SB20171211329 - Multiple vulnerabilities in HDF5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20171211329

SB20171211329 - Multiple vulnerabilities in HDF5

Published: December 11, 2017 Updated: August 8, 2020

Security Bulletin ID SB20171211329
Severity
High
Patch available
NO
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 20% Medium 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2017-17505)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dreference error in H5Opline.c file in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file. A remote attacker can perform a denial of service (DoS) attack.


2) Out-of-bounds read (CVE-ID: CVE-2017-17506)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5Opline_pline_decode in H5Opline.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file.


3) Out-of-bounds read (CVE-ID: CVE-2017-17507)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file.


4) Division by zero (CVE-ID: CVE-2017-17508)

The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to division by zero error when processing untrusted input in the H5T.c file in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file. A remote attacker can perform denial of service attack.


5) Out-of-bounds write (CVE-ID: CVE-2017-17509)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In HDF5 1.10.1, there is an out of bounds write vulnerability in the function H5G__ent_decode_vec in H5Gcache.c in libhdf5.a. For example, h5dump would crash or possibly have unspecified other impact someone opens a crafted hdf5 file.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References