Vulnerability Name:

CVE-2014-8146

Assigned:2014-10-10
Published:2015-05-04
Updated:2018-01-18
Summary:The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.
CVSS v3 Severity:5.9 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.4 Medium (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-119
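The summary above says the bug is in how resolveImplicitLevels() tracks directionally isolated runs and that it is reached "via crafted text"; the advisory itself does not publish that text. The following is an added triage helper, not code from ICU or from the advisory: it inventories the Unicode bidi controls that drive that code path (the Unicode 6.3 isolate initiators LRI/RLI/FSI and terminator PDI, plus the older embedding and override controls) and flags input whose isolates are unbalanced or nested past the UAX #9 depth limit, so that a reviewer can quarantine such input, or use it as a fuzz seed, before it reaches an ICU older than 55.1. The "suspicious" rule, the sample strings and the simplified nesting model (it does not apply the UAX #9 rule that a PDI also terminates embeddings opened inside the isolate) are my assumptions, not signatures from the advisory.

```python
"""Triage helper for text aimed at ICU's bidi engine (added example,
not ICU or advisory code). It does not reproduce CVE-2014-8146; it
counts the bidi controls that reach resolveImplicitLevels() and flags
unbalanced or over-deep isolates. Heuristics are assumptions."""
from dataclasses import dataclass, field

ISOLATE_OPEN = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
PDI = "\u2069"
EMBED_OPEN = {"\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO"}
PDF = "\u202c"

# UAX #9 (Unicode 6.3 and later) caps explicit embedding/isolate depth at
# 125; conforming implementations must ignore deeper initiators, which is
# the kind of edge an isolate-tracking bug is likely to mishandle.
MAX_DEPTH = 125


@dataclass
class BidiReport:
    counts: dict = field(default_factory=dict)  # tallies per control name
    max_isolate_depth: int = 0
    unmatched_pdi: int = 0        # PDI seen with no open isolate
    unclosed_isolates: int = 0    # isolates still open at end of text
    unmatched_pdf: int = 0
    unclosed_embeddings: int = 0

    @property
    def has_isolates(self) -> bool:
        return any(n in self.counts for n in ("LRI", "RLI", "FSI", "PDI"))

    @property
    def suspicious(self) -> bool:
        # Heuristic (assumption): balanced, shallow isolates are normal in
        # localized text; unbalanced or over-deep ones almost never are.
        return (self.max_isolate_depth > MAX_DEPTH
                or self.unmatched_pdi > 0
                or self.unclosed_isolates > 0)


def scan_bidi_controls(text: str) -> BidiReport:
    """Single pass over the text tracking isolate and embedding nesting.
    Simplified: a PDI here only closes isolates, never embeddings."""
    r = BidiReport()
    isolate_depth = 0
    embed_depth = 0

    def tally(name: str) -> None:
        r.counts[name] = r.counts.get(name, 0) + 1

    for ch in text:
        if ch in ISOLATE_OPEN:
            tally(ISOLATE_OPEN[ch])
            isolate_depth += 1
            r.max_isolate_depth = max(r.max_isolate_depth, isolate_depth)
        elif ch == PDI:
            tally("PDI")
            if isolate_depth == 0:
                r.unmatched_pdi += 1
            else:
                isolate_depth -= 1
        elif ch in EMBED_OPEN:
            tally(EMBED_OPEN[ch])
            embed_depth += 1
        elif ch == PDF:
            tally("PDF")
            if embed_depth == 0:
                r.unmatched_pdf += 1
            else:
                embed_depth -= 1
    r.unclosed_isolates = isolate_depth
    r.unclosed_embeddings = embed_depth
    return r


# Constructed samples (not from the advisory or the public PoC).
SAMPLES = {
    # A Hebrew word isolated inside an English sentence: one balanced RLI.
    "benign": "Order \u2067\u05e9\u05dc\u05d5\u05dd\u2069 shipped today",
    # Terminators before any initiator, then initiators never closed.
    "unbalanced": PDI * 3 + "\u2067\u2066" + "abc",
    # Balanced, but nested far past the UAX #9 limit.
    "too_deep": "\u2066" * 130 + "x" + PDI * 130,
}


def triage(text: str) -> str:
    """'clean', 'isolates' (present and well formed) or 'suspicious'."""
    rep = scan_bidi_controls(text)
    if rep.suspicious:
        return "suspicious"
    return "isolates" if rep.has_isolates else "clean"


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        rep = scan_bidi_controls(sample)
        print(f"{label:10s} -> {triage(sample):10s} {rep.counts} "
              f"max_depth={rep.max_isolate_depth} "
              f"unmatched_pdi={rep.unmatched_pdi} unclosed={rep.unclosed_isolates}")
```

Run it on anything that is about to be handed to ubidi_setPara() (or to a higher layer that calls it, such as a layout engine) on a host whose ICU has not been patched; a "suspicious" verdict is a reason to quarantine the input, not proof that it triggers the overflow.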
References:Source: CONFIRM
Type: VENDOR_ADVISORY
http://bugs.icu-project.org/trac/changeset/37162

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-09-16-1

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-09-16-3

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-09-21-1

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-09-30-3

Source: MLIST
Type: UNKNOWN
[oss-security] 20150505 [CVE-2014-8146/8147] - ICU heap and integer overflows / I-C-U-FAIL

Source: FULLDISC
Type: VENDOR_ADVISORY
20150505 [CVE-2014-8146/8147] - ICU heap and integer overflows / I-C-U-FAIL

Source: DEBIAN
Type: VENDOR_ADVISORY
DSA-3323

Source: CERT-VN
Type: VENDOR_ADVISORY
VU#602540

Source: CONFIRM
Type: VENDOR_ADVISORY
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

Source: CONFIRM
Type: PATCH
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

Source: BID
Type: VENDOR_ADVISORY
74457

Source: XF
Type: UNKNOWN
icu4c-cve20148146-bo(102875)

Source: MISC
Type: UNKNOWN
https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt

Source: GENTOO
Type: VENDOR_ADVISORY
GLSA-201507-04

Source: CONFIRM
Type: VENDOR_ADVISORY
https://support.apple.com/HT205212

Source: CONFIRM
Type: VENDOR_ADVISORY
https://support.apple.com/HT205213

Source: CONFIRM
Type: VENDOR_ADVISORY
https://support.apple.com/HT205221

Source: CONFIRM
Type: VENDOR_ADVISORY
https://support.apple.com/HT205267

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apple:itunes:12.1.3:*:*:*:*:*:*:*
  • OR cpe:/o:apple:iphone_os:8.2:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*
  • OR cpe:/o:apple:watchos:1.0.1:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:icu-project:international_components_for_unicode:1.4::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.4.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.4.1.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.4.1.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.4.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.5::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.6::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.7::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.8::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:1.8.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.0::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.0.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.0.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.4::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.6::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.6.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.6.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:2.8::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:3.0::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:3.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:3.2.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:3.4::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:3.4.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:3.6::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:3.8::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:3.8.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.0::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.0.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.2.0.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.4.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.4.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.4.2.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.6::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.6.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.8::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.8.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:4.8.1.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:49.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:49.1.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:49.1.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:50.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:50.1.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:50.1.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:51.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:51.2::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:52.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:53.1::~~~c/c++~~:*:*:*:*:*
  • OR cpe:/a:icu-project:international_components_for_unicode:54.1::~~~c/c++~~:*:*:*:*:*
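The affected-version list above runs from 1.4 through 4.8.1.1 and then jumps to 49.1 through 54.1, with the fix in 55.1, so a naive string comparison of ICU versions gets the range wrong. The following is an added example, not code from ICU or from any distribution: it parses a version string from the usual ICU toolchain probes into a numeric tuple and compares it against 55.1. The probe order (pkg-config, icu-config, uconv) and the output formats I parse are assumptions about a typical build host. A version below 55.1 is necessary but not sufficient evidence of exposure: distributions such as Debian (DSA-3323 in the references) backport the fix without rebasing to 55.1, so confirm against the package changelog before reporting a finding.

```python
"""Version-range check for CVE-2014-8146 against an installed ICU4C
(added example, not ICU or distribution code). Probe commands and
their output formats are assumptions; distro backports are not
detected, only upstream version numbers."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_IN = (55, 1)  # first upstream release with the ubidi.c fix


def parse_icu_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract an ICU version tuple from strings such as '55.1',
    '4.8.1.1', '55.1-1ubuntu1' or 'uconv v2.1  ICU 54.1'.
    An 'ICU <version>' form wins over any other digit run."""
    m = re.search(r"ICU\s+(\d+(?:\.\d+)*)", text)
    if m is None:
        m = re.search(r"(\d+(?:\.\d+)*)", text)
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: Tuple[int, ...],
                fixed_in: Tuple[int, ...] = FIXED_IN) -> bool:
    """True when the version sorts before the first fixed release.
    Tuple comparison handles mixed lengths: (4, 8, 1, 1) < (55, 1)."""
    return version < fixed_in


# Probe commands, in the order I'd try them on a build host (assumption).
PROBES = (
    ("pkg-config", "--modversion", "icu-uc"),
    ("icu-config", "--version"),
    ("uconv", "--version"),
)


def installed_icu_version() -> Optional[Tuple[int, ...]]:
    """Return the first parseable version from PROBES, or None."""
    for cmd in PROBES:
        if shutil.which(cmd[0]) is None:
            continue
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        version = parse_icu_version(out.stdout or out.stderr)
        if version:
            return version
    return None


# The ICU4C versions this record lists as vulnerable (Configuration 2).
LISTED_VULNERABLE = (
    "1.4", "1.4.1", "1.4.1.1", "1.4.1.2", "1.4.2", "1.5", "1.6", "1.7", "1.8",
    "1.8.1", "2.0", "2.0.1", "2.0.2", "2.1", "2.2", "2.4", "2.6", "2.6.1",
    "2.6.2", "2.8", "3.0", "3.2", "3.2.1", "3.4", "3.4.1", "3.6", "3.8",
    "3.8.1", "4.0", "4.0.1", "4.2", "4.2.0.1", "4.4.1", "4.4.2", "4.4.2.1",
    "4.6", "4.6.1", "4.8", "4.8.1", "4.8.1.1", "49.1", "49.1.1", "49.1.2",
    "50.1", "50.1.1", "50.1.2", "51.1", "51.2", "52.1", "53.1", "54.1",
)


def listed_versions_all_affected() -> bool:
    """Sanity check: every version the record lists sorts below 55.1."""
    return all(is_affected(parse_icu_version(v)) for v in LISTED_VULNERABLE)


if __name__ == "__main__":
    v = installed_icu_version()
    if v is None:
        print("no ICU toolchain found on PATH")
    else:
        verdict = ("AFFECTED by upstream version (check for distro backports)"
                   if is_affected(v) else "not affected")
        print(f"installed ICU {'.'.join(map(str, v))}: {verdict}")
```

The numeric tuple comparison is the point: as strings, "49.1" sorts before "55.1" but "9.9" would sort after it, and "4.8.1.1" would compare against "55.1" character by character; as tuples the record's whole list lands below (55, 1) and anything from 55.1 on lands above it.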

Oval Definitions (Class: V = vulnerability definition, P = patch definition)
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20148146 | V | CVE-2014-8146 | 2018-05-21
oval:org.cisecurity:def:51 | P | DSA-3323-1 -- icu -- security update | 2016-02-08
oval:com.ubuntu.precise:def:20148146000 | V | CVE-2014-8146 on Ubuntu 12.04 LTS (precise) - medium. | 2015-05-25
oval:com.ubuntu.trusty:def:20148146000 | V | CVE-2014-8146 on Ubuntu 14.04 LTS (trusty) - medium. | 2015-05-25