CVE-2023-1709
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Datalogics Library APDFLThe v18.0.4PlusP1e and prior contains a stack-based buffer overflow due to documents containing corrupted fonts, which could allow an attack that causes an unhandled crash during the rendering process.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Siemens | JT2Go | 0 < 14.2.0.2 | affected |
| Siemens | Teamcenter Visualization | 13.2 < 13.2.0.13 | affected |
| Siemens | Teamcenter Visualization | 13.3 < 13.3.0.9 | affected |
| Siemens | Teamcenter Visualization | 14.0 < 14.0.0.5 | affected |
| Siemens | Teamcenter Visualization | 14.1 < 14.1.0.7 | affected |
| Siemens | Teamcenter Visualization | 14.2 < 14.2.0.2 | affected |
| Datalogics | Library APDFL | 0 <= v18.0.4PlusP1e | affected |
Weaknesses
- CWE-121: CWE-121: Stack-based Buffer Overflow
Workarounds
Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risks:
- Avoid opening untrusted files in JT2Go and Teamcenter Visualization
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security https://www.siemens.com/cert/operational-guidelines-industrial-security , and to follow the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at the Siemens Industrial Security web page https://www.siemens.com/industrialsecurity .
For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT https://www.siemens.com/cert/advisories .
Datalogics recommends users to update to APDFL v18.0.4PlusP1g. Contact Datalogics https://www.datalogics.com/datalogics-contact-us for more information on obtaining this update.
For more information, refer to Datalogic’s release notes https://dev.datalogics.com/adobe-pdf-library/release-notes-adobe-pdf-library-v-18/ .
ADP Enrichment
CVE Program Container
Additional References
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-11
- https://cert-portal.siemens.com/productcert/html/ssa-629917.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-164-01
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-11
- https://cert-portal.siemens.com/productcert/html/ssa-629917.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-164-01
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.