NVD Vulnerability Detail

CVE-2014-8095

Summary	The XInput extension in X.Org X Window System (aka X11 or X) X11R4 and X.Org Server (aka xserver and xorg-server) before 1.16.3 allows remote authenticated users to cause a denial of service (out-of-bounds read or write) or possibly execute arbitrary code via a crafted length or index value to the (1) SProcXChangeDeviceControl, (2) ProcXChangeDeviceControl, (3) ProcXChangeFeedbackControl, (4) ProcXSendExtensionEvent, (5) SProcXIAllowEvents, (6) SProcXIChangeCursor, (7) ProcXIChangeHierarchy, (8) SProcXIGetClientPointer, (9) SProcXIGrabDevice, (10) SProcXIUngrabDevice, (11) ProcXIUngrabDevice, (12) SProcXIPassiveGrabDevice, (13) ProcXIPassiveGrabDevice, (14) SProcXIPassiveUngrabDevice, (15) ProcXIPassiveUngrabDevice, (16) SProcXListDeviceProperties, (17) SProcXDeleteDeviceProperty, (18) SProcXIListProperties, (19) SProcXIDeleteProperty, (20) SProcXIGetProperty, (21) SProcXIQueryDevice, (22) SProcXIQueryPointer, (23) SProcXISelectEvents, (24) SProcXISetClientPointer, (25) SProcXISetFocus, (26) SProcXIGetFocus, or (27) SProcXIWarpPointer function.
Publication Date	Dec. 11, 2014, 12:59 a.m.
Registration Date	Jan. 26, 2021, 3:19 p.m.
Last Update	Nov. 21, 2024, 11:18 a.m.

CVSS2.0 : MEDIUM
Score	6.5
Vector	AV:N/AC:L/Au:S/C:P/I:P/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	単一
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:7.0:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:x.org:x11:4.0:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:x.org:xorg-server::::::::			1.16.2.99.901

Related information, measures and tools

No	URL	タグ
1	http://advisories.mageia.org/MGASA-2014-0532.html
2	http://advisories.mageia.org/MGASA-2014-0532.html
3	http://secunia.com/advisories/61947
4	http://secunia.com/advisories/61947
5	http://secunia.com/advisories/62292
6	http://secunia.com/advisories/62292
7	http://www.debian.org/security/2014/dsa-3095
8	http://www.debian.org/security/2014/dsa-3095
9	http://www.mandriva.com/security/advisories?name=MDVSA-2015:119
10	http://www.mandriva.com/security/advisories?name=MDVSA-2015:119
11	http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
12	http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
13	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
14	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
15	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
16	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
17	http://www.securityfocus.com/bid/71599
18	http://www.securityfocus.com/bid/71599
19	http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/	Patch Vendor Advisory
20	http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/	Patch Vendor Advisory
21	https://security.gentoo.org/glsa/201504-06
22	https://security.gentoo.org/glsa/201504-06

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

JVN Vulnerability Information

X.Org X Window System および X.Org Server の XInput エクステンションにおけるサービス運用妨害 (DoS) の脆弱性

Title	X.Org X Window System および X.Org Server の XInput エクステンションにおけるサービス運用妨害 (DoS) の脆弱性
Summary	X.Org X Window System (別名 X11 または X) および X.Org Server (別名 xserver および xorg-server) の XInput エクステンションには、サービス運用妨害 (out-of-bounds read または out-of-bounds write) 状態にされる脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、以下の関数に対する巧妙に細工された length 値または index 値を介して、サービス運用妨害 (out-of-bounds read または out-of-bounds write) 状態にされる、または任意のコードを実行される可能性があります。 (1) SProcXChangeDeviceControl (2) ProcXChangeDeviceControl (3) ProcXChangeFeedbackControl (4) ProcXSendExtensionEvent (5) SProcXIAllowEvents (6) SProcXIChangeCursor (7) ProcXIChangeHierarchy (8) SProcXIGetClientPointer (9) SProcXIGrabDevice (10) SProcXIUngrabDevice (11) ProcXIUngrabDevice (12) SProcXIPassiveGrabDevice (13) ProcXIPassiveGrabDevice (14) SProcXIPassiveUngrabDevice (15) ProcXIPassiveUngrabDevice (16) SProcXListDeviceProperties (17) SProcXDeleteDeviceProperty (18) SProcXIListProperties (19) SProcXIDeleteProperty (20) SProcXIGetProperty (21) SProcXIQueryDevice (22) SProcXIQueryPointer (23) SProcXISelectEvents (24) SProcXISetClientPointer (25) SProcXISetFocus (26) SProcXIGetFocus (27) SProcXIWarpPointer
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 9, 2014, midnight
Registration Date	Dec. 15, 2014, 6:54 p.m.
Last Update	Nov. 6, 2015, 3:19 p.m.

Affected System

オラクル

Oracle Virtualization の Oracle Secure Global Desktop 4.63

Oracle Virtualization の Oracle Secure Global Desktop 4.71

Oracle Virtualization の Oracle Secure Global Desktop 5.1

Oracle Virtualization の Oracle Secure Global Desktop 5.2

X.Org Foundation

X Window System X11R4

X.Org Server 1.16.3 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-8095	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
National Vulnerability Database (NVD)
2	CVE-2014-8095	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8095

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Oracle Critical Patch Update
1	Oracle Critical Patch Update Advisory - July 2015	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
2	Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html
Oracle Technology Network
3	Oracle Solaris Third Party Bulletin - October 2015	http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
SECURITY BLOG
4	July 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2015_critical_patch_update
X.Org Security Advisory
5	Advisory-2014-12-09	http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/

その他

No	Name	URL
関連文書
1	MGASA-2014-0532	http://advisories.mageia.org/MGASA-2014-0532.html

Change Log

No	Changed Details	Date of change
0	[2014年12月15日] 掲載 [2015年06月04日] 参考情報：関連文書 (MGASA-2014-0532) を追加 [2015年07月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices) を追加ベンダ情報：オラクル (July 2015 Critical Patch Update Released) を追加 [2015年11月06日] ベンダ情報：オラクル (Oracle Solaris Third Party Bulletin - October 2015) を追加	Feb. 17, 2018, 10:37 a.m.