Impact of CVE-2020-29573 on SPE

Article ID: 224672

Products

- Protection Engine for Cloud Services
- Protection Engine for NAS

Issue/Introduction

The following CVE has been published recently:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29573

Environment

The issue is observed only when both of the following conditions hold:

- the system runs an old glibc (before 2.23), and
- a printf family function is passed a specific argument (an 80-bit long double with a non-canonical bit pattern)

Resolution

Because the issue is limited to 32-bit environments, SPE version 7.8 and later are not impacted, as these are now 64-bit applications.

SPE versions earlier than 7.8 are not impacted either, as SPE does not pass user input directly to printf functions.

However, this vulnerability applies to every application on an affected system, so it is recommended to apply the vendor-provided patches if the environment has an impacted version of glibc.
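The two conditions this article uses to scope the CVE (glibc older than 2.23 and a 32-bit process) can be turned into a small triage script for hosts running SPE or any other application. The script below is an added example, not Broadcom/Symantec code; it assumes Linux ELF binaries and a POSIX sh with od, cut and sed, and the sample headers it checks are constructed inline rather than real binaries.

```sh
#!/bin/sh
# Added triage helper for CVE-2020-29573 (not part of the article or of SPE).
# Encodes the article's two scoping conditions: glibc before 2.23 AND a 32-bit process.
# Assumes Linux, ELF binaries and POSIX sh with od/cut/sed available.

# glibc_is_vulnerable VERSION -> true (0) if VERSION is older than 2.23.
# Distro suffixes such as "2.17-106.el7" are tolerated; an empty version is treated as not determinable.
glibc_is_vulnerable() {
    [ -n "$1" ] || return 1
    gv_major=$(printf '%s\n' "$1" | cut -s -d. -f1 | sed 's/[^0-9].*//')
    gv_minor=$(printf '%s\n' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    gv_major=${gv_major:-0}; gv_minor=${gv_minor:-0}
    if [ "$gv_major" -lt 2 ]; then return 0; fi
    if [ "$gv_major" -eq 2 ] && [ "$gv_minor" -lt 23 ]; then return 0; fi
    return 1
}

# elf_class FILE -> prints 32, 64 or unknown.
# The first five bytes are the ELF magic (7f 45 4c 46) followed by EI_CLASS (01 = 32-bit, 02 = 64-bit).
elf_class() {
    case "$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo unknown ;;
    esac
}

# cve_2020_29573_in_scope GLIBC_VERSION FILE -> true only when both article conditions hold.
cve_2020_29573_in_scope() {
    glibc_is_vulnerable "$1" && [ "$(elf_class "$2")" = 32 ]
}

# Constructed sample headers (not real programs): ELF magic plus the class byte, and one non-ELF file.
SAMPLE_DIR=${TMPDIR:-/tmp}/cve-2020-29573-demo
mkdir -p "$SAMPLE_DIR"
printf '\177ELF\001' > "$SAMPLE_DIR/app32"
printf '\177ELF\002' > "$SAMPLE_DIR/app64"
printf 'not an elf' > "$SAMPLE_DIR/script"

# Demo: same old glibc (2.17, a pre-2.23 release), different process bitness.
for f in app32 app64 script; do
    if cve_2020_29573_in_scope 2.17 "$SAMPLE_DIR/$f"; then
        echo "$f: class $(elf_class "$SAMPLE_DIR/$f") on glibc 2.17 -> in scope, apply the vendor glibc patch"
    else
        echo "$f: class $(elf_class "$SAMPLE_DIR/$f") on glibc 2.17 -> out of scope for this CVE"
    fi
done
```

On a live host, feed the result of `getconf GNU_LIBC_VERSION` and the application's binary path into `cve_2020_29573_in_scope`; an "in scope" result is a necessary condition only, since, as the article notes for SPE, the application must also pass externally influenced long double values to a printf family function.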