Описание
An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.
A flaw was found in the libtiff library. This issue allows an attacker who can submit a specially crafted file to an application linked with libtiff to cause an infinite loop, resulting in a denial of service.
Отчет
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform enforces hardening guidelines to ensure the most restrictive setting needed for operational requirements. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention. This process ensures that audit logs are generated for specific events involving sensitive information, enabling capabilities like excessive CPU usage, long execution times, or processes consuming abnormal amounts of memory. Static code analysis and peer code review techniques are used to execute robust input validation and error-handling mechanisms to ensure all user inputs are thoroughly validated, preventing infinite loops caused by malformed or unexpected input, such as unbounded user input or unexpected null values that cause loops to never terminate. In the event of successful exploitation, process isolation limits the effect of an infinite loop to a single process rather than allowing it to consume all system resources.
Меры по смягчению последствий
Applications that do not parse files from untrusted or malicious sources will not be affected by this vulnerability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | libtiff | Out of support scope | ||
| Red Hat Enterprise Linux 7 | compat-libtiff3 | Out of support scope | ||
| Red Hat Enterprise Linux 7 | libtiff | Out of support scope | ||
| Red Hat Enterprise Linux 8 | compat-libtiff3 | Will not fix | ||
| Red Hat Enterprise Linux 8 | libtiff | Will not fix | ||
| Red Hat Enterprise Linux 9 | libtiff | Fixed | RHSA-2024:2289 | 30.04.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.
An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.
An issue was discovered in function TIFFReadDirectory libtiff before 4 ...
An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.
Уязвимость функции TIFFReadDirectory библиотеки LibTIFF, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
6.5 Medium
CVSS3