9.4.2.13. Vulnerabilities

9.4.2.13.1. [Critical] Vulnerabilities in RTI Micro Application Generator (MAG)

This release fixes the Log4j vulnerabilities known as “Log4Shell”. You can find further details in RTI’s Security Notice 2021-12-log4j at https://community.rti.com/kb/apache-log4j-vulnerability-cve-2021-44228cve-2021-45046-impact-rti-connext-products.

RTI Micro Application Generator uses Apache Log4j version 2.17.1 in this release.

[RTI Issue ID MAG-147]

9.4.2.13.2. [Critical] Illegal memory access when failing to generate interpreter programs

Receiving malicious endpoint discovery information might have resulted (very rarely) in an arbitrary read from the thread stack.

User impact with or without security was as follows:

  • Remotely exploitable

  • Crash application

  • Potentially impacting confidentiality of Connext application

  • CVSS Base Score: 6.5 MEDIUM

  • CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

[RTI Issue ID MICRO-3219]

9.4.2.13.3. [Critical] Potential crash when receiving a malformed sample using DDS_XCDR2_DATA_REPRESENTATION

A Connext Micro application could have crashed if a DataReader received a malformed serialized sample using DDS_XCDR2_DATA_REPRESENTATION. The issue only affected appendable or mutable types.

User impact with or without security was as follows:

  • Remotely exploitable through malicious RTPS messages

  • Connext application could crash or potentially leak sensitive information

  • CVSS Base Score: 6.5 MEDIUM

  • CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

[RTI Issue ID MICRO-3118]