An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the function opj_get_encoding_parameters in openjp2/pi.c in OpenJPEG through 2.3.0 can lead to an integer overflow.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the function opj_get_encoding_parameters in     openjp2/pi.c in OpenJPEG through 2.3.0 can lead to an integer overflow. (CVE-2018-20847)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:4251 advisory.

  - Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in     openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application     crash). (CVE-2018-20845)

  - An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the function opj_get_encoding_parameters in     openjp2/pi.c in OpenJPEG through 2.3.0 can lead to an integer overflow. (CVE-2018-20847)

  - In OpenJPEG 2.3.0, there is an integer overflow vulnerability in the opj_t1_encode_cblks function     (openjp2/t1.c). Remote attackers could leverage this vulnerability to cause a denial of service via a     crafted bmp file. (CVE-2018-5727)

  - In OpenJPEG 2.3.0, there is an integer overflow caused by an out-of-bounds left shift in the     opj_j2k_setup_encoder function (openjp2/j2k.c). Remote attackers could leverage this vulnerability to     cause a denial of service via a crafted bmp file. (CVE-2018-5785)

  - In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c.
    Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file.
    This issue is similar to CVE-2018-6616. (CVE-2019-12973)

  - jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a     mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free     may also be possible. This is related to calling opj_image_destroy twice. (CVE-2020-15389)

  - A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could     use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of     the user running such an application. (CVE-2020-27814)

  - A flaw was found in OpenJPEG's encoder. This flaw allows an attacker to pass specially crafted x,y offset     input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-27823)

  - A flaw was found in OpenJPEG's encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows     an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest     threat from this vulnerability is to system availability. (CVE-2020-27824)

  - There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An attacker who is able to provide     crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of     this flaw is to application availability. (CVE-2020-27842)

  - A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially     crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest     threat from this vulnerability is system availability. (CVE-2020-27843)

  - There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to     provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds     read. The highest impact of this flaw is to application availability. (CVE-2020-27845)

  - Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of     Service (DoS). This occurs when the attacker uses the command line option -ImgDir on a directory that     contains 1048576 files. (CVE-2021-29338)

  - A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing     a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the     application compiled against openjpeg. (CVE-2021-3575)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:4251 advisory.

  - In OpenJPEG 2.3.0, there is an integer overflow vulnerability in the opj_t1_encode_cblks function     (openjp2/t1.c). Remote attackers could leverage this vulnerability to cause a denial of service via a     crafted bmp file. (CVE-2018-5727)

  - In OpenJPEG 2.3.0, there is an integer overflow caused by an out-of-bounds left shift in the     opj_j2k_setup_encoder function (openjp2/j2k.c). Remote attackers could leverage this vulnerability to     cause a denial of service via a crafted bmp file. (CVE-2018-5785)

  - Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in     openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application     crash). (CVE-2018-20845)

  - An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the function opj_get_encoding_parameters in     openjp2/pi.c in OpenJPEG through 2.3.0 can lead to an integer overflow. (CVE-2018-20847)

  - In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c.
    Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file.
    This issue is similar to CVE-2018-6616. (CVE-2019-12973)

  - jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a     mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free     may also be possible. This is related to calling opj_image_destroy twice. (CVE-2020-15389)

  - A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could     use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of     the user running such an application. (CVE-2020-27814)

  - A flaw was found in OpenJPEG's encoder. This flaw allows an attacker to pass specially crafted x,y offset     input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to     confidentiality, integrity, as well as system availability. (CVE-2020-27823)

  - A flaw was found in OpenJPEG's encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows     an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest     threat from this vulnerability is to system availability. (CVE-2020-27824)

  - There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An attacker who is able to provide     crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of     this flaw is to application availability. (CVE-2020-27842)

  - A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially     crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest     threat from this vulnerability is system availability. (CVE-2020-27843)

  - There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to     provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds     read. The highest impact of this flaw is to application availability. (CVE-2020-27845)

  - Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of     Service (DoS). This occurs when the attacker uses the command line option -ImgDir on a directory that     contains 1048576 files. (CVE-2021-29338)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-4251 advisory.

    - Fix CVE-2021-3575 (#1969279)
    - Fix CVE-2021-29338 (#1951332)
    - Resolves: CVE-2018-5727 (#1538467)
    - Resolves: CVE-2018-5785 (#1538556)
    - Resolves: CVE-2018-20845 (#1730679)
    - Resolves: CVE-2018-20847 (#1734337)
    - Resolves: CVE-2019-12973 (#1739076)
    - Resolves: CVE-2020-15389 (#1855115)
    - Resolves: CVE-2020-27814 (#1908965)
    - Resolves: CVE-2020-27823 (#1906222)
    - Resolves: CVE-2020-27824 (#1906216)
    - Resolves: CVE-2020-27842 (#1908165)
    - Resolves: CVE-2020-27843 (#1908164)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4251 advisory.

    OpenJPEG is an open source library for reading and writing image files in JPEG2000 format.

    The following packages have been upgraded to a later upstream version: openjpeg2 (2.4.0).

    Security Fix(es):

    * openjpeg: use-after-free and double-free via a mix of valid and invalid files in a directory operated on     by the decompressor (CVE-2020-15389)

    * openjpeg: heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS (CVE-2020-27814)

    * openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift_encode() (CVE-2020-27823)

    * openjpeg: heap-buffer-overflow in color.c may lead to DoS or arbitrary code execution (CVE-2021-3575)

    * openjpeg: integer overflow in opj_t1_encode_cblks in src/lib/openjp2/t1.c (CVE-2018-5727)

    * openjpeg: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c (CVE-2018-5785)

    * openjpeg: division-by-zero in functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c     (CVE-2018-20845)

    * openjpeg: integer overflow in function opj_get_encoding_parameters in openjp2/pi.c (CVE-2018-20847)

    * openjpeg: denial of service in function opj_t1_encode_cblks in openjp2/t1.c (CVE-2019-12973)

    * openjpeg: global-buffer-overflow read in opj_dwt_calc_explicit_stepsizes() (CVE-2020-27824)

    * openjpeg: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c (CVE-2020-27842)

    * openjpeg: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c (CVE-2020-27843)

    * openjpeg: heap-based buffer overflow in functions opj_pi_next_rlcp, opj_pi_next_rpcl and     opj_pi_next_lrcp in openjp2/pi.c (CVE-2020-27845)

    * openjpeg: out-of-bounds write due to an integer overflow in opj_compress.c (CVE-2021-29338)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:4251 advisory.

  - openjpeg: division-by-zero in functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c     (CVE-2018-20845)

  - openjpeg: integer overflow in function opj_get_encoding_parameters in openjp2/pi.c (CVE-2018-20847)

  - openjpeg: integer overflow in opj_t1_encode_cblks in src/lib/openjp2/t1.c (CVE-2018-5727)

  - openjpeg: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c (CVE-2018-5785)

  - openjpeg: denial of service in function opj_t1_encode_cblks in openjp2/t1.c (CVE-2019-12973)

  - openjpeg: use-after-free and double-free via a mix of valid and invalid files in a directory operated on     by the decompressor (CVE-2020-15389)

  - openjpeg: heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS (CVE-2020-27814)

  - openjpeg: heap-buffer-overflow write in opj_tcd_dc_level_shift_encode() (CVE-2020-27823)

  - openjpeg: global-buffer-overflow read in opj_dwt_calc_explicit_stepsizes() (CVE-2020-27824)

  - openjpeg: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c (CVE-2020-27842)

  - openjpeg: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c (CVE-2020-27843)

  - openjpeg: heap-based buffer overflow in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp     in openjp2/pi.c (CVE-2020-27845)

  - openjpeg: out-of-bounds write due to an integer overflow in opj_compress.c (CVE-2021-29338)

  - openjpeg: heap-buffer-overflow in color.c may lead to DoS or arbitrary code execution (CVE-2021-3575)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4497-1 advisory.

    It was discovered that OpenJPEG incorrectly handled certain image files. A remote attacker could possibly     use this issue to cause a denial of service. (CVE-2016-9112)

    It was discovered that OpenJPEG did not properly handle certain input. If OpenJPEG were supplied with     specially crafted input, it could be made to crash or potentially execute arbitrary code. (CVE-2018-20847,     CVE-2018-21010, CVE-2020-6851, CVE-2020-8112, CVE-2020-15389)

    It was discovered that OpenJPEG incorrectly handled certain BMP files. A remote attacker could possibly     use this issue to cause a denial of service. (CVE-2019-12973)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Two security vulnerabilities were discovered in openjpeg2, a JPEG 2000 image library.

CVE-2016-9112

A floating point exception or divide by zero in the function opj_pi_next_cprl may lead to a denial of service.

CVE-2018-20847

An improper computation of values in the function opj_get_encoding_parameters can lead to an integer overflow. This issue was partly fixed by the patch for CVE-2015-1239.

For Debian 8 'Jessie', these problems have been fixed in version 2.1.0-2+deb8u7.

We recommend that you upgrade your openjpeg2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
255981	Linux Distros Unpatched Vulnerability : CVE-2018-20847	Nessus	Misc.	high
185024	Rocky Linux 8 : openjpeg2 (RLSA-2021:4251)	Nessus	Rocky Linux Local Security Checks	high
157485	AlmaLinux 8 : openjpeg2 (ALSA-2021:4251)	Nessus	Alma Linux Local Security Checks	high
155437	Oracle Linux 8 : openjpeg2 (ELSA-2021-4251)	Nessus	Oracle Linux Local Security Checks	high
155190	RHEL 8 : openjpeg2 (RHSA-2021:4251)	Nessus	Red Hat Local Security Checks	high
155186	CentOS 8 : openjpeg2 (CESA-2021:4251)	Nessus	CentOS Local Security Checks	high
140592	Ubuntu 16.04 LTS : OpenJPEG vulnerabilities (USN-4497-1)	Nessus	Ubuntu Local Security Checks	high
126607	Debian DLA-1851-1 : openjpeg2 security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2018-20847

high

Tenable Plugins

high

high

high

high

high

high

high

high