FrankChen021 commented on issue #10633: URL: https://github.com/apache/druid/issues/10633#issuecomment-750701999
Hi @QiAnXinCodeSafe, I did some investigation and found that all the vulnerabilities you listed above are related to ICU for C/C++ according to nvd.nist.gov. I'm wondering whether ICU4J 55.1 is affected?

[CVE-2017-17484](https://nvd.nist.gov/vuln/detail/CVE-2017-17484)
> The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for **C/C++** through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.

[CVE-2017-14952](https://nvd.nist.gov/vuln/detail/CVE-2017-14952)
> Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) **for C/C++** through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.

[CVE-2016-6293](https://nvd.nist.gov/vuln/detail/CVE-2016-6293)
> The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 **for C/C++** does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.

[CVE-2016-7415](https://nvd.nist.gov/vuln/detail/CVE-2016-7415)
> Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 **for C/C++** allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.

[CVE-2017-7868](https://nvd.nist.gov/vuln/detail/CVE-2017-7868)
> International Components for Unicode (ICU) **for C/C++** before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.

[CVE-2017-7867](https://nvd.nist.gov/vuln/detail/CVE-2017-7867)
> International Components for Unicode (ICU) **for C/C++** before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]

To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
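The triage step the comment above performs by hand (does the NVD record name ICU for C/C++, or could it cover the Java port?) can be automated by reading the CPE 2.3 match strings attached to each CVE, since the `target_sw` field is where NVD distinguishes the two ports. The following is an added Python example, not code from the issue or from the Druid project. The CPE strings, version ranges and the `CVE-EXAMPLE-0001` record are constructed for illustration and are not copied from NVD; the assumption that the Java port would carry `target_sw` = `java` is likewise the example's own.

```python
"""Classify NVD-style CPE match data against one dependency (added example)."""
import re
from typing import Dict, List, Tuple

# CPE 2.3 formatted strings have 13 colon-separated components; a colon that is
# part of a value is escaped with a backslash, so split only on unescaped colons.
_CPE_KEYS = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> Dict[str, str]:
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    # Drop the escaping backslashes so 'c\/c\+\+' reads as 'c/c++'.
    return {k: v.replace("\\", "") for k, v in zip(_CPE_KEYS, parts[2:])}


def version_key(v: str) -> Tuple[int, ...]:
    # Numeric dotted versions only (55.1, 60.1); enough for ICU release numbers.
    return tuple(int(x) for x in v.split("."))


def cpe_match_applies(match: Dict[str, str], dep: Dict[str, str]) -> bool:
    """True if one NVD cpeMatch entry covers the dependency.

    A wildcard ('*') in the CPE matches anything, so a record whose target_sw is
    '*' cannot be used to rule the Java port out; only an explicit 'c/c++' can.
    """
    cpe = parse_cpe23(match["cpe23Uri"])
    if cpe["product"] != dep["product"]:
        return False
    if cpe["target_sw"] not in ("*", dep["target_sw"]):
        return False
    dep_v = version_key(dep["version"])
    if cpe["version"] != "*":
        return version_key(cpe["version"]) == dep_v
    # Version '*' means the range fields decide.
    lo = match.get("versionStartIncluding")
    hi = match.get("versionEndIncluding")
    if lo is not None and dep_v < version_key(lo):
        return False
    if hi is not None and dep_v > version_key(hi):
        return False
    return True


def affected_cves(dep: Dict[str, str], records: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Return the CVE ids whose match data cannot exclude the dependency."""
    return sorted(cve for cve, matches in records.items()
                  if any(cpe_match_applies(m, dep) for m in matches))


# Constructed sample records in the shape of NVD's cpeMatch entries. The two
# real CVE ids are from the issue; their CPE strings and ranges are illustrative.
SAMPLE_RECORDS = {
    "CVE-2017-17484": [{
        "cpe23Uri": r"cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:c\/c\+\+:*:*",
        "versionEndIncluding": "60.1",
    }],
    "CVE-2016-6293": [{
        "cpe23Uri": r"cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:c\/c\+\+:*:*",
        "versionEndIncluding": "57.1",
    }],
    # Hypothetical record with a wildcard target_sw: it would NOT rule the Java port out.
    "CVE-EXAMPLE-0001": [{
        "cpe23Uri": r"cpe:2.3:a:icu-project:international_components_for_unicode:*:*:*:*:*:*:*:*",
        "versionEndIncluding": "56.0",
    }],
}

# The dependency under review; target_sw 'java' for ICU4J is this example's assumption.
ICU4J_55_1 = {"product": "international_components_for_unicode",
              "target_sw": "java", "version": "55.1"}

if __name__ == "__main__":
    for cve in SAMPLE_RECORDS:
        status = "needs review" if cve in affected_cves(ICU4J_55_1, SAMPLE_RECORDS) else "C/C++ only, excluded"
        print(f"{cve}: {status}")
```

Run against the constructed data, the two records whose CPE names `c/c++` are excluded for ICU4J 55.1, while the wildcard record is kept for manual review; the point is that only an explicit `target_sw` lets a dependency scanner rule a port out, and a wildcard should be treated as "unknown", not "safe".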
