Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
0

CVE-2016-7163

Disclosure Date: September 21, 2016
CVE-2016-7163 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Integer overflow in the opj_pi_create_decode function in pi.c in OpenJPEG allows remote attackers to execute arbitrary code via a crafted JP2 file, which triggers an out-of-bounds read or write.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • fedoraproject,
  • redhat,
  • uclouvain

Products

  • debian linux 8.0,
  • enterprise linux desktop 7.0,
  • enterprise linux eus 7.3,
  • enterprise linux eus 7.4,
  • enterprise linux eus 7.5,
  • enterprise linux eus 7.6,
  • enterprise linux eus 7.7,
  • enterprise linux server 6.0,
  • enterprise linux server 7.0,
  • enterprise linux server aus 7.3,
  • enterprise linux server aus 7.4,
  • enterprise linux server aus 7.6,
  • enterprise linux server aus 7.7,
  • enterprise linux server tus 7.3,
  • enterprise linux server tus 7.6,
  • enterprise linux server tus 7.7,
  • enterprise linux workstation 6.0,
  • enterprise linux workstation 7.0,
  • fedora 23,
  • fedora 24,
  • fedora 25,
  • openjpeg

References

Canonical
CVE-2016-7163 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163)
BID-92897 (http://www.securityfocus.com/bid/92897)
Advisory
[oss-security] 20160908 Re: CVE Request: OpenJPEG Integer Overflow Issue (http://www.openwall.com/lists/oss-security/2016/09/08/6)
[oss-security] 20160908 CVE Request: OpenJPEG Integer Overflow Issue (http://www.openwall.com/lists/oss-security/2016/09/08/3)
FEDORA-2016-231f53426b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AQ2IIIQSJ3J4MONBOGCG6XHLKKJX2HKM)
FEDORA-2016-8ed6b7bb5e (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2T6IQAMS4W65MGP7UW5FPE22PXELTK5D)
http://rhn.redhat.com/errata/RHSA-2017-0559.html
https://github.com/uclouvain/openjpeg/issues/826
http://rhn.redhat.com/errata/RHSA-2017-0838.html
https://github.com/uclouvain/openjpeg/commit/ef01f18dfc6780b776d0674ed3e7415c6ef54d24
DSA-3665 (http://www.debian.org/security/2016/dsa-3665)
https://github.com/uclouvain/openjpeg/pull/809
FEDORA-2016-dc53ceffc2 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66BWMMMWXH32J5AOGLAJGZA3GH5LZHXH)
FEDORA-2016-2eac99579c (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4IRSGYMBSHCBZP23CUDIRJ3LBKH6ZJ7)
https://github.com/uclouvain/openjpeg/commit/c16bc057ba3f125051c9966cf1f5b68a05681de4
FEDORA-2016-27d3b7742f (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YGKSEWWWED77Q5ZHK4OA2EKSJXLRU3MK)
FEDORA-2016-adb346980c (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JYLOX7PZS3ZUHQ6RGI3M6H27B7I5ZZ26)

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis