#VU21456 Infinite loop in OpenJPEG - CVE-2019-12973

Cybersecurity Help s.r.o.

Published: 2019-10-01 | Updated: 2020-12-29

Vulnerability identifier: #VU21456

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-12973

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenJPEG
Universal components / Libraries / Libraries used by multiple products

Vendor: openjpeg.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c in Open JPEG. A remote attacker can create a specially crafted .bmp file, pass it to the affected application and perform denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenJPEG: 2.1.1 - 2.3.1

External links
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html
https://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html
https://www.securityfocus.com/bid/108900
https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3
https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503
https://github.com/uclouvain/openjpeg/blob/v2.4.0/CHANGELOG.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler update for openjpeg2

Gentoo update for OpenJPEG

Infinite loop in openjpeg (Alpine package)

OpenSUSE Linux update for ghostscript

Denial of service in OpenJPEG