NVD脆弱性詳細

CVE-2022-37434

概要	zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
公表日	2022年8月5日16:15
登録日	2022年8月5日20:00
最終更新日	2024年11月21日16:14

CVSS3.1 : CRITICAL
スコア	9.8
ベクター	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

影響を受けるソフトウェアの構成

構成1		以上	以下	より上	未満
cpe:2.3:a:zlib:zlib::::::::			1.2.12

構成2	以上	以下	より上	未満
cpe:2.3:o:fedoraproject:fedora:35:::::::*
cpe:2.3:o:fedoraproject:fedora:36:::::::*
cpe:2.3:o:fedoraproject:fedora:37:::::::*

構成3		以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:10.0:::::::*

構成4	以上	以下	より上	未満
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:storagegrid:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:hci:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
cpe:2.3:h:netapp:hci_compute_node:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*

構成5		以上	以下	より上	未満
cpe:2.3:o:netapp:h300s_firmware:-:::::::*
実行環境
1	cpe:2.3:h:netapp:h300s:-:::::::*

構成6		以上	以下	より上	未満
cpe:2.3:o:netapp:h500s_firmware:-:::::::*
実行環境
1	cpe:2.3:h:netapp:h500s:-:::::::*

構成7		以上	以下	より上	未満
cpe:2.3:o:netapp:h700s_firmware:-:::::::*
実行環境
1	cpe:2.3:h:netapp:h700s:-:::::::*

構成8		以上	以下	より上	未満
cpe:2.3:o:netapp:h700s_firmware:-:::::::*
実行環境
1	cpe:2.3:h:netapp:h700s:-:::::::*

構成9	以上	以下	より上	未満
cpe:2.3:o:apple:macos::::::::	11.0			11.7.1
cpe:2.3:o:apple:iphone_os::::::::	16.0			16.1
cpe:2.3:o:apple:watchos::::::::				9.1
cpe:2.3:o:apple:macos::::::::	12.0.0			12.6.1
cpe:2.3:o:apple:iphone_os::::::::				15.7.1
cpe:2.3:o:apple:ipados::::::::				15.7.1

構成10	以上	以下	より上	未満
cpe:2.3:a:stormshield:stormshield_network_security::::::::	4.6.0			4.6.3
cpe:2.3:a:stormshield:stormshield_network_security::::::::	4.3.0			4.3.16
cpe:2.3:a:stormshield:stormshield_network_security::::::::	3.11.0			3.11.22
cpe:2.3:a:stormshield:stormshield_network_security::::::::	3.7.31			3.7.34

関連情報、対策とツール

No	URL	タグ
1	http://seclists.org/fulldisclosure/2022/Oct/37	Mailing List Third Party Advisory
2	http://seclists.org/fulldisclosure/2022/Oct/38	Mailing List Third Party Advisory
3	http://seclists.org/fulldisclosure/2022/Oct/41	Mailing List Third Party Advisory
4	http://seclists.org/fulldisclosure/2022/Oct/42	Mailing List Third Party Advisory
5	http://www.openwall.com/lists/oss-security/2022/08/05/2	Mailing List Third Party Advisory
6	http://www.openwall.com/lists/oss-security/2022/08/09/1	Mailing List Patch Third Party Advisory
7	https://github.com/curl/curl/issues/9271	Exploit Issue Tracking Third Party Advisory
8	https://github.com/ivd38/zlib_overflow	Exploit Third Party Advisory
9	https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063	Exploit Third Party Advisory
10	https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1	Patch Third Party Advisory
11	https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764	Exploit Third Party Advisory
12	https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html	Mailing List Third Party Advisory
13	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/	Mailing List Third Party Advisory
14	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/	Mailing List Third Party Advisory
15	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/	Mailing List Third Party Advisory
16	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/	Mailing List Third Party Advisory
17	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/	Mailing List Third Party Advisory
18	https://security.netapp.com/advisory/ntap-20220901-0005/	Third Party Advisory
19	https://security.netapp.com/advisory/ntap-20230427-0007/	Third Party Advisory
20	https://support.apple.com/kb/HT213488	Third Party Advisory
21	https://support.apple.com/kb/HT213489	Third Party Advisory
22	https://support.apple.com/kb/HT213490	Third Party Advisory
23	https://support.apple.com/kb/HT213491	Third Party Advisory
24	https://support.apple.com/kb/HT213493	Third Party Advisory
25	https://support.apple.com/kb/HT213494	Third Party Advisory
26	https://www.debian.org/security/2022/dsa-5218	Third Party Advisory
27	http://seclists.org/fulldisclosure/2022/Oct/37	Mailing List Third Party Advisory
28	https://www.debian.org/security/2022/dsa-5218	Third Party Advisory
29	https://support.apple.com/kb/HT213494	Third Party Advisory
30	https://support.apple.com/kb/HT213493	Third Party Advisory
31	https://support.apple.com/kb/HT213491	Third Party Advisory
32	https://support.apple.com/kb/HT213490	Third Party Advisory
33	https://support.apple.com/kb/HT213489	Third Party Advisory
34	https://support.apple.com/kb/HT213488	Third Party Advisory
35	https://security.netapp.com/advisory/ntap-20230427-0007/	Third Party Advisory
36	https://security.netapp.com/advisory/ntap-20220901-0005/	Third Party Advisory
37	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/	Mailing List Third Party Advisory
38	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/	Mailing List Third Party Advisory
39	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/	Mailing List Third Party Advisory
40	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/	Mailing List Third Party Advisory
41	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/	Mailing List Third Party Advisory
42	https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html	Mailing List Third Party Advisory
43	https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764	Exploit Third Party Advisory
44	https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1	Patch Third Party Advisory
45	https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063	Exploit Third Party Advisory
46	https://github.com/ivd38/zlib_overflow	Exploit Third Party Advisory
47	https://github.com/curl/curl/issues/9271	Exploit Issue Tracking Third Party Advisory
48	http://www.openwall.com/lists/oss-security/2022/08/09/1	Mailing List Patch Third Party Advisory
49	http://www.openwall.com/lists/oss-security/2022/08/05/2	Mailing List Third Party Advisory
50	http://seclists.org/fulldisclosure/2022/Oct/42	Mailing List Third Party Advisory
51	http://seclists.org/fulldisclosure/2022/Oct/41	Mailing List Third Party Advisory
52	http://seclists.org/fulldisclosure/2022/Oct/38	Mailing List Third Party Advisory

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-787	境界外書き込み	https://cwe.mitre.org/data/definitions/787.html

JVN脆弱性情報

zlib における境界外書き込みに関する脆弱性

タイトル	zlib における境界外書き込みに関する脆弱性
概要	zlib には、境界外書き込みに関する脆弱性が存在します。
想定される影響	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2022年7月31日0:00
登録日	2023年4月6日17:52
最終更新日	2025年12月15日14:45

影響を受けるシステム

アップル

iPadOS

日立

日立アドバンストサーバ HA8000V シリーズ

Debian

Debian GNU/Linux

zlib

zlib 1.2.12 まで

Fedora Project

Fedora

NetApp

Active IQ Unified Manager

Management Services for Element Software

NetApp HCI

OnCommand Workflow Automation

ONTAP Select Deploy administration utility

StorageGRID

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-37434	https://www.cve.org/CVERecord?id=CVE-2022-37434
National Vulnerability Database (NVD)
2	CVE-2022-37434	https://nvd.nist.gov/vuln/detail/CVE-2022-37434

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-787	https://cwe.mitre.org/data/definitions/787.html

ベンダー情報

No	名前	URL
Apple Security Updates
1	HT213488	https://support.apple.com/en-us/HT213488
2	HT213489	https://support.apple.com/en-us/HT213489
3	HT213490	https://support.apple.com/en-us/HT213490
4	HT213491	https://support.apple.com/en-us/HT213491
5	HT213493	https://support.apple.com/en-us/HT213493
6	HT213494	https://support.apple.com/en-us/HT213494
Apple セキュリティアップデート
7	HT213488	https://support.apple.com/ja-jp/HT213488
8	HT213489	https://support.apple.com/ja-jp/HT213489
9	HT213490	https://support.apple.com/ja-jp/HT213490
10	HT213491	https://support.apple.com/ja-jp/HT213491
11	HT213493	https://support.apple.com/ja-jp/HT213493
12	HT213494	https://support.apple.com/ja-jp/HT213494
Debian
13	[SECURITY] [DLA 3103-1] zlib security update	https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html
Debian Security Advisory
14	DSA-5218-1	https://www.debian.org/security/2022/dsa-5218
Fedora Update Notification
15	FEDORA-2022-0b517a5397	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/
16	FEDORA-2022-15da0cf165	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
17	FEDORA-2022-25e4dbedf9	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
18	FEDORA-2022-3c28ae0cd8	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/
19	FEDORA-2022-b8232d1cca	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/
GitHub
20	Fix a bug when getting a gzip header extra field with inflate().	https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
NetApp Advisory
21	NTAP-20220901-0005	https://security.netapp.com/advisory/ntap-20220901-0005/
サーバ・クライアント製品セキュリティ情報
22	hitachi-sec-2023-206	https://www.hitachi.co.jp/products/it/server/security/info/vulnerable/hitachi_sec_2023_206.html

その他

No	名前	URL
ICS-CERT ADVISORY
1	ICSA-23-005-03	https://www.cisa.gov/news-events/ics-advisories/icsa-23-005-03
2	ICSA-23-320-12	https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-12
3	ICSA-25-105-08	https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-08
JVN
4	JVNVU#92488108	https://jvn.jp/vu/JVNVU92488108/
5	JVNVU#92598492	https://jvn.jp/vu/JVNVU92598492/
6	JVNVU#95292697	http://jvn.jp/vu/JVNVU95292697/index.html
7	JVNVU#99514792	https://jvn.jp/vu/JVNVU99514792/index.html
8	JVNVU#99602271	https://jvn.jp/vu/JVNVU99602271/index.html
関連文書
9	Re: zlib buffer overflow	https://www.openwall.com/lists/oss-security/2022/08/09/1

変更履歴

No	変更内容	変更日
3	[2023年11月22日] 参考情報：JVN (JVNVU#92598492) を追加参考情報：ICS-CERT ADVISORY (ICSA-23-320-12) を追加	2023年11月21日17:30
4	[2025年04月17日] 参考情報：JVN (JVNVU#92488108) を追加参考情報：ICS-CERT ADVISORY (ICSA-25-105-08) を追加	2025年4月17日16:40
1	[2023年04月06日] 掲載	2023年4月6日17:52
2	[2023年07月19日] 参考情報：JVN (JVNVU#95292697) を追加	2023年7月19日15:47
5	[2025年12月15日] 参考情報：JVN (JVNVU#99514792) を追加	2025年12月15日13:55

構成4	以上	以下	より上	未満
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:storagegrid:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:hci:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
cpe:2.3:h:netapp:hci_compute_node:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*