SB2024022066 - SUSE update for hdf5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024022066

SB2024022066 - SUSE update for hdf5

Published: February 20, 2024

Security Bulletin ID SB2024022066
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: CVE-2016-4332)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to library's failure to check if certain message types support a particular flag and the library can cast the structure to an alternative structure and then assign to fields that aren't supported by the message type and the library can write outside the bounds of the heap buffer. A local attacker can trigger heap-based buffer overflow and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

2) NULL pointer dereference (CVE-ID: CVE-2018-11202)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in H5S_hyper_make_spans in H5Shyper.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service attack. A remote attacker can perform a denial of service (DoS) attack.


3) Buffer overflow (CVE-ID: CVE-2019-8396)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the H5O__layout_encode function in H5Olayout.c. A remote attacker can pass specially crafted data to the application, trigger a buffer buffer overflow and perform a denial of service (DoS) attack.


4) NULL pointer dereference (CVE-ID: CVE-2020-10812)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the H5F_get_nrefs() function in H5Fquery.c. A remote attacker can perform a denial of service (DoS) attack.


5) Out-of-bounds write (CVE-ID: CVE-2021-37501)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the h5tools_str_sprint() function in /hdf5/tools/lib/h5tools_str.c. A remote attacker can trigger an out-of-bounds write and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References