BlackBerry has issued a public advisory identifying an integer overflow issue with multiple Real Time Operating Systems (“RTOS”) from multiple vendors, including older versions of the QNX RTOS.
BlackBerry says it is aware of this matter and can confirm that it does not impact current or recent versions of the QNX RTOS, but rather versions dating from 2012 and earlier.
The advisory addresses an integer overflow vulnerability in the calloc() function of the C runtime library in affected versions of the BlackBerry QNX Software Development Platform (SDP)version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety1.0.1 earlier that could potentially allow a successful attacker to perform a denial of service or execute arbitrary code.
BlackBerry says it is not aware of any exploitation of this vulnerability.
The company said in a statement:
BlackBerry is aware of this matter and can confirm that it does not impact current or recent versions of the QNX RTOS, but rather versions dating from 2012 and earlier.
All potentially affected customers have been notified. BlackBerry has made software patches available to resolve the matter. Additionally, BlackBerry is providing 24/7 support to customers as required. At this time no customers have indicated that they have been impacted.
Keeping our software secure is imperative to BlackBerry and the company takes its critical role in other companies embedded software supply chains with the utmost seriousness.
BlackBerry is assisting relevant Government agencies and other industry groups.
