Headline
CVE-2023-22291: Multiple vulnerabilities in JustSystems products
An invalid free vulnerability exists in the Frame stream parser functionality of Ichitaro 2022 1.0.1.57600. A specially crafted document can lead to an attempt to free a stack pointer, which causes memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
Published: 2023/04/04 Last Updated: 2023/04/04
Overview
Multiple products provided by JustSystems Corporation contain multiple vulnerabilities.
Products Affected
- Ichitaro series
- Hanako series
- Rakuraku Hagaki series
- Label Mighty series
- JUST Office series
- JUST Government series
- JUST Police series
- Homepage Builder 21
A wide range of products is affected. For the details, refer to the information provided by the developer.
Description
Multiple products provided by JustSystems Corporation contain multiple vulnerabilities listed below.
Use After Free (CWE-416) - CVE-2022-43664
CVSS v3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
CVSS v2
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Heap-based Buffer Overflow (CWE-122) - CVE-2022-45115
CVSS v3
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.8
CVSS v2
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Free of Memory not on the Heap (CWE-590) - CVE-2023-22291
CVSS v3
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.0
CVSS v2
AV:N/AC:H/Au:N/C:P/I:P/A:P
Base Score: 5.1
Heap-based Buffer Overflow (CWE-122) - CVE-2023-22660
CVSS v3
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 7.0
CVSS v2
AV:N/AC:H/Au:N/C:P/I:P/A:P
Base Score: 5.1
Impact
Processing a specially crafted file may cause a buffer overflow and/or denial-of-service (DoS) condition.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
For more information, refer to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Cisco Talos Security Intelligence & Research Group reported these vulnerabilities to JustSystems Corporation and coordinated. JustSystems Corporation and JPCERT/CC published respective advisories in order to notify users of the solutions through JVN.
Other Information
Related news
A use-after-free vulnerability exists within the way Ichitaro Word Processor 2022, version 1.0.1.57600, processes protected documents. A specially crafted document can trigger reuse of freed memory, which can lead to further memory corruption and potentially result in arbitrary code execution. An attacker can provide a malicious document to trigger this vulnerability.
A heap-based buffer overflow vulnerability exists in the way Ichitaro version 2022 1.0.1.57600 processes certain LayoutBox stream record types. A specially crafted document can cause a buffer overflow, leading to memory corruption, which can result in arbitrary code execution. To trigger this vulnerability, the victim would need to open a malicious, attacker-created document.
A buffer overflow vulnerability exists in the Attribute Arena functionality of Ichitaro 2022 1.0.1.57600. A specially crafted document can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
Ichitaro uses the ATOK input method (IME) and uses the proprietary .jtd file extension. It’s the second most-popular word processing system in Japan behind only Microsoft Word.