Description

CVE-2024-21502

Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.

Amazon Corretto Java (used by Operations Manager) of version < 11.0.26.4.1 is affected by this vulnerability.

Solution

A hotfix is now available for this issue in the current version(s) of the product(s) mentioned. Refer to the Hotfix link under Related Articles to obtain the hotfix needed to resolve the issue.

This vulnerability is addressed in VIOM 8.0.2.550, and is available here. The update incorporates Amazon Corretto Java version: 11.0.26.4.1.