CVE-2022-37434
05.08.2022, 07:15
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| zlib | zlib | 𝑥 ≤ 1.2.12 |
| debian | debian_linux | 10.0 |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | hci | - |
| netapp | management_services_for_element_software | - |
| netapp | oncommand_workflow_automation | - |
| netapp | ontap_select_deploy_administration_utility | - |
| netapp | storagegrid | - |
| netapp | hci_compute_node | - |
| netapp | h300s_firmware | - |
| netapp | h500s_firmware | - |
| netapp | h700s_firmware | - |
| netapp | h700s_firmware | - |
| apple | ipados | 𝑥 < 15.7.1 |
| apple | iphone_os | 𝑥 < 15.7.1 |
| apple | iphone_os | 16.0 ≤ 𝑥 < 16.1 |
| apple | macos | 11.0 ≤ 𝑥 < 11.7.1 |
| apple | macos | 12.0.0 ≤ 𝑥 < 12.6.1 |
| apple | watchos | 𝑥 < 9.1 |
| stormshield | stormshield_network_security | 3.7.31 ≤ 𝑥 < 3.7.34 |
| stormshield | stormshield_network_security | 3.11.0 ≤ 𝑥 < 3.11.22 |
| stormshield | stormshield_network_security | 4.3.0 ≤ 𝑥 < 4.3.16 |
| stormshield | stormshield_network_security | 4.6.0 ≤ 𝑥 < 4.6.3 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| Siemens | CADRA | 𝑥 < V2511 | ADP |
| Siemens | RUGGEDCOM ROX MX5000 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX MX5000RE | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX1400 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX1500 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX1501 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX1510 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX1511 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX1512 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX1524 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX1536 | 𝑥 < V2.17.0 | ADP |
| Siemens | RUGGEDCOM ROX RX5000 | 𝑥 < V2.17.0 | ADP |
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | V3.1.0 ≤ 𝑥 < V3.1.5 | ADP |
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | V3.1.0 ≤ 𝑥 < V3.1.5 | ADP |
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | V3.1.0 ≤ 𝑥 < V3.1.5 | ADP |
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | V3.1.0 ≤ 𝑥 < V3.1.5 | ADP |
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | V3.1.0 ≤ 𝑥 < V3.1.5 | ADP |
Debian Releases
Debian Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| libz-mingw-w64 |
| ||||||||||||
| zlib |
|
Ubuntu Releases
Ubuntu Product | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| klibc |
| ||||||||||||||||
| rsync |
| ||||||||||||||||
| zlib |
|
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| libminizip1 |
| ||||||||||||||||||||||||||||||||||||||||||
| libz1 |
| ||||||||||||||||||||||||||||||||||||||||||
| libz1-32bit |
| ||||||||||||||||||||||||||||||||||||||||||
| minizip-devel |
| ||||||||||||||||||||||||||||||||||||||||||
| rsync |
| ||||||||||||||||||||||||||||||||||||||||||
| zlib-devel |
| ||||||||||||||||||||||||||||||||||||||||||
| zlib-devel-32bit |
| ||||||||||||||||||||||||||||||||||||||||||
| zlib-devel-static |
| ||||||||||||||||||||||||||||||||||||||||||
| zlib-devel-static-32bit |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| minizip |
| ||||||||||||||
| minizip-devel |
| ||||||||||||||
| rsync |
| ||||||||||||||
| rsync-daemon |
| ||||||||||||||
| zlib |
| ||||||||||||||
| zlib-devel |
| ||||||||||||||
| zlib-static |
|
Amazon Linux Releases
Amazon Package | |||||||
|---|---|---|---|---|---|---|---|
| minizip |
| ||||||
| minizip-compat |
| ||||||
| minizip-compat-debuginfo |
| ||||||
| minizip-compat-devel |
| ||||||
| minizip-devel |
| ||||||
| rsync |
| ||||||
| rsync-daemon |
| ||||||
| rsync-debuginfo |
| ||||||
| rsync-debugsource |
| ||||||
| zlib |
| ||||||
| zlib-debuginfo |
| ||||||
| zlib-debugsource |
| ||||||
| zlib-devel |
| ||||||
| zlib-static |
|
Azure Linux Releases
Common Weakness Enumeration
- CWE-787 - Out-of-bounds WriteThe software writes data past the end, or before the beginning, of the intended buffer.
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
References