First published: Thu May 05 2022
Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition in the XML parser, which may allow an attacker to write arbitrary values.
Credit: ics-cert@hq.dhs.gov
Vendors named in the advisory: Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), TwinOaks Computing.

Affected Software | Affected Version | How to fix |
---|---|---|
Eclipse CycloneDDS | <0.8.0 | 0.8.0 |
| <2.4.0 | 2.4.0 |
| <3.18.1 | 3.18.1 |
Real-Time Innovations (RTI) Connext DDS Professional and Connext DDS Secure | 4.2x to 6.1.0 | |
RTI Connext DDS Micro | >=3.0.0 | |
TwinOaks Computing CoreDX DDS | <5.9.1 | 5.9.1 |
Eclipse recommends users apply the latest CycloneDDS patches. https://projects.eclipse.org/projects/iot.cyclonedds
The vulnerability ID for Eclipse CycloneDDS is CVE-2021-38441.
CVE-2021-38441 is rated critical, with a severity score of 9.8.
Versions of Eclipse CycloneDDS prior to 0.8.0 are affected by CVE-2021-38441.
CVE-2021-38441 allows an attacker to write arbitrary values in the XML parser, which can lead to unauthorized modification of data.
To mitigate the vulnerability in Eclipse CycloneDDS, it is recommended to update to version 0.8.0 or later.