Multiple vulnerabilities in Kakadu SDK

Published: 2018-04-24 | Updated: 2020-08-08

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2017-2811 CVE-2017-2812
CWE-ID	CWE-787
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Kakadu SDK Other software / Other software solutions
Vendor	Kakadu Software

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Out-of-bounds write

EUVDB-ID: #VU37161

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-2811

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A code execution vulnerability exists in the Kakadu SDK 7.9's parsing of compressed JPEG 2000 images. A specially crafted JPEG 2000 file can be read by the program, and can lead to an out of bounds write causing an exploitable condition to arise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Kakadu SDK: 7.9

External links

http://www.securityfocus.com/bid/100141
http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0308

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

EUVDB-ID: #VU37162