CVE-2022-3160

Summary

The APDFL.dll contains an out-of-bounds write past the fixed-length heap-based buffer while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process.

Affected Software

VendorProductVersion RangeStatus
Siemens JT2Go0 < 14.1.0.5affected
Siemens Teamcenter Visualization V13.30 < 13.3.0.8affected
Siemens Teamcenter Visualization V14.00 < 14.0.0.4affected
Siemens Teamcenter Visualization V14.10 < 14.1.0.5affected

Weaknesses

  • CWE-122: CWE-122

Workarounds

Siemens identified the following specific workaround and mitigation user can apply to reduce risk:

  • Do not open untrusted PDF files in JT2Go and Teamcenter Visualization.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security https://www.siemens.com/cert/operational-guidelines-industrial-security

and following the recommendations in the product manuals. Siemens also provides additional information on industrial security https://www.siemens.com/industrialsecurity .

For further inquiries on security vulnerabilities in Siemens products, users should contact Siemens https://www.siemens.com/cert/advisories .

For more information, see the associated Siemens security advisory SSA-360681 in HTML https://cert-portal.siemens.com/productcert/html/ssa-360681.html and CSAF https://cert-portal.siemens.com/productcert/csaf/ssa-360681.json .

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References