5.26. Vulnerabilities

The following vulnerabilities are fixed in this release.

See also RTI Connext Security Bulletins and Advisories for a complete list of vulnerabilities in RTI releases that have been published through the CVE® Program. That list may be more up-to-date.

5.26.1. [Critical] Potential invalid read memory access in Connext applications during endpoint discovery

An invalid read memory access in Connext applications could have occurred while discovering a DataWriter or DataReader.

User Impact without Security

A vulnerability in Connext applications while discovering a DataWriter or DataReader could have resulted in the following:

User Impact with Security

There is no impact when enabling certain Security features; see Mitigations for more information.

Mitigations

Use Security Plugins RTPS protection, discovery protection, or RTPS PSK protection.

[RTI Issue ID CORE-15789]

5.26.2. [Critical] Potential invalid read memory access in Connext applications when subscribing to PublicationBuiltinTopicData *

An invalid read memory access in Connext applications could have occurred after calling DDS_Subscriber_lookup_datareader to retrieve the builtin publication information and then discovering a DataWriter.

User Impact without Security

A vulnerability in Connext applications while discovering a DataWriter could have resulted in the following:

User Impact with Security

There is no impact when enabling certain Security features; see Mitigations for more information.

Mitigations

  • Use Security Plugins RTPS protection, discovery protection, or RTPS PSK protection.

  • Set verbosity to NDDS_CONFIG_LOG_VERBOSITY_WARNING or higher for the NDDS_CONFIG_LOG_CATEGORY_API category.
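The "RTPS protection" and "discovery protection" mitigations listed for 5.26.1 and 5.26.2 are enabled through the DDS Security governance document. The following is an added example, not a file shipped by RTI; it assumes a single domain (id 0) and a catch-all topic rule, and omits the optional schema location.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example governance document (not RTI's own). Assumes domain 0
     and one topic rule matching every topic; adjust to your deployment. -->
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id_range>
          <min>0</min>
          <max>0</max>
        </id_range>
      </domains>
      <!-- Reject DomainParticipants that cannot authenticate -->
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <!-- Discovery protection: endpoint discovery traffic is encrypted
           and integrity-protected for topics that opt in below -->
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <!-- RTPS protection: every RTPS message on the domain is encrypted -->
      <rtps_protection_kind>ENCRYPT</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>*</topic_expression>
          <!-- Per-topic opt-in so the domain-level discovery protection applies -->
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```

A governance document only takes effect once it is signed by the Permissions CA and referenced from the participant's Security Plugins properties; those steps are not shown here.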

[RTI Issue ID CORE-15730]

5.26.3. [Critical] Potential heap buffer read overflow in Connext applications when using a malicious license string

An out-of-bounds read on the heap could have occurred while parsing the value of a malicious license string property (e.g., dds.license.license_string).

User Impact without Security

A vulnerability in the Connext application could have resulted in the following:

User Impact with Security

Same impact as described in “User Impact without Security” above.

[RTI Issue ID CORE-15693]

5.26.4. [Critical] Potential stack buffer write overflow in license-managed Core Libraries when setting RTI_LICENSE_FILE environment variable

The stack may have been corrupted while loading the RTI_LICENSE_FILE environment variable.

User Impact without Security

This vulnerability could have caused the following on any application loading the license information through the RTI_LICENSE_FILE environment variable:

User Impact with Security

Same impact as described in “User Impact without Security” above.

[RTI Issue ID CORE-15310]

5.26.5. [Critical] Potential buffer write overflow in Connext applications while parsing malicious license file

An out-of-bounds write on the heap could occur while parsing a malicious license file.

User Impact without Security

A vulnerability in the Connext application could have resulted in the following:

User Impact with Security

Same impact as described in “User Impact without Security” above.

[RTI Issue ID CORE-15145]

5.26.6. [Critical] Potential integer overflow in Connext applications on 32-bit systems when parsing XML files with a very large number of default attributes or levels of nesting

The Core Libraries XML parser had a third-party dependency on Expat version 2.6.2, which is known to be affected by a number of publicly disclosed vulnerabilities. These vulnerabilities have been fixed by upgrading Expat to the latest stable version, 2.6.3. See the “What’s New” section in this document for more details.

The impact on Connext applications of using the previous version varied depending on your Connext application configuration:

User Impact without Security

  • Exploitable through a compromised local file system containing malicious XML/DTD files.

  • Remotely exploitable through malicious RTPS messages.

  • If exploited, impact ranged from denial of service to potentially arbitrary code execution.

  • CVSS v3.1 Score: 9.8 CRITICAL

  • CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

User Impact with Security

  • Exploitable through a compromised local file system containing malicious XML/DTD files.

  • If exploited, impact ranged from denial of service to potentially arbitrary code execution.

  • CVSS v3.1 Score: 8.4 HIGH

  • CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

[RTI Issue ID CORE-15121]

5.26.7. [Critical] Potential stack buffer write overflow in Connext applications while parsing malicious license file

An out-of-bounds write on the stack could occur while parsing a malicious license file.

User Impact without Security

A vulnerability in the Connext application could have resulted in the following:

User Impact with Security

Same impact as described in “User Impact without Security” above.

[RTI Issue ID CORE-14875]

5.26.8. [Critical] Potential stack buffer write overflow in Connext applications while parsing malicious XML types document (1)

An out-of-bounds write on the stack could have occurred while parsing a malicious XML types document.

User Impact without Security

A vulnerability in the Core Libraries affected all products that load types via XML, and could have resulted in the following:

User Impact with Security

Same impact as described in “User Impact without Security” above.

[RTI Issue ID CORE-14872]

5.26.9. [Critical] Potential stack buffer write overflow in Connext applications while parsing malicious XML types document (2)

An out-of-bounds write on the stack could have occurred while parsing a malicious XML types document.

User Impact without Security

A vulnerability in the Core Libraries affected all products that load types via XML, and could have resulted in the following:

  • Stack buffer overflow while parsing a malicious XML types document.

  • Exploitable by changing an XML configuration file on the file system.

  • Potential impact on the integrity of the application(s) using the XML types document. Such applications could include Routing Service.

  • Potential crash in the application.

  • In the case of Routing Service, the vulnerability could potentially have been triggered through the remote administration “load” command, but a successful attack would have required a malicious XML include file to already exist in the system, so the “Attack Vector” score is still “Local”.

  • CVSS v3.1 Base Score: 7.1 HIGH

  • CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

  • CVSS v4.0 Base Score: 6.9 MEDIUM

  • CVSS v4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

User Impact with Security

Same impact as described in “User Impact without Security” above.

[RTI Issue ID CORE-14871]

5.26.10. [Critical] Potential stack buffer overflow in Connext applications when parsing an XML type

The stack may have been corrupted when parsing an XML type.

User Impact without Security

This vulnerability could have caused the following on any application using XML types:

User Impact with Security

This vulnerability could have caused the following on any application using XML types:

[RTI Issue ID CORE-14870]

5.26.11. [Critical] Potential unauthorized access to instance information in Connext applications *

An unauthorized access to instance information in Connext applications could have occurred while setting DDS_ReliabilityQosPolicy::instance_state_consistency_kind to DDS_RECOVER_INSTANCE_STATE_CONSISTENCY on a DataReader.

User Impact without Security

A vulnerability in Connext applications while enabling instance state consistency on a DataReader could have resulted in the following:

User Impact with Security

A vulnerability in Connext applications while enabling instance state consistency on a DataReader could have resulted in the following:

[RTI Issue ID CORE-16119]



* This bug did not affect you if you are upgrading from 6.1.x or earlier.