Zlib memory corruption when deflating (i.e. when compressing)
22342
07 November 2023
01 August 2023
OPEN
LOW
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2018-25032
|
Brocade Security Advisory ID |
BSA-2023-1774 |
|
Component |
zlib |
|
|
|
Summary
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Products Affected
Brocade SANnav versions prior to v2.2.2 are affected
Brocade Fabric OS contains the vulnerable module, but a user must have root privileges in order to attempt to exploit this vulnerability
Brocade ASCG OVA releases prior to v3.0 contain the vulnerable module in the underlying OS. The ASCG product itself is not affected.
Solution
Solution provided in Brocade SANnav v2.2.2
While Brocade Fabric OS is effectively not exploitable, the vulnerable module was removed in Fabric OS v9.2.0 and later versions
Brocade ASCG provides an update in v3.0 and later versions to ensure the underlying OS in Brocade ASCG OVA releases are not affected
Revision History
|
Version |
Change |
Date |
|
1.0 |
Initial Publication |
August 1, 2023 |
|
1.1 |
Lowered Risk Assessment to Low as FOS is not exploitablable without root access |
October 3, 2023 |
|
2.0 |
Provided communication for ASCG |
November 7, 2023 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.