Several new HDF5 CVE issues have been filed in MITRE and these should be released to the public sometime in the next few weeks. These CVE issues are similar to previous HDF5 CVEs in that they were discovered through fuzzing HDF5 files and involve segfaults or other problems when parsing malformed HDF5 files. These are typically rated as “medium” security by MITRE. They are all fixed in HDF5 1.14.4 (released April 15, 2024) and no MITRE CVE issues are unaddressed.
The MITRE CVE numbers are:
CVE-2024-29157
CVE-2024-29158
CVE-2024-29159
CVE-2024-29160
CVE-2024-29161
CVE-2024-29162
CVE-2024-29163
CVE-2024-29164
CVE-2024-29165
CVE-2024-29166
CVE-2024-32605
CVE-2024-32606
CVE-2024-32607
CVE-2024-32608
CVE-2024-32609
CVE-2024-32610
CVE-2024-32611
CVE-2024-32612
CVE-2024-32613
CVE-2024-32614
CVE-2024-32615
CVE-2024-32616
CVE-2024-32617
CVE-2024-32618
CVE-2024-32619
CVE-2024-32620
CVE-2024-32621
CVE-2024-32622
CVE-2024-32623
CVE-2024-32624
CVE-2024-33873
CVE-2024-33874
CVE-2024-33875
CVE-2024-33876
CVE-2024-33877
More information about the issues can be found in:
- The HDF5 1.14.4 release notes
- The HDF5 CVE test repository’s list of CVE issues:
- The MITRE website (though the new CVEs are not active yet):
These files have been added to the HDF5 CVE test repo, which includes a test script that is run on every HDF5 pull request. The HDF5 developers will continue to fuzz test HDF5 in order to locate and fix further file parsing issues.
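As an added illustration (not The HDF Group's test script and not part of the original post), here is a minimal Python harness in the spirit of the regression check described above: it runs a parser over every file in a directory of fuzz-found inputs and separates clean rejections from crashes and hangs. The use of `h5dump` as the parser and all function names are assumptions.

```python
"""Crash triage for a corpus of malformed HDF5 files (added example)."""
import signal
import subprocess
import sys
from pathlib import Path

# Assumption: h5dump from the HDF5 build under test is on PATH. Any tool that
# parses the file works; pass a different command list to exercise other tools.
DEFAULT_CMD = ["h5dump"]

def classify(path, cmd=DEFAULT_CMD, timeout=30):
    """Return 'ok', 'rejected', 'hang' or 'crash:<SIGNAL>' for one file."""
    try:
        proc = subprocess.run([*cmd, str(path)], stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"  # parser loops or stalls on this input
    rc = proc.returncode
    if rc < 0:  # POSIX: child was killed by signal -rc (SIGSEGV, SIGABRT, ...)
        try:
            return "crash:" + signal.Signals(-rc).name
        except ValueError:
            return f"crash:signal{-rc}"
    # A non-zero exit is the desired outcome for a malformed file: the library
    # detected the corruption and returned an error instead of faulting.
    return "ok" if rc == 0 else "rejected"

def run_corpus(directory, cmd=DEFAULT_CMD, timeout=30):
    """Classify every regular file in directory; returns {name: verdict}."""
    files = sorted(p for p in Path(directory).iterdir() if p.is_file())
    return {p.name: classify(p, cmd, timeout) for p in files}

def failures(results):
    """Names whose verdict is a crash or a hang, i.e. regressions."""
    return sorted(n for n, v in results.items()
                  if v == "hang" or v.startswith("crash:"))

if __name__ == "__main__":
    results = run_corpus(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, verdict in results.items():
        print(f"{verdict:16} {name}")
    sys.exit(1 if failures(results) else 0)
```

A build instrumented with AddressSanitizer reports errors through a non-zero exit code by default, which this harness would count as "rejected"; setting `ASAN_OPTIONS=abort_on_error=1` turns those reports into a SIGABRT that is classified as a crash.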
Will this some day appear on Maven Central? The last version there is still 1.14.3-1.5.10.
Hi Tilman,
We do not upload to Maven Central ourselves. We assume it will be added there; there’s no reason for it not to be. Feel free to email help -at- hdfgroup.org for further questions or clarification.