{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2023-1709", "ASSIGNER": "ics-cert@hq.dhs.gov", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "\nDatalogics Library APDFL v18.0.4PlusP1e and prior contains a stack-based buffer overflow due to documents containing corrupted fonts, which could allow an attack that causes an unhandled crash during the rendering process.\n\n \n\n" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-121: Stack-based Buffer Overflow", "cweId": "CWE-121" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Siemens ", "product": { "product_data": [ { "product_name": "JT2Go", "version": { "version_data": [ { "version_affected": "<", "version_name": "0", "version_value": "14.2.0.2" } ] } }, { "product_name": "Teamcenter Visualization", "version": { "version_data": [ { "version_affected": "<", "version_name": "13.2", "version_value": "13.2.0.13" }, { "version_affected": "<", "version_name": "13.3", "version_value": "13.3.0.9" }, { "version_affected": "<", "version_name": "14.0", "version_value": "14.0.0.5" }, { "version_affected": "<", "version_name": "14.1", "version_value": "14.1.0.7" }, { "version_affected": "<", "version_name": "14.2", "version_value": "14.2.0.2" } ] } } ] } }, { "vendor_name": "Datalogics", "product": { "product_data": [ { "product_name": "Library APDFL", "version": { "version_data": [ { "version_affected": "<=", "version_name": "0", "version_value": "v18.0.4PlusP1e" } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-11", "refsource": "MISC", "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-11" }, { "url": "https://cert-portal.siemens.com/productcert/html/ssa-629917.html", "refsource": "MISC", "name": "https://cert-portal.siemens.com/productcert/html/ssa-629917.html" }, { 
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-164-01", "refsource": "MISC", "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-164-01" } ] }, "generator": { "engine": "Vulnogram 0.1.0-dev" }, "source": { "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risks:

\n

As a general security measure, Siemens recommends protecting \nnetwork access to devices with appropriate mechanisms. To operate the \ndevices in a protected IT environment, Siemens recommends configuring \nthe environment according to Siemens' operational guidelines for industrial security,\n and to follow the recommendations in the product manuals. Additional \ninformation on industrial security by Siemens can be found at the Siemens Industrial Security web page. \n

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT.

" } ], "value": "Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risks: \n\n\n * Avoid opening untrusted files in JT2Go and Teamcenter Visualization \n\n\n\nAs a general security measure, Siemens recommends protecting \nnetwork access to devices with appropriate mechanisms. To operate the \ndevices in a protected IT environment, Siemens recommends configuring \nthe environment according to Siemens' operational guidelines for industrial security https://www.siemens.com/cert/operational-guidelines-industrial-security ,\n and to follow the recommendations in the product manuals. Additional \ninformation on industrial security by Siemens can be found at the Siemens Industrial Security web page https://www.siemens.com/industrialsecurity . \n\n\nFor further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT https://www.siemens.com/cert/advisories .\n\n" }, { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n

Datalogics recommends that users update to APDFL v18.0.4PlusP1g. Contact Datalogics for more information on obtaining this update.

For more information, refer to Datalogics\u2019 release notes.

\n\n
" } ], "value": "Datalogics recommends users to update to APDFL v18.0.4PlusP1g. Contact Datalogics https://www.datalogics.com/datalogics-contact-us \u00a0for more information on obtaining this update.\n\nFor more information, refer to Datalogic\u2019s release notes https://dev.datalogics.com/adobe-pdf-library/release-notes-adobe-pdf-library-v-18/ .\n\n\n\n\n" } ], "solution": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n
Siemens has released updates for the affected products and recommends updating to the latest versions:
" } ], "value": "Siemens has released updates for the affected products and recommends updating to the latest versions:\n\n * JT2Go: Update to V14.2.0.2 https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html or later version\n * Teamcenter Visualization V13.2: Update to V13.2.0.13 https://support.sw.siemens.com/ \u00a0 or later version \n * Teamcenter Visualization V13.3: Update to V13.3.0.9 https://support.sw.siemens.com/ \u00a0 or later version \n * Teamcenter Visualization V14.0: Update to V14.0.0.5 https://support.sw.siemens.com/ \u00a0 or later version \n * Teamcenter Visualization V14.1: Update to V14.1.0.7 https://support.sw.siemens.com/ \u00a0 or later version \n * Teamcenter Visualization V14.2: Update to V14.2.0.2 https://support.sw.siemens.com/ \u00a0 or later version \n\n\n\n\n" } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported this vulnerability to Siemens. " } ], "impact": { "cvss": [ { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" } ] } }