CVE-2023-1709

Summary

Datalogics Library APDFLThe v18.0.4PlusP1e and prior contains a stack-based buffer overflow due to documents containing corrupted fonts, which could allow an attack that causes an unhandled crash during the rendering process.

Affected Software

VendorProductVersion RangeStatus
SiemensJT2Go0 < 14.2.0.2affected
SiemensTeamcenter Visualization13.2 < 13.2.0.13affected
SiemensTeamcenter Visualization13.3 < 13.3.0.9affected
SiemensTeamcenter Visualization14.0 < 14.0.0.5affected
SiemensTeamcenter Visualization14.1 < 14.1.0.7affected
SiemensTeamcenter Visualization14.2 < 14.2.0.2affected
DatalogicsLibrary APDFL0 <= v18.0.4PlusP1eaffected

Weaknesses

  • CWE-121: CWE-121: Stack-based Buffer Overflow

Workarounds

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risks:

  • Avoid opening untrusted files in JT2Go and Teamcenter Visualization

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security https://www.siemens.com/cert/operational-guidelines-industrial-security , and to follow the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at the Siemens Industrial Security web page https://www.siemens.com/industrialsecurity .

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT https://www.siemens.com/cert/advisories .

Datalogics recommends users to update to APDFL v18.0.4PlusP1g. Contact Datalogics https://www.datalogics.com/datalogics-contact-us  for more information on obtaining this update.

For more information, refer to Datalogic’s release notes https://dev.datalogics.com/adobe-pdf-library/release-notes-adobe-pdf-library-v-18/ .

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References