CVE-2022-37434: Buffer Overflow
First published: Fri Aug 05 2022(Updated: )
A security vulnerability was found in zlib. The flaw triggered a heap-based buffer in inflate in the inflate.c function via a large gzip header extra field. This flaw is only applicable in the call inflateGetHeader.
Credit: Evgeny Legerov Evgeny Legerov cve@mitre.org cve@mitre.org Evgeny Legerov Evgeny Legerov Evgeny Legerov Evgeny Legerov Evgeny Legerov Evgeny Legerov Evgeny Legerov Evgeny Legerov Evgeny Legerov Evgeny Legerov cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/zlib | <0:1.2.7-21.el7_9 | 0:1.2.7-21.el7_9 |
| redhat/zlib | <0:1.2.11-19.el8_6 | 0:1.2.11-19.el8_6 |
| redhat/rsync | <0:3.1.3-19.el8 | 0:3.1.3-19.el8 |
| redhat/zlib | <0:1.2.11-32.el9_0 | 0:1.2.11-32.el9_0 |
| redhat/rsync | <0:3.2.3-18.el9 | 0:3.2.3-18.el9 |
| debian/zlib | <=1:1.2.11.dfsg-1<=1:1.2.11.dfsg-4<=1:1.2.11.dfsg-2+deb11u1 | 1:1.2.11.dfsg-4.1 1:1.2.11.dfsg-2+deb11u2 |
| Apple watchOS | <9.1 | 9.1 |
| Apple iOS | <16.1 | 16.1 |
| Apple iPadOS | <16 | 16 |
| Apple macOS Big Sur | <11.7.1 | 11.7.1 |
| Apple macOS Monterey | <12.6.1 | 12.6.1 |
| Apple iOS | <15.7.1 | 15.7.1 |
| Apple iPadOS | <15.7.1 | 15.7.1 |
| Zlib Zlib | <=1.2.12 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Debian Debian Linux | =10.0 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| Netapp Hci | ||
| Netapp Management Services For Element Software | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp ONTAP Select Deploy administration utility | ||
| Netapp Storagegrid | ||
| Netapp Hci Compute Node | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| Apple iPadOS | <15.7.1 | |
| Apple iPhone OS | <15.7.1 | |
| Apple iPhone OS | >=16.0<16.1 | |
| Apple macOS | >=11.0<11.7.1 | |
| Apple macOS | >=12.0.0<12.6.1 | |
| Apple watchOS | <9.1 | |
| Stormshield Stormshield Network Security | >=3.7.31<3.7.34 | |
| Stormshield Stormshield Network Security | >=3.11.0<3.11.22 | |
| Stormshield Stormshield Network Security | >=4.3.0<4.3.16 | |
| Stormshield Stormshield Network Security | >=4.6.0<4.6.3 | |
| All of | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| All of | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| All of | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| Apple macOS Ventura | <13 | 13 |
| debian/libz-mingw-w64 | <=1.2.11+dfsg-2 | 1.2.13+dfsg-1 1.3.1+dfsg-1 |
| debian/zlib | 1:1.2.11.dfsg-2+deb11u2 1:1.2.13.dfsg-1 1:1.3.dfsg+really1.3.1-1 | |
| IBM Security Guardium | <=11.3 | |
| IBM Security Guardium | <=11.4 | |
| IBM Security Guardium | <=11.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-37434 https://nvd.nist.gov/vuln/detail/CVE-2022-37434
- https://bugzilla.redhat.com/show_bug.cgi?id=2116639
- https://access.redhat.com/errata/RHSA-2023:1095
- https://access.redhat.com/errata/RHSA-2022:7106
- https://access.redhat.com/errata/RHSA-2022:7793
- https://access.redhat.com/errata/RHSA-2022:7314
- https://access.redhat.com/errata/RHSA-2022:8291
- https://access.redhat.com/errata/RHSA-2022:8841
- https://access.redhat.com/security/cve/cve-2022-37434
- https://security-tracker.debian.org/tracker/CVE-2022-37434
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
- https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
- https://github.com/ivd38/zlib_overflow
- https://github.com/curl/curl/issues/9271
- https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016710
- https://support.apple.com/en-us/HT213491 (Advisory)
- https://support.apple.com/en-us/HT213489 (Advisory)
- https://support.apple.com/en-us/HT213493 (Advisory)
- https://support.apple.com/en-us/HT213494 (Advisory)
- https://support.apple.com/en-us/HT213490 (Advisory)
- https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063
- https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764
- http://seclists.org/fulldisclosure/2022/Oct/37
- http://seclists.org/fulldisclosure/2022/Oct/38
- http://seclists.org/fulldisclosure/2022/Oct/41
- http://seclists.org/fulldisclosure/2022/Oct/42
- https://www.debian.org/security/2022/dsa-5218
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/
- https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html
- http://www.openwall.com/lists/oss-security/2022/08/05/2
- http://www.openwall.com/lists/oss-security/2022/08/09/1
- https://security.netapp.com/advisory/ntap-20220901-0005/
- https://support.apple.com/kb/HT213488
- https://support.apple.com/kb/HT213489
- https://support.apple.com/kb/HT213490
- https://support.apple.com/kb/HT213491
- https://support.apple.com/kb/HT213493
- https://support.apple.com/kb/HT213494
- https://security.netapp.com/advisory/ntap-20230427-0007/
- https://launchpad.net/bugs/cve/CVE-2022-37434
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116653
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116655
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116656
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116660
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116657
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116661
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116658
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116662
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116659
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2116663
- https://github.com/backuppc/backuppc/issues/478
- https://access.redhat.com/errata/RHSA-2024:0254
- https://support.apple.com/en-us/HT213488 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/232849
- https://www.ibm.com/support/pages/node/7007815 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-37434
- https://ubuntu.com/security/CVE-2022-37434
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2022-42825
- CVE-2022-32932
- CVE-2022-42798
- CVE-2022-32940
- CVE-2022-42813
- CVE-2022-32947
- CVE-2022-46712
- CVE-2022-32924
- CVE-2022-42808
- CVE-2022-32944
- CVE-2022-42803
- CVE-2022-32926
- CVE-2022-42801
- CVE-2022-42817
- CVE-2022-42811
- CVE-2022-42799
- CVE-2022-42823
- CVE-2022-42824
- CVE-2022-32923
- CVE-2022-37434
- CVE-2022-42800
- CVE-2022-32909
- CVE-2022-32929
- CVE-2022-32945
- CVE-2022-32946
- CVE-2022-32935
- CVE-2022-32939
- CVE-2022-42820
- CVE-2022-42806
- CVE-2022-42827
- CVE-2022-42810
- CVE-2022-46715
- CVE-2022-42828
- CVE-2022-32941
- CVE-2022-42829
- CVE-2022-42830
- CVE-2022-42831
- CVE-2022-42832
- CVE-2022-32938
- CVE-2022-42792
- CVE-2022-42826
- CVE-2022-32922
- CVE-2022-32927
- CVE-2022-42860
- CVE-2022-46723
- CVE-2022-46713
- CVE-2022-28739
- CVE-2022-32862
- CVE-2022-32949
- CVE-2022-42795
- CVE-2022-48577
- CVE-2022-32858
- CVE-2022-32898
- CVE-2022-32899
- CVE-2022-46721
- CVE-2022-47915
- CVE-2022-47965
- CVE-2022-32889
- CVE-2022-32907
- CVE-2022-32827
- CVE-2022-32877
- CVE-2022-42789
- CVE-2022-46722
- CVE-2022-32902
- CVE-2022-32904
- CVE-2022-32890
- CVE-2022-42796
- CVE-2022-42816
- CVE-2022-42821
- CVE-2022-42819
- CVE-2022-26730
- CVE-2022-42838
- CVE-2022-48683
- CVE-2022-22663
- CVE-2022-32867
- CVE-2022-32205
- CVE-2022-32206
- CVE-2022-32207
- CVE-2022-32208
- CVE-2022-42814
- CVE-2022-32865
- CVE-2022-32915
- CVE-2022-32928
- CVE-2022-22643
- CVE-2022-42788
- CVE-2022-48504
- CVE-2022-32905
- CVE-2022-42833
- CVE-2022-42809
- CVE-2022-3437
- CVE-2022-32849
- CVE-2022-32913
- CVE-2022-32809
- CVE-2022-1622
- CVE-2022-32936
- CVE-2022-32864
- CVE-2022-32866
- CVE-2022-32911
- CVE-2022-32914
- CVE-2022-42815
- CVE-2022-42834
- CVE-2022-46707
- CVE-2022-32883
- CVE-2022-32908
- CVE-2021-39537
- CVE-2022-29458
- CVE-2022-42818
- CVE-2022-32879
- CVE-2022-32895
- CVE-2022-42807
- CVE-2022-32918
- CVE-2022-32881
- CVE-2022-32931
- CVE-2022-42793
- CVE-2022-32876
- CVE-2022-42790
- CVE-2022-32870
- CVE-2022-32934
- CVE-2022-42791
- CVE-2021-36690
- CVE-2022-48505
- CVE-2022-26699
- CVE-2022-0261
- CVE-2022-0318
- CVE-2022-0319
- CVE-2022-0351
- CVE-2022-0359
- CVE-2022-0361
- CVE-2022-0368
- CVE-2022-0392
- CVE-2022-0554
- CVE-2022-0572
- CVE-2022-0629
- CVE-2022-0685
- CVE-2022-0696
- CVE-2022-0714
- CVE-2022-0729
- CVE-2022-0943
- CVE-2022-1381
- CVE-2022-1420
- CVE-2022-1725
- CVE-2022-1616
- CVE-2022-1619
- CVE-2022-1620
- CVE-2022-1621
- CVE-2022-1629
- CVE-2022-1674
- CVE-2022-1733
- CVE-2022-1735
- CVE-2022-1769
- CVE-2022-1927
- CVE-2022-1942
- CVE-2022-1968
- CVE-2022-1851
- CVE-2022-1897
- CVE-2022-1898
- CVE-2022-1720
- CVE-2022-2000
- CVE-2022-2042
- CVE-2022-2124
- CVE-2022-2125
- CVE-2022-2126
- CVE-2022-32875
- CVE-2022-32886
- CVE-2022-32888
- CVE-2022-32912
- CVE-2022-32892
- CVE-2022-32833
- CVE-2022-46709
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-37434.
What is the severity of CVE-2022-37434?
The severity of CVE-2022-37434 is critical with a severity value of 9.8.
Which software versions are affected by CVE-2022-37434?
Software versions including Zlib Zlib up to and including 1.2.12, Apple macOS Monterey up to and including 12.6.1, Apple iOS up to and including 16.1, Apple iPadOS up to and including 16, Apple watchOS up to and including 9.1, Redhat zlib up to and including 1.2.7-21.el7_9 and 1.2.11-19.el8_6, Redhat rsync up to and including 3.1.3-19.el8 and 3.2.3-18.el9, Fedora up to and including version 37, Debian Debian Linux up to and including 10.0, Stormshield Stormshield Network Security up to and including 4.6.3, and IBM Security Guardium up to and including 11.3 are affected by CVE-2022-37434.
How can I fix CVE-2022-37434?
To fix CVE-2022-37434, update to the following versions: Zlib Zlib 1.2.12 or later, Apple macOS Monterey 12.6.1 or later, Apple iOS 16.1 or later, Apple iPadOS 16 or later, Apple watchOS 9.1 or later, Redhat zlib 1.2.7-21.el7_9 or 1.2.11-19.el8_6, Redhat rsync 3.1.3-19.el8 or 3.2.3-18.el9, Fedora 38 or later, Debian Debian Linux 10.1 or later, Stormshield Stormshield Network Security 4.6.4 or later, and IBM Security Guardium 12 or later.
Are there any references available for more information about CVE-2022-37434?
Yes, you can find more information about CVE-2022-37434 at the following references: [Link 1](https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764), [Link 2](https://github.com/ivd38/zlib_overflow), [Link 3](https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1).
- collector/redhat-cve
- collector/debian-bugs
- alias/CVE-2022-37434
- agent/first-publish-date
- agent/type
- collector/apple-support
- alias/CVE-2022-42800
- agent/software-canonical-lookup-request
- agent/severity
- source/Apple
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/description
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- collector/nvd-index
- collector/nvd-api
- collector/nvd-cve
- source/NVD
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/tags
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- package-manager/debian
- vendor/apple
- canonical/apple watchos
- canonical/apple ios
- canonical/apple ipados
- canonical/apple macos big sur
- canonical/apple macos monterey
- vendor/zlib
- canonical/zlib zlib
- version/zlib zlib/1.2.12
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp hci
- canonical/netapp management services for element software
- canonical/netapp oncommand workflow automation
- canonical/netapp ontap select deploy administration utility
- canonical/netapp storagegrid
- canonical/netapp hci compute node
- canonical/netapp h300s firmware
- canonical/netapp h300s
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h700s firmware
- canonical/netapp h700s
- canonical/apple iphone os
- version/apple iphone os/16.0
- canonical/apple macos
- version/apple macos/11.0
- version/apple macos/12.0.0
- vendor/stormshield
- canonical/stormshield stormshield network security
- version/stormshield stormshield network security/3.7.31
- version/stormshield stormshield network security/3.11.0
- version/stormshield stormshield network security/4.3.0
- version/stormshield stormshield network security/4.6.0
- canonical/apple macos ventura
- vendor/ibm
- canonical/ibm security guardium
- version/ibm security guardium/11.3
- version/ibm security guardium/11.4
- version/ibm security guardium/11.5