SSA-663999
PUBLISHED
CVSS 7.800000190734863 HIGH
Siemens has released version V13.1.0.1 for JT2Go and Teamcenter Visualization to fix multiple vulnerabilities that could be triggered when the products read files in different file formats (BMP, TIFF, CGM, TGA, PCT, HPG, PLT, RAS, PAR, ASM, DXF, DWG). If a user is tricked to opening of a malicious file with the affected products, this could lead to application crash, or potentially arbitrary code execution or data extraction on the target host system.
Siemens recommends to update to the latest versions and to limit opening of untrusted files from unknown sources in the affected products.
Notes:
- Previous versions of this advisory incorrectly listed the following vulnerabilities as being fixed in V13.1.0.1: CVE-2020-26991, CVE-2020-26998, CVE-2020-26999, CVE-2020-27001 and CVE-2020-27002. Those were fixed in V13.1.0.2 and are therefore addressed in advisory SSA-695540 [0]
- The vulnerability CVE-2020-28383 was incorrectly listed in SSA-622830 [1] as being fixed in V13.1.0.0. This was fixed in V13.1.0.1 and therefore added here
- The Open Design Alliance [2] recently disclosed an additional vulnerability (CVE-2021-31784) which is also covered in this advisory
[0] https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf
[1] https://cert-portal.siemens.com/productcert/pdf/ssa-695540.pdf
[2] https://www.opendesign.com/security-advisories
