CVE-2018-12086
published 2018-09-14
CVE-2018-12086: Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.
Priority: P348 · high · CVSS 3.0: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 11.59% (95.5th percentile)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | wireshark | < wireshark 2.6.4-1 (bookworm) | wireshark 2.6.4-1 (bookworm) |
| fasterxml | jackson-databind | >= 0 < 2.4.2-3ubuntu0.1~esm2 | 2.4.2-3ubuntu0.1~esm2 |
| opcfoundation | unified_architecture-java | <= 1.03.343 | — |
| opcfoundation | unified_architecture_ansic | <= 1.03.340 | — |
| opcfoundation | unified_architecture_net-legacy | <= 1.03.342 | — |
| opcfoundation | unified_architecture_net-standard | <= 1.03.352.12 | — |
| wireshark | wireshark | >= 0 < 2.6.4-1 | 2.6.4-1 |
| wireshark | wireshark | >= 0 < 2.6.4-1 | 2.6.4-1 |
| wireshark | wireshark | >= 0 < 2.6.4-1 | 2.6.4-1 |
| wireshark | wireshark | >= 0 < 2.6.4-1 | 2.6.4-1 |
CVSS provenance
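| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.5 | HIGH | — |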
GHSA
Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl
ghsa·2022-05-24·CVSS 9.8
CVE-2019-10202 [CRITICAL] CWE-502 Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
OSV
jackson-databind vulnerabilities
osv·2021-03-15·CVSS 9.8
CVE-2018-11307 jackson-databind vulnerabilities
It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to obtain
sensitive information. (CVE-2018-11307, CVE-2019-12086, CVE-2019-12814)
It was discovered that Jackson Databind incorrectly handled
deserialization. An attacker could possibly use this issue to execute
arbitrary code or other unspecified impact. (CVE-2018-12022,
CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-19360,
CVE-2018-19361, CVE-2018-19362, CVE-2019-12384, CVE-2019-14379,
CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330,
CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969,
CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2
GHSA
High severity vulnerability that affects OPCFoundation.NetStandard.Opc.Ua
ghsa·2018-10-16
CVE-2018-12086 [HIGH] CWE-787 High severity vulnerability that affects OPCFoundation.NetStandard.Opc.Ua
Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.
OSV
High severity vulnerability that affects OPCFoundation.NetStandard.Opc.Ua
osv·2018-10-16
CVE-2018-12086 [HIGH] High severity vulnerability that affects OPCFoundation.NetStandard.Opc.Ua
Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.
OSV
CVE-2018-12086: Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests
osv·2018-09-14·CVSS 7.5
CVE-2018-12086 [HIGH] CVE-2018-12086: Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests
Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.
Red Hat
codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
vendor_redhat·2019-09-30·CVSS 9.8
CVE-2019-10202 [CRITICAL] CWE-502 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Package: codehaus (Red Hat BPM Suite 6) - Out of support scope
Package: codehaus (Red Hat Decision Manager 7) - Not affected
Package: codehaus (Red Hat JBoss A-MQ 6) - Out of support scope
Package: codehaus (Red Hat JBoss BRMS 5) - Out of support scope
Package: codehaus (Red Hat JBoss BRMS 6) - Out of support scope
Package: codehaus
Red Hat
wireshark: OpcUa dissector crash
vendor_redhat·2018-10-10·CVSS 7.5
CVE-2018-12086 [HIGH] CWE-20 wireshark: OpcUa dissector crash
Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.
Package: wireshark (Red Hat Enterprise Linux 5) - Not affected
Package: wireshark (Red Hat Enterprise Linux 6) - Not affected
Package: wireshark (Red Hat Enterprise Linux 7) - Not affected
Package: wireshark (Red Hat Enterprise Linux 8) - Not affected
Debian
CVE-2018-12086: wireshark - Buffer overflow in OPC UA applications allows remote attackers to trigger a stac...
vendor_debian·2018·CVSS 7.5
CVE-2018-12086 [HIGH] CVE-2018-12086: wireshark - Buffer overflow in OPC UA applications allows remote attackers to trigger a stac...
Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.
Scope: local
bookworm: resolved (fixed in 2.6.4-1)
bullseye: resolved (fixed in 2.6.4-1)
forky: resolved (fixed in 2.6.4-1)
sid: resolved (fixed in 2.6.4-1)
trixie: resolved (fixed in 2.6.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-12086 wireshark: OpcUa dissector crash
bugzilla·2018-10-25·CVSS 7.5
CVE-2018-12086 [HIGH] CVE-2018-12086 wireshark: OpcUa dissector crash
It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
External References:
https://www.wireshark.org/security/wnpa-sec-2018-50
Discussion:
Created wireshark tracking bugs for this issue:
Affects: fedora-all [bug 1642918]
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2018-12086
Bugzilla
CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 wireshark: various flaws [fedora-all]
bugzilla·2018-10-25·CVSS 7.5
CVE-2018-12086 [HIGH] CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 wireshark: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multipl
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html
http://www.securityfocus.com/bid/105538
http://www.securitytracker.com/id/1041909
https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-12086.pdf
https://www.debian.org/security/2018/dsa-4359
Published: 2018-09-14