Published: 2013/10/30  Last Updated: 2015/10/22

JVN#70739377
Multiple products that use International Components for Unicode (ICU) vulnerable to denial-of-service (DoS)

Overview

Multiple products that use International Components for Unicode (ICU) contain a denial-of-service (DoS) vulnerability.

Products Affected

Products that use International Components for Unicode (ICU) may be vulnerable.

For more information on vulnerable products, please refer to the "Vendor Status" section.

Description

International Components for Unicode (ICU) is a library for handling Unicode strings. It is available as a C version, ICU4C, and a Java version, ICU4J. Multiple products that use ICU4C contain a denial-of-service vulnerability due to a race condition.

In December 2012, ICU released ICU4C version 50.1.1, which addresses this vulnerability.

Impact

Impacts may vary depending on the product. In some cases, a remote attacker may cause a denial-of-service (DoS).

Solution

Apply an Update
Update to the latest version according to the information provided by the developer.

Vendor Status

| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| APC Japan, Inc. | Not Vulnerable | 2013/10/31 | |
| Cybozu, Inc. | Vulnerable | 2013/10/30 | Cybozu, Inc. website |
| Emurasoft | Not Vulnerable | 2014/08/21 | |
| NEC Corporation | Vulnerable | 2015/10/21 | |

Other Information

CVE: CVE-2013-0900
JVN iPedia: JVNDB-2013-001665

Update History

2013/10/30
Information under the section "Vendor Status" was modified.
2013/10/31
Status of APC Japan, Inc. was updated.
2014/08/21
Status of Emurasoft was updated.
2015/10/22
Status of NEC Corporation was updated.