CVE-2022-1210
NixOS vulnerability analysis and mitigation

Overview

A vulnerability was discovered in LibTIFF 4.3.0, specifically affecting the TIFF File Handler of tiff2ps. The issue was disclosed on April 3, 2022, and is tracked as CVE-2022-1210. The vulnerability affects the file conversion functionality when processing TIFF files to PostScript format (NVD, Gitlab Issue).

Technical details

The vulnerability is caused by an incorrect memory size request in the tiff2ps conversion process. When attempting to allocate memory, the system requests an excessive amount (0x2000000000 bytes), leading to an out-of-memory condition. The issue has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

Impact

When exploited, this vulnerability leads to a denial of service condition. The attack can be triggered remotely but requires user interaction, specifically when attempting to convert a maliciously crafted TIFF file to PostScript format (NVD).

Mitigation and workarounds

The vulnerability has been addressed in LibTIFF version 4.4.0. Users are advised to upgrade to this version or later. For Gentoo users, the fix is available through package update to media-libs/tiff-4.4.0 or later versions (Gentoo Advisory).

Community reactions

Various organizations have responded to this vulnerability. NetApp has issued an advisory (NTAP-20220513-0005) for their affected products, specifically the ONTAP Select Deploy administration utility (NetApp Advisory).

Additional resources


SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management