阿里云漏洞库

漏洞描述

A vulnerability has been found in Axiomatic Bento4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component mp4mux. The manipulation leads to memory leak. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212683.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/axiomatic-systems/Bento4/files/9727057/POC_mp4mux_1729452038.zip
https://github.com/axiomatic-systems/Bento4/issues/792
https://vuldb.com/?id.212683

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	axiosys	bento4	1.6.0-639	-
	运行在以下环境
	系统	alibaba_cloud_linux_2.1903	bind	*		Up to (excluding) 9.11.4-26.P2.5.al7.10
	运行在以下环境
	系统	alma_linux_8	bind	*		Up to (excluding) 9.11.36-3.el8_6.1
	运行在以下环境
	系统	alma_linux_9	bind	*		Up to (excluding) 9.16.23-1.el9_0.1
	运行在以下环境
	系统	amazon_2	bind	*		Up to (excluding) 9.11.4-26.P2.amzn2.13
	运行在以下环境
	系统	amazon_2023	bind	*		Up to (excluding) 9.16.38-1.amzn2023
	运行在以下环境
	系统	anolis_os_7	bind	*		Up to (excluding) 9.11.4-26
	运行在以下环境
	系统	anolis_os_8	bind	*		Up to (excluding) 9.11.36-3
	运行在以下环境
	系统	centos_7	bind	*		Up to (excluding) 9.11.4-26.P2.el7_9.10
	运行在以下环境
	系统	fedora_35	bind	*		Up to (excluding) 9.16.33-1.fc35
	运行在以下环境
	系统	fedora_36	bind	*		Up to (excluding) 9.16.33-1.fc36
	运行在以下环境
	系统	fedora_37	bind	*		Up to (excluding) 9.18.7-1.fc37
	运行在以下环境
	系统	fedora_38	bind	*		Up to (excluding) 9.18.7-1.fc38
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	bind	*		Up to (excluding) 9.11.21-8.p02.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	bind	*		Up to (excluding) 9.11.21-10.p02.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	bind	*		Up to (excluding) 9.11.21-10.p01.a.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP3	bind	*		Up to (excluding) 9.11.21-10.p01.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	bind	*		Up to (excluding) 9.11.21-8.p02.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	bind	*		Up to (excluding) 9.11.21-10.p02.ky10
	运行在以下环境
	系统	opensuse_Leap_15.3	bind	*		Up to (excluding) 9.16.6-150300.22.21.2
	运行在以下环境
	系统	opensuse_Leap_15.4	bind	*		Up to (excluding) 9.16.33-150400.5.11.1
	运行在以下环境
	系统	oracle_7	bind	*		Up to (excluding) 9.11.4-26.P2.el7_9.10
	运行在以下环境
	系统	oracle_8	bind	*		Up to (excluding) 9.11.36-3.el8_6.1
	运行在以下环境
	系统	oracle_9	bind	*		Up to (excluding) 9.16.23-1.el9_0.1
	运行在以下环境
	系统	redhat_7	bind	*		Up to (excluding) 9.11.4-26.P2.el7_9.10
	运行在以下环境
	系统	redhat_8	bind	*		Up to (excluding) 9.11.36-3.el8_6.1
	运行在以下环境
	系统	redhat_9	bind	*		Up to (excluding) 9.16.23-1.el9_0.1
	运行在以下环境
	系统	rocky_linux_8	bind	*		Up to (excluding) 39.11.36-3.el8_6.1
	运行在以下环境
	系统	rocky_linux_9	bind	*		Up to (excluding) 39.16.23-1.el9_0.1
	运行在以下环境
	系统	suse_12_SP5	bind	*		Up to (excluding) 9.11.22-3.43.1

攻击路径

网络
攻击复杂度

低
权限要求

无
影响范围

未更改
用户交互

需要
可用性

高
保密性

无
完整性

无

CWE-ID	漏洞类型
CWE-401	在移除最后引用时对内存的释放不恰当（内存泄露）
CWE-404	不恰当的资源关闭或释放

axiosys bento4 在移除最后引用时对内存的释放不恰当（内存泄露）

漏洞描述

解决建议

参考链接

受影响软件情况