itext CVE-2022-24197 (BDSA-2021-4193): iText is vulnerable to a stack-based buffer overflow.

Article ID: 239080

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Black Duck scans have reported new vulnerabilities related to iText:

CVE-2022-24197 (BDSA-2021-4193): iText is vulnerable to a stack-based buffer overflow. An attacker could exploit this flaw by tricking a victim into running a maliciously crafted file on the application, leading to a denial-of-service (DoS) condition.

Scanned version is 10.7.0.361, found in:

plugins/com.ca.apm.introscope.workstation.webapp_10.7.0.jar ! /WebContent/WEB-INF/lib/iText.jar

plugins/com.wily.ui.jasper.report_10.7.0.jar ! /lib/itext-1.3.1.jar

plugins/com.tomsawyer_9.0.0.jar ! /lib/client/thirdparty/iText.jar

Environment

Release : 10.7.0, 10.8

Component : Introscope

Resolution

Vulnerability Description: iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

This security vulnerability is about the attacker-supplied PDF. We do not use iText to read PDFs. Therefore, it is a false positive.