CVE-2022-21685

描述

### Impact A bug in Frontier's MODEXP precompile implementation can cause an integer underflow in certain conditions. This will cause a node crash for debug builds. For release builds (and production WebAssembly binaries), the impact is limited as it can only cause a normal EVM out-of-gas. It is recommended that you apply the patch as soon as possible. If you do not use MODEXP precompile in your runtime, then you are not impacted. ### Patches Patches are applied in PR #549. ### Workarounds None. ### References Patch PR: #549 ### Credits Thanks to SR-Labs for discovering the security vulnerability, and thanks to PureStake team for the patches. ### For more information If you have any questions or comments about this advisory: * Open an issue in the [Frontier repo](https://github.com/paritytech/frontier)

如何修補 CVE-2022-21685

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2022-21685 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 1.0.0

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-21685
• PATCHgithub.com/paritytech/frontier
• WEBgithub.com/paritytech/frontier/commit/8a93fdc6c9f4eb1d2f2a11b7ff1d12d70bf5a664
• WEBgithub.com/paritytech/frontier/pull/549