Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5c63230e-b733-4b15-1f5a-e885929bf474@apache.org>
Date: Mon, 20 Dec 2021 10:00:38 +0000
From: Christofer Dutz <cdutz@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-43083: Apache PLC4X 0.9.0 Buffer overflow in PLC4C via
 crafted server response 

Description:

Apache PLC4X - PLC4C (Only the C language implementation was effected) was vulnerable to an unsigned integer underflow flaw inside the tcp transport. Users should update to 0.9.1, which addresses this issue.

However, in order to exploit this vulnerability, a user would have to actively connect to a mallicious device which could send a response with invalid content. Currently we consider the probability of this being exploited as quite minimal, however this could change in the future, especially with the industrial networks growing more and more together.

Credit:

Apache PLC4X would like to thank Eugene Lim for reporting this issue.

References:

https://lists.apache.org/thread/jxx6qc84z60xbbhn6vp2s5qf09psrtc7

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.