JVNVU#98045645
Ichitaro series vulnerable to heap-based buffer overflow
Overview
The "Ichitaro" series word processing software provided by JustSystems Corporation contains multiple heap-based buffer overflow vulnerabilities.
Products Affected
- Ichitaro 2016
- Ichitaro 2015
- Ichitaro Pro 3
- Ichitaro Pro 2
- Ichitaro Pro
- Ichitaro Government 8
- Ichitaro Government 7
- Ichitaro Government 6
- Ichitaro 2011 Sou / Ichitaro 2011
- Ichitaro 2010
- Ichitaro Government 2010
Description
The "Ichitaro" series word processing software provided by JustSystems Corporation contains multiple heap-based buffer overflow vulnerabilities.
- Heap-based buffer overflow when handling .jtd format files (CWE-122) - CVE-2017-2789
- Heap-based buffer overflow when handling .xls format files (CWE-122) - CVE-2017-2790
- Heap-based buffer overflow when handling .ppt format files (CWE-122) - CVE-2017-2791
Impact
When a user opens a specially crafted file, the application crashes.
The reporter states in its blog entry that arbitrary code execution is possible by exploiting these vulnerabilities.
Solution
Update the software
Update the software according to the information provided by the developer.
Vendor Status
Vendor | Link |
JustSystems Corporation | [JS17001] For the Ichitaro users |
References
- Cisco Talos Security Intelligence and Research Group Blog, "Vulnerability Spotlight: Multiple Ichitaro Office Vulnerabilities"
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Cisco Talos Security Intelligence and Research Group reported this vulnerability to JustSystems Corporation.
JPCERT/CC coordinated between the reporter and the developer.
Other Information
CVE | CVE-2017-2789, CVE-2017-2790, CVE-2017-2791 |