JVN#85336306
Use-after-free vulnerability in multiple products that use International Components for Unicode (ICU)
Overview
Multiple products that use International Components for Unicode (ICU) contain a use-after-free vulnerability.
Products Affected
Products that use International Components for Unicode (ICU) may be vulnerable.
For more information on vulnerable products, please refer to the "Vendor Status" section.
Description
International Components for Unicode (ICU) is a library for handling
Unicode strings. A C version, ICU4C and a Java version, ICU4J are
available. Multiple products that use ICU4C contain a use-after-free
vulnerability.
ICU released ICU4C version 52.1 that addresses this vulnerability on October 9, 2013.
Impact
Impacts may vary depending on the product. In some cases, a remote attacker may cause a denial-of-service (DoS).
Solution
Apply an Update
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Cybozu, Inc. | Vulnerable | 2013/10/30 | Cybozu, Inc. website |
| Emurasoft | Not Vulnerable | 2014/08/21 | |
| NEC Corporation | Vulnerable | 2015/10/21 |
| Vendor | Link |
| ICU - International Components for Unicode | ICU Home Page |
| Changeset 34076 | |
| Stable Channel Update (Chrome 30.0.1599.66) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2013-2924 |
| JVN iPedia |
JVNDB-2013-004446 |
Update History
- 2013/10/30
- Information under the section "Vendor Status" was modified.
- 2014/03/31
- Intercom, Inc. update status
- 2014/08/21
- Emurasoft update status
- 2015/10/21
- NEC Corporation update status