#VU20493 Integer overflow in OpenJPEG - CVE-2018-5785

Cybersecurity Help s.r.o.

Published: 2019-08-30

Vulnerability identifier: #VU20493

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-5785

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenJPEG
Universal components / Libraries / Libraries used by multiple products

Vendor: openjpeg.org

Description

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to integer overflow in opj_j2k_setup_encoder function (openjp2/j2k.c). A remote attacker can create a specially crafted bmp image, trigger integer overflow and crash the affected application.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

OpenJPEG: 2.3.0

External links
https://github.com/uclouvain/openjpeg/issues/1057
https://usn.ubuntu.com/4109-1/
https://www.debian.org/security/2019/dsa-4405

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for openjpeg2

Ubuntu update for OpenJPEG

Integer overflow in openjpeg (Alpine package)

Denial of service in OpenJPEG