CVE-2023-39949: Improper validation of sequence numbers leading to remotely reachable assertion failure
First published: Fri Aug 11 2023(Updated: )
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/fastdds | <2.10.1+ | 2.10.1+ |
| ubuntu/fastdds | <2.5.0+ | 2.5.0+ |
| ubuntu/fastdds | <2.9.1+ | 2.9.1+ |
| eprosima Fast DDS | >=2.6.0<2.6.5 | |
| eprosima Fast DDS | =2.9.0 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| >=2.6.0<2.6.5 | ||
| =2.9.0 | ||
| =11.0 | ||
| =12.0 | ||
| debian/fastdds | 2.1.0+ds-9+deb11u1 2.9.1+ds-1+deb12u2 2.11.2+ds-6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/eProsima/Fast-DDS/blob/v2.9.0/src/cpp/rtps/messages/MessageReceiver.cpp#L1059
- https://github.com/eProsima/Fast-DDS/issues/3236
- https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-3jv9-j9x3-95cg
- https://www.debian.org/security/2023/dsa-5481
- https://launchpad.net/bugs/cve/CVE-2023-39949
- https://github.com/eProsima/Fast-DDS/commit/3aa3ee0259deaebe3d578e0ec200947bdfe7d06f
- https://github.com/eProsima/Fast-DDS/commit/6bc2f8048eb9760dcbd148bdb73492e58da8eb1e
- https://security-tracker.debian.org/tracker/CVE-2023-39949
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39949
- https://ubuntu.com/security/notices/USN-6306-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-39949
- https://ubuntu.com/security/CVE-2023-39949
Frequently Asked Questions
What is CVE-2023-39949?
CVE-2023-39949 is a vulnerability in eprosima Fast DDS that allows for remotely reachable assertion failure, leading to a process crash.
Which versions of eprosima Fast DDS are affected by CVE-2023-39949?
Versions 2.6.0 to 2.6.5 and version 2.9.0 of eprosima Fast DDS are affected by CVE-2023-39949.
How severe is CVE-2023-39949?
CVE-2023-39949 has a severity rating of 7.5, making it a high severity vulnerability.
How can I fix CVE-2023-39949?
To fix CVE-2023-39949, update to version 2.9.1+ of eprosima Fast DDS or apply the relevant patches provided by eprosima.
Where can I find more information about CVE-2023-39949?
More information about CVE-2023-39949 can be found in the following references: [GitHub Issue](https://github.com/eProsima/Fast-DDS/issues/3236), [GitHub Advisory](https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-3jv9-j9x3-95cg)
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/softwarecombine
- agent/references
- agent/author
- agent/weakness
- agent/description
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/title
- agent/event
- agent/tags
- vendor/eprosima
- canonical/eprosima fast dds
- version/eprosima fast dds/2.6.0
- version/eprosima fast dds/2.9.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- version/debian debian linux/12.0
- package-manager/ubuntu
- package-manager/debian