Vulnerability Description
In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug."
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Glibc | 2.34 |
| Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3 |
| Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 22.1.2 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.1 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 22.2.0 |
| Oracle | Enterprise Operations Monitor | 4.3 |
References
- https://blog.tuxcare.com/vulnerability/vulnerability-in-iconv-identified-by-tuxc (Exploit, Third Party Advisory)
- https://sourceware.org/bugzilla/show_bug.cgi?id=28524 (Exploit, Issue Tracking, Third Party Advisory)
- https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=ff012870b2c02a62598c04daa (Patch)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-43396?
CVE-2021-43396 is a vulnerability with a CVSS score of 7.5 (HIGH). In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. The vendor notes that the bug requires iconv() to be invoked with a NULL inbuf and cannot be triggered through user input alone.
How severe is CVE-2021-43396?
CVE-2021-43396 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above; note that the vendor disputes any security impact (see the vulnerability description).
Is there a patch for CVE-2021-43396?
Check the references section above for vendor advisories and patch information; the glibc fix is the sourceware.org commit listed there, and the Oracle Critical Patch Update (July 2022) covers the Oracle products. Affected products include: Gnu Glibc 2.34, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Security Edge Protection Proxy, Oracle Communications Cloud Native Core Unified Data Repository, and Oracle Enterprise Operations Monitor.