Malformed PID_PROPERTY_LIST parameter in DATA submessage remotely crashes OpenDDS
CVE-2023-37915

7.5HIGH

Key Information:

Vendor: Opendds
Status: Opendds
Vendor: CVE Published:; 21 July 2023

Summary

OpenDDS, an open-source C++ implementation of the Object Management Group (OMG) Data Distribution Service, is susceptible to a vulnerability that can lead to process crashes. This issue arises from the parsing of a malformed PID_PROPERTY_LIST in a DATA submessage during participant discovery. Attackers can exploit the vulnerability remotely by sending a corrupt DATA submessage to a known multicast port, causing a crash in the OpenDDS processes. Users are strongly encouraged to upgrade to version 3.25, as there are no known workarounds available.

Affected Version(s)

OpenDDS < 3.25

References

https://github.com/OpenDDS/OpenDDS/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/OpenDDS/OpenDDS/releases/tag/DDS-3.25

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 21, 2023
Vulnerability Reserved
Jul 10, 2023