CVE-2022-36025: Besu is a Java-based Ethereum client subject to an Incorrect Conversion between Numeric Types.

In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an incorrect conversion between numeric types. Narrowing a value from a wider numeric type to a narrower one can produce a negative number where the EVM expects an unsigned operand. Depending on the code path, that negative value is then handled as though it were zero, or as though it were a valid positive number, so the contract is executed on an operand it never supplied and its calculations return incorrect results. This issue is patched in version 22.7.1. As a workaround, reverting to version 22.1.3 or earlier will prevent incorrect execution.

A related problem is described as undefined behaviour in a numeric calculation. It may be triggered by contracts that take a contract address in their constructor, because conversion between addresses and numbers can evaluate to unexpected results. It is fixed in the same release, 22.7.1, and the same workaround (reverting to 22.1.3 or earlier) applies.

Summary

Besu is an open-source Ethereum execution client written in Java and maintained under the Hyperledger project. It runs on the public Ethereum network as well as on permissioned enterprise networks, where its auditability and transparent execution of smart contracts are the main reasons businesses adopt it.

In versions newer than 22.1.3 and prior to 22.7.1, Besu is vulnerable to an incorrect conversion between numeric types. Converting between numeric types can yield negative numbers that are passed on to the contract; because they are then handled as zero or as positive values, the contract's calculations produce incorrect results. This issue is patched in version 22.7.1.

Overview of CVE-2022-36025

The defect is a numeric type conversion that can turn a large unsigned operand into a negative number, which downstream code then treats as zero or as a valid positive value; a second, related issue involves conversion between addresses and numbers in contracts that take a contract address in their constructor. Both are patched in version 22.7.1, and reverting to version 22.1.3 or earlier is the documented workaround.

For an execution client, incorrect execution is not merely a local bug: a node that evaluates a transaction differently from the rest of the network computes a different post-state and can fall out of consensus on the affected block. Operators should therefore verify that every Besu node reports a version of 22.7.1 or later (or 22.1.3 or earlier), rather than relying on the absence of observed failures.
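The conversion error described above, shown as an added example in plain Java. This is not Besu's code and does not reproduce the exact code path fixed in 22.7.1; the class and method names are hypothetical. An EVM word is a 256-bit unsigned value, and narrowing it to a 32-bit `int` with `BigInteger.intValue()` keeps only the low 32 bits and reinterprets them as signed, so any value with bit 31 set comes out negative. A downstream clamp then silently turns that negative into zero, which is the failure mode the advisory describes. The checked variant rejects negatives and saturates values that do not fit instead of wrapping.

```java
import java.math.BigInteger;

/**
 * Illustrative example (not Besu code): how narrowing a 256-bit unsigned EVM
 * word to a Java int produces negative values, and how to convert safely.
 */
public class NumericConversionExample {

    // 2^256 - 1, the largest value an EVM word can hold
    static final BigInteger MAX_WORD =
            BigInteger.ONE.shiftLeft(256).subtract(BigInteger.ONE);

    /**
     * Unchecked narrowing: BigInteger.intValue() keeps the low 32 bits and
     * reinterprets them as a signed int. 2^31 becomes Integer.MIN_VALUE and
     * 2^32 - 1 becomes -1; the high bits are silently discarded.
     */
    static int narrowUnchecked(BigInteger word) {
        return word.intValue();
    }

    /**
     * Downstream code that clamps negatives to zero: a huge operand that
     * wrapped negative is now treated as 0, which is exactly the wrong answer.
     */
    static int clampToZero(int value) {
        return Math.max(0, value);
    }

    /**
     * Checked conversion: EVM words are unsigned, so a negative input is a bug
     * in the caller and is rejected. Values that do not fit in a non-negative
     * int saturate at Integer.MAX_VALUE rather than wrapping.
     */
    static int narrowChecked(BigInteger word) {
        if (word.signum() < 0) {
            throw new IllegalArgumentException("EVM words are unsigned: " + word);
        }
        if (word.bitLength() > 31) {
            return Integer.MAX_VALUE;
        }
        return word.intValueExact();
    }

    public static void main(String[] args) {
        // Constructed sample operands straddling the 32-bit sign boundary
        BigInteger[] samples = {
            BigInteger.valueOf(1_000L),
            BigInteger.valueOf(Integer.MAX_VALUE),     // 2^31 - 1, still fits
            BigInteger.valueOf(2_147_483_648L),        // 2^31, first value that flips the sign bit
            BigInteger.valueOf(4_294_967_295L),        // 2^32 - 1, narrows to -1
            MAX_WORD,                                   // low 32 bits all set, narrows to -1
        };
        for (BigInteger w : samples) {
            int raw = narrowUnchecked(w);
            int clamped = clampToZero(raw);
            int safe = narrowChecked(w);
            System.out.printf("word=%s%n  unchecked=%d  clampedToZero=%d  checked=%d%n",
                    w, raw, clamped, safe);
        }
    }
}
```

Running the class prints each sample three ways: the unchecked narrowing goes negative from 2^31 upward, the clamp turns those negatives into 0 so a large operand is computed as nothing, and the checked conversion saturates instead, making the out-of-range case visible rather than silently wrong. In a real client the right fix is usually to keep the wider type end to end; saturation is shown here only to make the boundary explicit.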

Timeline

Published on: 09/24/2022 02:15:00 UTC
Last modified on: 09/28/2022 14:41:00 UTC
