SB2022120611 - Multiple vulnerabilities in Wasmtime
Published: December 6, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2022-39392)
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within zero-memory-pages configuration. A remote administrator can trigger out-of-bounds write and execute arbitrary code on the target system.
2) Information disclosure (CVE-ID: CVE-2022-39393)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application between instances in the pooling allocator. A remote attacker can gain unauthorized access to sensitive information on the system.
3) Out-of-bounds write (CVE-ID: CVE-2022-39394)
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in "wasmtime_trap_code" C API function. A remote administrator can trigger out-of-bounds write and execute arbitrary code on the target system.
Remediation
Install update from vendor's website.
References
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-44mr-8vmm-wjhg
- https://github.com/bytecodealliance/wasmtime/commit/e60c3742904ccbb3e26da201c9221c38a4981d72
- https://github.com/bytecodealliance/wasmtime/commit/2614f2e9d2d36805ead8a8da0fa0c6e0d9e428a0
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-wh6w-3828-g9qf
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-h84q-m8rr-3v9q
- https://github.com/bytecodealliance/wasmtime/commit/087d9d7becf7422b3f872a3bcd5d97bb7ce7ff36