ICSA-21-315-02 · Published 2022-02-01
Multiple Data Distribution Service (DDS) Implementations (Update A)
CVSS 8.6 (HIGH)
Risk Summary
Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure.
CVEs (13)
Remediations
- Eclipse recommends users apply the latest CycloneDDS patches.
- eProsima recommends users apply the latest Fast DDS patches.
- OCI recommends users update to Version 3.18.1 of OpenDDS or later.
- Twin Oaks Computing recommends users apply CoreDX DDS Version 5.9.1 or later, which can be downloaded on the Twin Oaks website (login required).
- RTI recommends users apply the available patches for these issues. A patch is available on the RTI customer portal or by contacting RTI Support. Users can also contact RTI Support for mitigations, including how to use RTI DDS Secure to mitigate the network amplification issue defined by CVE-2021-38487.
Affected Vendors
Eclipse
GurumNetworks
Object Computing, Inc. (OCI)
Real-Time Innovations (RTI)
TwinOaks Computing
eProsima
Affected Products (7)
- Eclipse · Eclipse CycloneDDS: <0.8.0
- eProsima · eProsima Fast DDS: <2.4.0
- GurumNetworks · GurumNetworks GurumDDS: vers:all/*
- Object Computing, Inc. (OCI) · Object Computing Inc. (OCI) OpenDDS: <3.18.1
- Real-Time Innovations (RTI) · RTI Connext DDS Micro: >=3.0.0
- Real-Time Innovations (RTI) · Real-Time Innovations (RTI) Connext DDS Professional and Connext DDS Secure: >=4.2x|<6.1.0
- TwinOaks Computing · TwinOaks Computing CoreDX DDS: <5.9.1
Affected Sectors
Multiple