CVSS2 Metric | Value |
---|---|
Base Score | 7.5 High |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |

EPSS: 0.026 (Low), Percentile: 90.2%
ICU Project ICU4C library, versions 52 through 54, contains a heap-based buffer overflow and an integer overflow.
The ICU Project describes ICU as “a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications.”
CWE-122: Heap-based Buffer Overflow - CVE-2014-8146
Multiple out-of-bounds writes may occur in the resolveImplicitLevels function of ubidi.c in affected versions of ICU4C.
CWE-190: Integer Overflow or Wraparound - CVE-2014-8147
An integer overflow may occur in the resolveImplicitLevels function of ubidi.c in affected versions of ICU4C due to the assignment of an int32 value to an int16 type.
Both issues may lead to denial of service and the possibility of code execution. For more details, refer to Pedro Ribeiro’s disclosure.
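The integer overflow above is a narrowing defect: a value computed as an int32 is stored into an int16, so anything outside the 16-bit range silently wraps and later feeds an index or count. The following C program is an added example written for this note, not ICU code; it uses hypothetical function names and constructed sample values to show the unchecked narrowing beside a range-checked version that rejects out-of-range input, which is the check a reviewer would look for at such an assignment.

```c
/* Added example (not from ICU): narrowing int32_t to int16_t.
 * Converting an out-of-range value to int16_t is implementation-defined in C;
 * common compilers wrap modulo 2^16, so 65537 becomes 1 and 32768 becomes -32768.
 * Function names below are hypothetical. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked narrowing: the pattern the advisory describes. */
int16_t narrow_unchecked(int32_t value) {
    int16_t out = (int16_t)value;   /* high 16 bits are discarded */
    return out;
}

/* Range check that should guard any int32 -> int16 assignment. */
bool fits_int16(int32_t value) {
    return value >= INT16_MIN && value <= INT16_MAX;
}

/* Checked narrowing: refuse values that cannot be represented.
 * Returns false (and leaves *out untouched) on failure so the caller
 * must handle the error path instead of continuing with a wrapped value. */
bool narrow_checked(int32_t value, int16_t *out) {
    if (!fits_int16(value)) {
        return false;
    }
    *out = (int16_t)value;
    return true;
}

int main(void) {
    /* Constructed sample values: in range, at the boundary, and beyond it. */
    int32_t samples[] = { 100, 32767, 32768, 65537, -40000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t checked = 0;
        bool ok = narrow_checked(samples[i], &checked);
        printf("%7d -> unchecked %6d, checked %s\n",
               samples[i], narrow_unchecked(samples[i]),
               ok ? "accepted" : "REJECTED");
    }
    return 0;
}
```

Run it to see that the unchecked path turns 65537 into 1 and 32768 into -32768 while the checked path rejects both; a wrapped value of that kind, used as an offset, is how a narrowing bug becomes an out-of-bounds access.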
An attacker may be able to provide input that triggers one or both overflow vulnerabilities, leading to denial of service and the possibility of code execution.
Apply an update
These issues have been addressed in ICU4C version 55.1. Developers are encouraged to update applications that make use of affected versions of ICU4C. Users of affected products should check with product vendors for updates that utilize a patched version of ICU4C.
602540
Notified: April 30, 2015 Updated: August 03, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 30, 2015 Updated: May 01, 2015
Statement Date: April 30, 2015
Affected
> Thanks for the notification. We believe this has already been
> addressed in FreeBSD about a week ago:
> https://svnweb.freebsd.org/ports?view=revision&revision=384614
> Prior to that we were affected, as the previous icu version was 53.1.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 24, 2015 Updated: May 04, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
ICU4C versions 52 through 54 are affected by these vulnerabilities.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23602540 Feedback>).
Notified: April 30, 2015 Updated: May 07, 2015
Statement Date: May 06, 2015
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 30, 2015 Updated: April 30, 2015
Unknown
We have not received a statement from the vendor.

A further 27 vendors were notified on April 30, 2015 with status Unknown and no statement received, giving 31 vendors listed in total.
Group | Score | Vector |
---|---|---|
Base | 4.4 | AV:L/AC:M/Au:N/C:P/I:P/A:P |
Temporal | 3.4 | E:POC/RL:OF/RC:C |
Environmental | 3.4 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to Pedro Ribeiro ([email protected]) of Agile Information Security for reporting this vulnerability.
This document was written by Joel Land.
Field | Value |
---|---|
CVE IDs | CVE-2014-8146, CVE-2014-8147 |
Date Public | 2015-05-04 |
Date First Published | |