CVE-2017-17484 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 89%

Affected Products (NVD)

Vendor	Product	Version
icu-project	international_components_for_unicode	𝑥 ≤ 60.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

icu

bookworm	72.1-3 fixed
bullseye	67.1-7 fixed
sid	72.1-5 fixed
trixie	72.1-5 fixed

Ubuntu Releases

Ubuntu Product

Codename

icu

artful	not-affected
trusty	not-affected
xenial	not-affected
zesty	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

libicu-doc

suse enterprise sap 12 SP1	52.1-8.7.1 fixed
suse enterprise sap 12 SP2	52.1-8.7.1 fixed
suse enterprise sap 12 SP3	52.1-8.7.1 fixed
suse enterprise sap 12 SP5	52.1-8.7.1 fixed
suse enterprise server 12	52.1-8.7.1 fixed
suse enterprise server 12 SP1	52.1-8.7.1 fixed
suse enterprise server 12 SP2	52.1-8.7.1 fixed
suse enterprise server 12 SP3	52.1-8.7.1 fixed
suse enterprise server 12 SP4	52.1-8.7.1 fixed
suse enterprise server 12 SP5	52.1-8.7.1 fixed

libicu52_1

suse enterprise sap 12 SP1	52.1-8.7.1 fixed
suse enterprise sap 12 SP2	52.1-8.7.1 fixed
suse enterprise sap 12 SP3	52.1-8.7.1 fixed
suse enterprise sap 12 SP5	52.1-8.7.1 fixed
suse enterprise server 12	52.1-8.7.1 fixed
suse enterprise server 12 SP1	52.1-8.7.1 fixed
suse enterprise server 12 SP2	52.1-8.7.1 fixed
suse enterprise server 12 SP3	52.1-8.7.1 fixed
suse enterprise server 12 SP4	52.1-8.7.1 fixed
suse enterprise server 12 SP5	52.1-8.7.1 fixed

libicu52_1-32bit

suse enterprise sap 12 SP1	52.1-8.7.1 fixed
suse enterprise sap 12 SP2	52.1-8.7.1 fixed
suse enterprise sap 12 SP3	52.1-8.7.1 fixed
suse enterprise sap 12 SP5	52.1-8.7.1 fixed
suse enterprise server 12	52.1-8.7.1 fixed
suse enterprise server 12 SP1	52.1-8.7.1 fixed
suse enterprise server 12 SP2	52.1-8.7.1 fixed
suse enterprise server 12 SP3	52.1-8.7.1 fixed
suse enterprise server 12 SP4	52.1-8.7.1 fixed
suse enterprise server 12 SP5	52.1-8.7.1 fixed

libicu52_1-data

suse enterprise sap 12 SP1	52.1-8.7.1 fixed
suse enterprise sap 12 SP2	52.1-8.7.1 fixed
suse enterprise sap 12 SP3	52.1-8.7.1 fixed
suse enterprise sap 12 SP5	52.1-8.7.1 fixed
suse enterprise server 12	52.1-8.7.1 fixed
suse enterprise server 12 SP1	52.1-8.7.1 fixed
suse enterprise server 12 SP2	52.1-8.7.1 fixed
suse enterprise server 12 SP3	52.1-8.7.1 fixed
suse enterprise server 12 SP4	52.1-8.7.1 fixed
suse enterprise server 12 SP5	52.1-8.7.1 fixed

Known Exploits!

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://github.com/znc/znc/issues/1459

https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.cpp

https://ssl.icu-project.org/trac/changeset/40714

https://ssl.icu-project.org/trac/changeset/40715

https://ssl.icu-project.org/trac/ticket/13490

https://ssl.icu-project.org/trac/ticket/13510

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://github.com/znc/znc/issues/1459

https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.cpp

https://ssl.icu-project.org/trac/changeset/40714

https://ssl.icu-project.org/trac/changeset/40715

https://ssl.icu-project.org/trac/ticket/13490

https://ssl.icu-project.org/trac/ticket/13510

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html