CVE Vulnerabilities

CVE-2021-38487

Insufficient Control of Network Message Volume (Network Amplification)

Published: May 05, 2022 | Modified: May 13, 2022
CVSS 3.x: 9.1 CRITICAL (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVSS 2.x: 6.4 MEDIUM
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

RTI Connext DDS Professional, Connext DDS Secure versions 4.2x to 6.1.0, and Connext DDS Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.

Weakness

The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Connext_dds_micro | Rti | 2.4 (including) | * |
| Connext_dds_professional | Rti | 4.2 (including) | 6.1.0 (excluding) |
| Connext_dds_secure | Rti | 4.2 (including) | 6.1.0 (excluding) |
