JVNVU#92877622
Multiple vulnerabilities in OMRON CX-Programmer
Overview
OMRON CX-Programmer contains multiple vulnerabilities.
Products Affected
CVE-2022-43508
- CX-Programmer Ver.9.77 and earlier
- CX-Programmer Ver.9.78 and earlier
- CX-Programmer Ver.9.79 and earlier
Description
CX-Programmer provided by Omron Corporation contains multiple vulnerabilities listed below.
- Use-after-free (CWE-416) - CVE-2022-43508, CVE-2023-22277, CVE-2023-22317, CVE-2023-22314
CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8 - Out-of-bounds Write (CWE-787) - CVE-2022-43509
CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8 - Stack-based Buffer Overflow (CWE-121) - CVE-2022-43667
CVSS v3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score: 7.8
Impact
By having a user to open a specially crafted CXP file, information disclosure and/or arbitrary code execution may occur.
Solution
Update the Software
Update for CX-One suite is applied by its Auto Update function, therefore it is not necessary for the users to take any actions.
The developer recommends the users to contact the developer and/or the sales representatives if there are any issues with Auto Update.
For more information, refer to the information provided by the developer.
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2022-43509 |
|
CVE-2022-43667 |
|
|
CVE-2023-22277 |
|
|
CVE-2023-22317 |
|
|
CVE-2023-22314 |
|
|
CVE-2022-43508 |
|
| JVN iPedia |
|
Update History
- 2022/12/15
- Information under the section [Products Affected] and [Solution] was updated
- 2023/01/11
- Information under the section [Products Affected], [Description], [References], and [Other Information] was updated, and OMRON Corporation updated its status