Published:2010/08/20  Last Updated:2010/08/20

JVN#25393522
Winny node information processing vulnerability
Critical

Overview

Winny contains a vulnerability in the processing of node information.

Products Affected

  • Winny 2.0b7.1 and earlier

Description

Winny is a P2P file sharing software. Winny contains a vulnerability in the processing of node information, which can be used to launch Distributed Denial of Service (DDoS) attacks.

Impact

A user may take part in a DDoS attack by a remote attacker.

Solution

Do not use Winny
Please discontinue use of Winny.

Vendor Status

References

JPCERT/CC Addendum

According to the attorney of the developer, due to the on-going litigation, there is no timetable for an update as of August 20, 2010.

Vulnerability Analysis by JPCERT/CC

Credit

Fuyumasa Takatsu of University of Tsukuba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2010-2362
JVN iPedia JVNDB-2010-000028