Do you know the design weaknesses of Eclipse Cyclone DDS? 23-08-2021

Preface: DDS is used in the following industries.

DDS is used to share Flight data within and across Air Traffic control centers.
DDS is used in Smart Factories to provide horizontal and vertical data integration across the traditional SCADA layers.
DDS is used to control the 100,000 mirrors that make up the ELT’s optics.

Technical background: DDS applications cooperate by autonomously and asynchronously reading and writing data in a Data Space that provides spatial and temporal decoupling. Eclipse Cyclone DDS is an implementation of the OMG Data Distribution Service (DDS) specification. It offers data-sharing capabilities that the existing Eclipse solutions (e.g. for messaging) do not provide. You can use the code from the project's repositories to experiment, test, build, create patches, issue pull requests, etc.

Example: cyclonedds-python – Project repository hosted on GitHub.

https://github.com/eclipse-cyclonedds/cyclonedds-python

Vulnerability details:

CVE-2020-18735 – A heap buffer overflow in src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/501

CVE-2020-18734 – A stack buffer overflow in ddsi/q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. – https://github.com/eclipse-cyclonedds/cyclonedds/issues/476
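Both issues are in subscriber-side deserialization of wire data. As an added illustration, not code from Cyclone DDS or from this post, the following C reader shows the check such a stream parser needs before copying a length-prefixed CDR sequence: the declared length must be validated against both the remaining input and the destination buffer. The cursor struct, function names and the two wire samples are constructed for the example.

```c
/* Added example, not Cyclone DDS code: a bounds-checked reader for a CDR
 * sequence<octet>; the peer-supplied length prefix is validated before any copy. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical minimal CDR cursor: buffer, bytes received, read offset. */
typedef struct { const uint8_t *buf; size_t len, pos; } cdr_reader;

/* Read a little-endian CDR uint32 (alignment padding omitted here). */
static bool cdr_read_u32(cdr_reader *r, uint32_t *out)
{
    if (r->len - r->pos < 4)
        return false;                 /* truncated header: reject sample */
    const uint8_t *p = r->buf + r->pos;
    *out = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    r->pos += 4;
    return true;
}

/* Copy a sequence<octet> into dst; returns bytes copied, or -1 if malformed.
 * The length check is what an unchecked parser lacks: the declared count
 * must fit both the remaining input and the destination buffer. */
long cdr_read_octet_seq(cdr_reader *r, uint8_t *dst, size_t dst_cap)
{
    uint32_t n;
    if (!cdr_read_u32(r, &n) || n > r->len - r->pos || n > dst_cap)
        return -1;
    memcpy(dst, r->buf + r->pos, n);
    r->pos += n;
    return (long)n;
}
long parse_sample(const uint8_t *wire, size_t wire_len) /* into 8-byte buffer */
{
    uint8_t out[8];
    cdr_reader r = { wire, wire_len, 0 };
    return cdr_read_octet_seq(&r, out, sizeof out);
}
long demo_well_formed(void)      /* constructed: length 3, 3 payload bytes -> 3 */
{
    static const uint8_t wire[] = { 3, 0, 0, 0, 'a', 'b', 'c' };
    return parse_sample(wire, sizeof wire);
}
long demo_oversized_length(void) /* constructed: declares 0x7fffffff, carries 3 -> -1 */
{
    static const uint8_t wire[] = { 0xff, 0xff, 0xff, 0x7f, 'a', 'b', 'c' };
    return parse_sample(wire, sizeof wire);
}
```

The second sample is rejected before `memcpy` runs, so a malformed length never reaches the copy that would otherwise read or write past the buffer.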
