Vulnerability Description
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions specific DATA submessages can be sent to a discovery locator which may trigger a free error. This can remotely crash any Fast-DDS process. The call to free() could potentially leave the pointer in the attackers control which could lead to a double free. This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3, and 2.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eprosima | Fast Dds | < 2.6.7 |
Related Weaknesses (CWE)
References
- https://github.com/eProsima/Fast-DDS/issues/3207ExploitIssue Tracking
- https://github.com/eProsima/Fast-DDS/pull/3824Patch
- https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gmVendor Advisory
- https://www.debian.org/security/2023/dsa-5568Mailing List
- https://github.com/eProsima/Fast-DDS/issues/3207ExploitIssue Tracking
- https://github.com/eProsima/Fast-DDS/pull/3824Patch
- https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gmVendor Advisory
- https://www.debian.org/security/2023/dsa-5568Mailing List
FAQ
What is CVE-2023-42459?
CVE-2023-42459 is a vulnerability with a CVSS score of 8.6 (HIGH). Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). In affected versions specific DATA submessages can be sent to a discovery locator...
How severe is CVE-2023-42459?
CVE-2023-42459 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-42459?
Check the references section above for vendor advisories and patch information. Affected products include: Eprosima Fast Dds.