Bloomberg Comdb2 Null Pointer Dereference Vulnerability in Distributed Transaction Component Allowing Denial-of-Service
Vulnerability
A null pointer dereference vulnerability has been identified in Bloomberg Comdb2 version 8.1, specifically within the Distributed Transaction component. The vulnerability arises when the application processes certain coordination fields. An attacker can exploit this issue by sending a specially crafted protocol buffer message over TCP, which leads to a denial-of-service condition by causing the application to crash.
Impact
Exploitation of this vulnerability causes a segmentation fault that crashes the Comdb2 database process. This is confirmed by a memory access violation error in which the application attempts to read from a null pointer, the typical signature of a null pointer dereference.
Reproduction
The vulnerability can be reproduced by sending a crafted protocol buffer message that omits the optional 'name' field in the 'disttxn' message, while including a valid 'txnid' and other required fields. This can be done by connecting to the Comdb2 database instance over TCP, either directly or through the 'pmux' port multiplexer service, which can be queried to find the correct database port.
Remediation
Users are advised to update to the patched version of Bloomberg Comdb2, which is available through the Bloomberg software distribution channels.
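The failure mode described above, an optional 'name' field omitted from a 'disttxn' message, and the validation that prevents it are shown below as an added example. It is not Comdb2 source code: the struct, function names and length limit are hypothetical, and it assumes a C protobuf binding that represents an absent optional string as a NULL pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a generated message struct: an optional
 * string that is absent on the wire is left as a NULL pointer. */
typedef struct {
    char *name;   /* optional: NULL when the sender omitted it */
    char *txnid;  /* present in the message described above */
} DisttxnMsg;

enum { DISTTXN_OK = 0, DISTTXN_ERR_MISSING = -1, DISTTXN_ERR_TOO_LONG = -2 };
#define MAX_FIELD_LEN 64  /* assumed limit for this example */

/* Unsafe pattern: trusts that the optional field was sent.
 * strlen(NULL) is undefined behaviour and typically faults. */
size_t name_len_unsafe(const DisttxnMsg *m) {
    return strlen(m->name);
}

/* Checks one string field: must be present, non-empty and bounded. */
static int check_field(const char *s) {
    size_t i;
    if (s == NULL || s[0] == '\0')
        return DISTTXN_ERR_MISSING;
    for (i = 0; i <= MAX_FIELD_LEN; i++)
        if (s[i] == '\0')
            return DISTTXN_OK;
    return DISTTXN_ERR_TOO_LONG;
}

/* Hardened pattern: validate every pointer field once, right after
 * unpacking, and reject the request before any handler touches it. */
int validate_disttxn(const DisttxnMsg *m) {
    int rc;
    if (m == NULL)
        return DISTTXN_ERR_MISSING;
    if ((rc = check_field(m->name)) != DISTTXN_OK)
        return rc;
    return check_field(m->txnid);
}

int main(void) {
    DisttxnMsg missing = { NULL, "txn-0001" };  /* constructed sample */
    printf("validate -> %d\n", validate_disttxn(&missing));
    return 0;
}
```

Rejecting the message at the decode boundary turns the malformed request into an error reply for one client instead of a crash of the whole database process.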
