JVNVU#90121984
Multiple vulnerabilities in OMRON CX-Programmer

Overview

OMRON CX-Programmer contains multiple vulnerabilities.

Products Affected

• CX-Programmer v9.76.1 and earlier which is a part of CX-One (v4.60) suite

Description

CX-Programmer provided by OMRON Corporation contains multiple vulnerabilities listed below.

• Out-of-bounds Write (CWE-787) - CVE-2022-21124

  CVSS v3

  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  Base Score: 7.8

• Use After Free (CWE-416) - CVE-2022-25230

  CVSS v3

  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  Base Score: 7.8

• Use After Free (CWE-416) - CVE-2022-25325

  CVSS v3

  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  Base Score: 7.8

• Out-of-bounds Read (CWE-125) - CVE-2022-21219

  CVSS v3

  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  Base Score: 7.8

• Out-of-bounds Write (CWE-787) - CVE-2022-25234

  CVSS v3

  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

  Base Score: 7.8

Impact

By having a user to open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.

Solution

Update the Software
Update for CX-One suite is applied by its Auto Update function, therefore it is not necessary for the users to take any actions.
The developer recommends the users to contact the developer and/or the sales representatives if there are any issues with Auto Update.
The version that contains the fix for this vulnerability is as follows.

• CX-Programmer Ver.9.77