CVE-2017-9765: Integer Overflow
First published: Wed Jul 19 2017(Updated: )
A buffer overflow can cause an open unsecured server to crash after 2GB (greater than 2147483711 bytes to trigger the software bug)) XML message is received. Fortunately, the overflowing data after 2GB is cleaned up in the buffer which means that the chances of exploiting this flaw (by injecting code) is significantly reduced in gSOAP versions affected. References: <a href="https://www.genivia.com/advisory.html">https://www.genivia.com/advisory.html</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/gsoap | <2.8.48 | 2.8.48 |
| Genivia gSOAP | =2.7.0 | |
| Genivia gSOAP | =2.7.1 | |
| Genivia gSOAP | =2.7.2 | |
| Genivia gSOAP | =2.7.3 | |
| Genivia gSOAP | =2.7.4 | |
| Genivia gSOAP | =2.7.5 | |
| Genivia gSOAP | =2.7.6 | |
| Genivia gSOAP | =2.7.7 | |
| Genivia gSOAP | =2.7.8 | |
| Genivia gSOAP | =2.7.9 | |
| Genivia gSOAP | =2.7.10 | |
| Genivia gSOAP | =2.7.11 | |
| Genivia gSOAP | =2.7.12 | |
| Genivia gSOAP | =2.7.13 | |
| Genivia gSOAP | =2.7.14 | |
| Genivia gSOAP | =2.7.15 | |
| Genivia gSOAP | =2.7.16 | |
| Genivia gSOAP | =2.7.17 | |
| Genivia gSOAP | =2.8.0 | |
| Genivia gSOAP | =2.8.1 | |
| Genivia gSOAP | =2.8.2 | |
| Genivia gSOAP | =2.8.3 | |
| Genivia gSOAP | =2.8.4 | |
| Genivia gSOAP | =2.8.5 | |
| Genivia gSOAP | =2.8.6 | |
| Genivia gSOAP | =2.8.7 | |
| Genivia gSOAP | =2.8.8 | |
| Genivia gSOAP | =2.8.9 | |
| Genivia gSOAP | =2.8.10 | |
| Genivia gSOAP | =2.8.11 | |
| Genivia gSOAP | =2.8.12 | |
| Genivia gSOAP | =2.8.13 | |
| Genivia gSOAP | =2.8.14 | |
| Genivia gSOAP | =2.8.15 | |
| Genivia gSOAP | =2.8.16 | |
| Genivia gSOAP | =2.8.17 | |
| Genivia gSOAP | =2.8.18 | |
| Genivia gSOAP | =2.8.19 | |
| Genivia gSOAP | =2.8.20 | |
| Genivia gSOAP | =2.8.21 | |
| Genivia gSOAP | =2.8.22 | |
| Genivia gSOAP | =2.8.23 | |
| Genivia gSOAP | =2.8.24 | |
| Genivia gSOAP | =2.8.25 | |
| Genivia gSOAP | =2.8.26 | |
| Genivia gSOAP | =2.8.27 | |
| Genivia gSOAP | =2.8.28 | |
| Genivia gSOAP | =2.8.29 | |
| Genivia gSOAP | =2.8.30 | |
| Genivia gSOAP | =2.8.31 | |
| Genivia gSOAP | =2.8.32 | |
| Genivia gSOAP | =2.8.33 | |
| Genivia gSOAP | =2.8.34 | |
| Genivia gSOAP | =2.8.35 | |
| Genivia gSOAP | =2.8.36 | |
| Genivia gSOAP | =2.8.37 | |
| Genivia gSOAP | =2.8.38 | |
| Genivia gSOAP | =2.8.39 | |
| Genivia gSOAP | =2.8.40 | |
| Genivia gSOAP | =2.8.41 | |
| Genivia gSOAP | =2.8.42 | |
| Genivia gSOAP | =2.8.43 | |
| Genivia gSOAP | =2.8.44 | |
| Genivia gSOAP | =2.8.45 | |
| Genivia gSOAP | =2.8.46 | |
| Genivia gSOAP | =2.8.47 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.genivia.com/advisory.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1472808
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1472809
- http://seclists.org/oss-sec/2017/q3/190
- https://bugzilla.redhat.com/show_bug.cgi?id=1472807
- http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
- http://blog.senr.io/devilsivy.html
- http://www.securityfocus.com/bid/99868
- https://bugzilla.suse.com/show_bug.cgi?id=1049348
- https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_%28June_21,_2017%29
- https://www.genivia.com/changelog.html#Version_2.8.48_upd_%2806/21/2017%29
- https://www.genivia.com/advisory.html#Security_advisory:_CVE-2017-9765_bug_in_certain_versions_of_gSOAP_2.7_up_to_2.8.47_%28June_21%2C_2017%29
Frequently Asked Questions
What is the severity of CVE-2017-9765?
CVE-2017-9765 is classified as a moderate severity vulnerability due to the potential for a buffer overflow that could lead to a crash of the affected server.
How do I fix CVE-2017-9765?
To mitigate CVE-2017-9765, upgrade to gSOAP version 2.8.48 or later.
Which software versions are affected by CVE-2017-9765?
CVE-2017-9765 affects gSOAP versions 2.7.0 through 2.8.47.
Can CVE-2017-9765 be exploited remotely?
While CVE-2017-9765 shows a potential for exploitation, the buffer overflow is unlikely to be exploitable due to data cleanup after exceeding 2GB.
What type of vulnerability is CVE-2017-9765?
CVE-2017-9765 is a buffer overflow vulnerability caused by the handling of large XML messages in gSOAP.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-9765
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/genivia
- canonical/genivia gsoap
- version/genivia gsoap/2.7.0
- version/genivia gsoap/2.7.1
- version/genivia gsoap/2.7.2
- version/genivia gsoap/2.7.3
- version/genivia gsoap/2.7.4
- version/genivia gsoap/2.7.5
- version/genivia gsoap/2.7.6
- version/genivia gsoap/2.7.7
- version/genivia gsoap/2.7.8
- version/genivia gsoap/2.7.9
- version/genivia gsoap/2.7.10
- version/genivia gsoap/2.7.11
- version/genivia gsoap/2.7.12
- version/genivia gsoap/2.7.13
- version/genivia gsoap/2.7.14
- version/genivia gsoap/2.7.15
- version/genivia gsoap/2.7.16
- version/genivia gsoap/2.7.17
- version/genivia gsoap/2.8.0
- version/genivia gsoap/2.8.1
- version/genivia gsoap/2.8.2
- version/genivia gsoap/2.8.3
- version/genivia gsoap/2.8.4
- version/genivia gsoap/2.8.5
- version/genivia gsoap/2.8.6
- version/genivia gsoap/2.8.7
- version/genivia gsoap/2.8.8
- version/genivia gsoap/2.8.9
- version/genivia gsoap/2.8.10
- version/genivia gsoap/2.8.11
- version/genivia gsoap/2.8.12
- version/genivia gsoap/2.8.13
- version/genivia gsoap/2.8.14
- version/genivia gsoap/2.8.15
- version/genivia gsoap/2.8.16
- version/genivia gsoap/2.8.17
- version/genivia gsoap/2.8.18
- version/genivia gsoap/2.8.19
- version/genivia gsoap/2.8.20
- version/genivia gsoap/2.8.21
- version/genivia gsoap/2.8.22
- version/genivia gsoap/2.8.23
- version/genivia gsoap/2.8.24
- version/genivia gsoap/2.8.25
- version/genivia gsoap/2.8.26
- version/genivia gsoap/2.8.27
- version/genivia gsoap/2.8.28
- version/genivia gsoap/2.8.29
- version/genivia gsoap/2.8.30
- version/genivia gsoap/2.8.31
- version/genivia gsoap/2.8.32
- version/genivia gsoap/2.8.33
- version/genivia gsoap/2.8.34
- version/genivia gsoap/2.8.35
- version/genivia gsoap/2.8.36
- version/genivia gsoap/2.8.37
- version/genivia gsoap/2.8.38
- version/genivia gsoap/2.8.39
- version/genivia gsoap/2.8.40
- version/genivia gsoap/2.8.41
- version/genivia gsoap/2.8.42
- version/genivia gsoap/2.8.43
- version/genivia gsoap/2.8.44
- version/genivia gsoap/2.8.45
- version/genivia gsoap/2.8.46
- version/genivia gsoap/2.8.47
- package-manager/redhat