::dds::ParameterPropertyList_t::push_back_helper`, `memcpy` is called to first copy the octet'ized length and then to copy the data into `properties_.data`. At the second memcpy, both `data` and `size` can be controlled by anyone that sends the CDR string to the discovery multicast port. This can remotely crash any Fast-DDS process. • https://github.com/eProsima/Fast-DDS/commit/349227005827e8a67a0406b823138b5068cc47dc https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-j297-rg6j-m7hx https://www.debian.org/security/2023/dsa-5481 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 8.2EPSS: 0%CPEs: 5EXPL: 0CVE-2023-39945 – Malformed serialized data in a data submessage leads to unhandled exception
https://notcve.org/view.php?id=CVE-2023-39945
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue. eprosima Fast DDS es una implementación en C++ del estándar Data Distribution Service del Object Management Group. Antes de las versiones 2.11.0, 2.10.2, 2.9.2, y 2.6.5, un submensaje de datos enviado al puerto PDP lanzaba una `BadParamException` no manejada en fastcdr, que a su vez bloqueaba fastdds. Las versiones 2.11.0, 2.10.2, 2.9.2 y 2.6.5 contienen un parche para este problema. • https://bombshell.gtisc.gatech.edu/ddsfuzz/pcap/fastdds-exception-20230509-02.pcap https://github.com/eProsima/Fast-CDR/blob/v1.0.26/src/cpp/Cdr.cpp#L72-L79 https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-2rq6-8j7x-frr9 https://www.debian.org/security/2023/dsa-5481 • CWE-248: Uncaught Exception •