CVE-2021-44502

7.5 HIGH

📋 TL;DR

This vulnerability in FIS GT.M/YottaDB lets an attacker control the size argument of a memset call through crafted input to util_format in sr_unix/util_output.c. This can lead to memory corruption and potential arbitrary code execution. Systems running affected versions of FIS GT.M or YottaDB are vulnerable.

💻 Affected Systems

Products:
  • FIS GT.M
  • YottaDB
Versions: All versions through V7.0-000
Operating Systems: All supported platforms (Linux, UNIX variants)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the util_format function in sr_unix/util_output.c; any application using this function with untrusted input is vulnerable

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption

🟠 Likely Case: Denial of service through application crashes or memory corruption

🟢 If Mitigated: Limited impact if proper input validation and memory protections are in place

🌐 Internet-Facing: MEDIUM - Requires specific crafted input but could be exploited remotely if service is exposed
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this vulnerability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific input to control memset size parameter; no public exploit code has been disclosed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V7.0-002 and later

Vendor Advisory: http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html

Restart Required: Yes

Instructions:

1. Download V7.0-002 or later from official sources.
2. Backup current installation and data.
3. Install the updated version following vendor documentation.
4. Restart all GT.M/YottaDB processes and applications.

🔧 Temporary Workarounds

Input Validation Wrapper

all

Implement strict input validation for all calls to util_format functions

# Review application code for util_format calls
# Add bounds checking and input sanitization before util_format calls

🧯 If You Can't Patch

  • Implement network segmentation to isolate GT.M/YottaDB systems from untrusted networks
  • Deploy application-level firewalls or WAFs to filter malicious input patterns

🔍 How to Verify

Check if Vulnerable:

Check GT.M version with: $gtm_dist/mumps -version | grep 'GT.M'

Check Version:

$gtm_dist/mumps -version

Verify Fix Applied:

Verify version is V7.0-002 or later: $gtm_dist/mumps -version
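
The version check above can be scripted for use across many hosts. The following is an added example, not code from this page or from the vendor: it applies the page's "V7.0-002 or later" criterion to a version string. The function names are hypothetical, the sample strings are constructed, and only GT.M-style tokens of the form V<major>.<minor>-<patch> are recognised.

```shell
#!/bin/sh
# Added example (not vendor code): check a GT.M version string against the
# fixed release named on this page. Function names are hypothetical.
FIXED_VERSION="V7.0-002"

# Pull the first V<major>.<minor>-<patch>[letter] token out of free text,
# e.g. the output of `$gtm_dist/mumps -version`.
gtm_extract_version() {
    printf '%s\n' "$1" | grep -Eo 'V[0-9]+\.[0-9]+-[0-9]+[A-Z]?' | head -n 1
}

# Map a version token to one integer so releases compare numerically.
# Leading zeros are stripped from the patch field to avoid octal parsing.
# Assumes minor and patch numbers stay below 1000.
gtm_version_key() {
    set -- $(printf '%s\n' "$1" |
        sed -E 's/^V([0-9]+)\.([0-9]+)-0*([0-9]+)[A-Z]?$/\1 \2 \3/')
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Print "fixed", "not-fixed", or "unknown" (no version token found).
gtm_fix_status() {
    ver=$(gtm_extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif [ "$(gtm_version_key "$ver")" -ge "$(gtm_version_key "$FIXED_VERSION")" ]; then
        echo "fixed"
    else
        echo "not-fixed"
    fi
}

# Constructed sample strings, not captured from a real installation.
for sample in "GT.M V6.3-014 Linux x86_64" "GT.M V7.0-000 Linux x86_64" \
              "GT.M V7.0-002 Linux x86_64" "no version reported"; do
    printf '%-30s -> %s\n' "$sample" "$(gtm_fix_status "$sample")"
done
```

On a live host, pass the command output as the argument: gtm_fix_status "$($gtm_dist/mumps -version)". Treat an "unknown" result as needing manual review rather than as a pass.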

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory corruption errors
  • Unusual process termination in GT.M/YottaDB logs
  • Segmentation faults in system logs

Network Indicators:

  • Unusual network traffic patterns to GT.M/YottaDB ports
  • Multiple connection attempts with malformed data

SIEM Query:

source="gtm.log" AND ("segmentation fault" OR "memory corruption" OR "util_format")
