Remote code execution in OpenJPEG
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-6851 CVE-2020-8112 CVE-2019-6988 |
| CWE-ID | CWE-122 CWE-400 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
OpenJPEG Universal components / Libraries / Libraries used by multiple products |
| Vendor | openjpeg.org |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
Updated: 24.02.2020
Added vulnerability #2.
Updated: 29.12.2020
Updated list of affected and fixed versions, added vulnerability #3, changed bulletin status to patched.
1) Heap-based buffer overflow
EUVDB-ID: #VU24306
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6851
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the opj_t1_clbl_decode_processor() function in libopenjp2.so. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOpenJPEG: 2.3.0 - 2.3.1
External linkshttp://github.com/uclouvain/openjpeg/issues/1228
http://github.com/uclouvain/openjpeg/blob/v2.4.0/CHANGELOG.md
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU25546
Risk: Medium
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8112
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the the qmfbid==1 case, a different issue than CVE-2020-6851. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOpenJPEG: 2.3.1
External linkshttp://access.redhat.com/errata/RHSA-2020:0550
http://github.com/uclouvain/openjpeg/issues/1231
http://lists.debian.org/debian-lts-announce/2020/01/msg00035.html
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFEVEKETJV7GOXD5RDWL35ESEDHC663E/
http://github.com/uclouvain/openjpeg/blob/v2.4.0/CHANGELOG.md
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU17319
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-6988
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper memory operations that are performed by the opj_calloc function, as defined in the openjp2/opj_malloc.c source code file when a call is made from the opj_tcd_init_tile function in the openjp2/tcd.c file. A remote attacker can trick the victim into executing an JPEG 2000 image file with a 64-bit opj_decompress program that submits malicious input, consume excessive amounts of memory resources and cause the affected application to hang.
MitigationInstall update from vendor's website.
Vulnerable software versionsOpenJPEG: 2.3.0 - 2.3.1
External linkshttp://github.com/uclouvain/openjpeg/issues/1178
http://github.com/uclouvain/openjpeg/blob/v2.4.0/CHANGELOG.md
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
