NVD Vulnerability Detail

CVE-2022-37434

Summary	zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Publication Date	Aug. 5, 2022, 4:15 p.m.
Registration Date	Aug. 5, 2022, 8 p.m.
Last Update	Nov. 21, 2024, 4:14 p.m.

CVSS3.1 : CRITICAL
スコア	9.8
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:zlib:zlib::::::::			1.2.12

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:35:::::::*
cpe:2.3:o:fedoraproject:fedora:36:::::::*
cpe:2.3:o:fedoraproject:fedora:37:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:storagegrid:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:hci:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
cpe:2.3:h:netapp:hci_compute_node:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:o:netapp:h300s_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h300s:-:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:o:netapp:h500s_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h500s:-:::::::*

Configuration7		or higher	or less	more than	less than
cpe:2.3:o:netapp:h700s_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h700s:-:::::::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:o:netapp:h700s_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h700s:-:::::::*

Configuration9	or higher	or less	more than	less than
cpe:2.3:o:apple:macos::::::::	11.0			11.7.1
cpe:2.3:o:apple:iphone_os::::::::	16.0			16.1
cpe:2.3:o:apple:watchos::::::::				9.1
cpe:2.3:o:apple:macos::::::::	12.0.0			12.6.1
cpe:2.3:o:apple:iphone_os::::::::				15.7.1
cpe:2.3:o:apple:ipados::::::::				15.7.1

Configuration10	or higher	or less	more than	less than
cpe:2.3:a:stormshield:stormshield_network_security::::::::	4.6.0			4.6.3
cpe:2.3:a:stormshield:stormshield_network_security::::::::	4.3.0			4.3.16
cpe:2.3:a:stormshield:stormshield_network_security::::::::	3.11.0			3.11.22
cpe:2.3:a:stormshield:stormshield_network_security::::::::	3.7.31			3.7.34

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/fulldisclosure/2022/Oct/37	Mailing List Third Party Advisory
2	http://seclists.org/fulldisclosure/2022/Oct/38	Mailing List Third Party Advisory
3	http://seclists.org/fulldisclosure/2022/Oct/41	Mailing List Third Party Advisory
4	http://seclists.org/fulldisclosure/2022/Oct/42	Mailing List Third Party Advisory
5	http://www.openwall.com/lists/oss-security/2022/08/05/2	Mailing List Third Party Advisory
6	http://www.openwall.com/lists/oss-security/2022/08/09/1	Mailing List Patch Third Party Advisory
7	https://github.com/curl/curl/issues/9271	Exploit Issue Tracking Third Party Advisory
8	https://github.com/ivd38/zlib_overflow	Exploit Third Party Advisory
9	https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063	Exploit Third Party Advisory
10	https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1	Patch Third Party Advisory
11	https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764	Exploit Third Party Advisory
12	https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html	Mailing List Third Party Advisory
13	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/	Mailing List Third Party Advisory
14	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/	Mailing List Third Party Advisory
15	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/	Mailing List Third Party Advisory
16	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/	Mailing List Third Party Advisory
17	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/	Mailing List Third Party Advisory
18	https://security.netapp.com/advisory/ntap-20220901-0005/	Third Party Advisory
19	https://security.netapp.com/advisory/ntap-20230427-0007/	Third Party Advisory
20	https://support.apple.com/kb/HT213488	Third Party Advisory
21	https://support.apple.com/kb/HT213489	Third Party Advisory
22	https://support.apple.com/kb/HT213490	Third Party Advisory
23	https://support.apple.com/kb/HT213491	Third Party Advisory
24	https://support.apple.com/kb/HT213493	Third Party Advisory
25	https://support.apple.com/kb/HT213494	Third Party Advisory
26	https://www.debian.org/security/2022/dsa-5218	Third Party Advisory
27	http://seclists.org/fulldisclosure/2022/Oct/37	Mailing List Third Party Advisory
28	https://www.debian.org/security/2022/dsa-5218	Third Party Advisory
29	https://support.apple.com/kb/HT213494	Third Party Advisory
30	https://support.apple.com/kb/HT213493	Third Party Advisory
31	https://support.apple.com/kb/HT213491	Third Party Advisory
32	https://support.apple.com/kb/HT213490	Third Party Advisory
33	https://support.apple.com/kb/HT213489	Third Party Advisory
34	https://support.apple.com/kb/HT213488	Third Party Advisory
35	https://security.netapp.com/advisory/ntap-20230427-0007/	Third Party Advisory
36	https://security.netapp.com/advisory/ntap-20220901-0005/	Third Party Advisory
37	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/	Mailing List Third Party Advisory
38	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/	Mailing List Third Party Advisory
39	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/	Mailing List Third Party Advisory
40	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/	Mailing List Third Party Advisory
41	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/	Mailing List Third Party Advisory
42	https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html	Mailing List Third Party Advisory
43	https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764	Exploit Third Party Advisory
44	https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1	Patch Third Party Advisory
45	https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063	Exploit Third Party Advisory
46	https://github.com/ivd38/zlib_overflow	Exploit Third Party Advisory
47	https://github.com/curl/curl/issues/9271	Exploit Issue Tracking Third Party Advisory
48	http://www.openwall.com/lists/oss-security/2022/08/09/1	Mailing List Patch Third Party Advisory
49	http://www.openwall.com/lists/oss-security/2022/08/05/2	Mailing List Third Party Advisory
50	http://seclists.org/fulldisclosure/2022/Oct/42	Mailing List Third Party Advisory
51	http://seclists.org/fulldisclosure/2022/Oct/41	Mailing List Third Party Advisory
52	http://seclists.org/fulldisclosure/2022/Oct/38	Mailing List Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-787	境界外書き込み	https://cwe.mitre.org/data/definitions/787.html

JVN Vulnerability Information

zlib における境界外書き込みに関する脆弱性

Title	zlib における境界外書き込みに関する脆弱性
Summary	zlib には、境界外書き込みに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 31, 2022, midnight
Registration Date	April 6, 2023, 5:52 p.m.
Last Update	Dec. 15, 2025, 2:45 p.m.

Affected System

アップル

iPadOS

日立

日立アドバンストサーバ HA8000V シリーズ

Debian

Debian GNU/Linux

zlib

zlib 1.2.12 まで

Fedora Project

Fedora

NetApp

Active IQ Unified Manager

Management Services for Element Software

NetApp HCI

OnCommand Workflow Automation

ONTAP Select Deploy administration utility

StorageGRID

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-37434	https://www.cve.org/CVERecord?id=CVE-2022-37434
National Vulnerability Database (NVD)
2	CVE-2022-37434	https://nvd.nist.gov/vuln/detail/CVE-2022-37434

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-787	https://cwe.mitre.org/data/definitions/787.html

ベンダー情報

No	Name	URL
Apple Security Updates
1	HT213488	https://support.apple.com/en-us/HT213488
2	HT213489	https://support.apple.com/en-us/HT213489
3	HT213490	https://support.apple.com/en-us/HT213490
4	HT213491	https://support.apple.com/en-us/HT213491
5	HT213493	https://support.apple.com/en-us/HT213493
6	HT213494	https://support.apple.com/en-us/HT213494
Apple セキュリティアップデート
7	HT213488	https://support.apple.com/ja-jp/HT213488
8	HT213489	https://support.apple.com/ja-jp/HT213489
9	HT213490	https://support.apple.com/ja-jp/HT213490
10	HT213491	https://support.apple.com/ja-jp/HT213491
11	HT213493	https://support.apple.com/ja-jp/HT213493
12	HT213494	https://support.apple.com/ja-jp/HT213494
Debian
13	[SECURITY] [DLA 3103-1] zlib security update	https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html
Debian Security Advisory
14	DSA-5218-1	https://www.debian.org/security/2022/dsa-5218
Fedora Update Notification
15	FEDORA-2022-0b517a5397	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/
16	FEDORA-2022-15da0cf165	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
17	FEDORA-2022-25e4dbedf9	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
18	FEDORA-2022-3c28ae0cd8	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/
19	FEDORA-2022-b8232d1cca	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/
GitHub
20	Fix a bug when getting a gzip header extra field with inflate().	https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
NetApp Advisory
21	NTAP-20220901-0005	https://security.netapp.com/advisory/ntap-20220901-0005/
サーバ・クライアント製品セキュリティ情報
22	hitachi-sec-2023-206	https://www.hitachi.co.jp/products/it/server/security/info/vulnerable/hitachi_sec_2023_206.html

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-23-005-03	https://www.cisa.gov/news-events/ics-advisories/icsa-23-005-03
2	ICSA-23-320-12	https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-12
3	ICSA-25-105-08	https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-08
JVN
4	JVNVU#92488108	https://jvn.jp/vu/JVNVU92488108/
5	JVNVU#92598492	https://jvn.jp/vu/JVNVU92598492/
6	JVNVU#95292697	http://jvn.jp/vu/JVNVU95292697/index.html
7	JVNVU#99514792	https://jvn.jp/vu/JVNVU99514792/index.html
8	JVNVU#99602271	https://jvn.jp/vu/JVNVU99602271/index.html
関連文書
9	Re: zlib buffer overflow	https://www.openwall.com/lists/oss-security/2022/08/09/1

Change Log

No	Changed Details	Date of change
3	[2023年11月22日] 参考情報：JVN (JVNVU#92598492) を追加参考情報：ICS-CERT ADVISORY (ICSA-23-320-12) を追加	Nov. 21, 2023, 5:30 p.m.
4	[2025年04月17日] 参考情報：JVN (JVNVU#92488108) を追加参考情報：ICS-CERT ADVISORY (ICSA-25-105-08) を追加	April 17, 2025, 4:40 p.m.
1	[2023年04月06日] 掲載	April 6, 2023, 5:52 p.m.
2	[2023年07月19日] 参考情報：JVN (JVNVU#95292697) を追加	July 19, 2023, 3:47 p.m.
5	[2025年12月15日] 参考情報：JVN (JVNVU#99514792) を追加	Dec. 15, 2025, 1:55 p.m.

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:storagegrid:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:hci:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
cpe:2.3:h:netapp:hci_compute_node:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*