CVE-2022-39154: 
Siemens Simcenter Femap vulnerability analysis and mitigation

CVE-2022-39154 is a vulnerability discovered in Siemens Simcenter Femap and Parasolid software, disclosed on September 1, 2022. The vulnerability affects multiple versions of Parasolid (V33.1, V34.0, V34.1, V35.0) and Simcenter Femap (V2022.1, V2022.2). It involves an out-of-bounds write past the end of an allocated buffer while parsing specially crafted X_T files (CISA, CVE).

The vulnerability is classified as an out-of-bounds write (CWE-787) issue that occurs during the parsing of specially crafted X_T files. It has been assigned a CVSS v3 base score of 7.8, with the vector string (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability requires local access and user interaction to be exploited (ZDI, CISA).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process, potentially leading to full system compromise. The high CVSS score reflects the severe potential impact on confidentiality, integrity, and availability of the affected system (CISA).

Siemens has released patches for affected versions and recommends users update to the following versions: Parasolid V33.1.263 or later, V34.0.252 or later, V34.1.242 or later, V35.0.164 or later, and Simcenter Femap V2022.1.3 or later, V2022.2.2 or later. Additionally, users are advised not to open untrusted X_T files in Simcenter Femap or Parasolid (CISA).