-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5658
          Session Smart Router: Multiple vulnerabilities resolved
                              8 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Session Smart Router
Publisher:         Juniper Networks
Operating System:  Juniper
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25315 CVE-2022-25236 CVE-2022-25235
                   CVE-2022-24903 CVE-2022-24407 CVE-2022-1271
                   CVE-2022-0847 CVE-2022-0778 CVE-2021-45417
                   CVE-2021-43527 CVE-2021-42574 CVE-2021-41617
                   CVE-2021-37750 CVE-2021-37576 CVE-2021-35603
                   CVE-2021-35588 CVE-2021-35586 CVE-2021-35578
                   CVE-2021-35567 CVE-2021-35565 CVE-2021-35564
                   CVE-2021-35561 CVE-2021-35559 CVE-2021-35556
                   CVE-2021-35550 CVE-2021-32399 CVE-2021-29650
                   CVE-2021-29154 CVE-2021-27365 CVE-2021-27364
                   CVE-2021-27363 CVE-2021-22555 CVE-2021-22543
                   CVE-2021-20271 CVE-2021-20265 CVE-2021-4034
                   CVE-2021-3715 CVE-2021-3656 CVE-2021-3653
                   CVE-2021-3347 CVE-2021-0543 CVE-2020-29661
                   CVE-2020-28374 CVE-2020-27777 CVE-2020-27170
                   CVE-2020-25717 CVE-2020-25710 CVE-2020-25709
                   CVE-2020-25705 CVE-2020-25656 CVE-2020-25645
                   CVE-2020-25643 CVE-2020-25212 CVE-2020-25211
                   CVE-2020-24394 CVE-2020-14385 CVE-2020-14351
                   CVE-2020-14314 CVE-2020-12364 CVE-2020-12363
                   CVE-2020-12362 CVE-2020-10769 CVE-2020-8648
                   CVE-2020-7053 CVE-2020-0427 CVE-2019-20934
                   CVE-2019-20811 CVE-2019-19532 CVE-2019-18282
                   CVE-2019-12735 CVE-2018-25032 CVE-2018-20534
                   CVE-2018-20533 CVE-2018-20532 CVE-2018-10689
                   CVE-2016-4658 CVE-2016-2124 CVE-2015-9262
                   CVE-2008-5161  

Original Bulletin: 
   https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Session-Smart-Router-Multiple-vulnerabilities-resolved

Comment: CVSS (Max):  9.8 CVE-2022-25315 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA69889

Product Affected: These issues affect Session Smart Router all versions prior 
to 5.4.7, and 5.5 versions prior to 5.5.3.

Severity Level:   Critical

CVSS Score:       9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem:

Multiple vulnerabilities have been resolved in Juniper Networks Session Smart 
Router by updating third party software included with Session Smart Router or 
by fixing vulnerabilities found during external security research.

These issues affect:

Juniper Networks Session Smart Router:

    All versions prior to 5.4.7;
    5.5 versions prior to 5.5.3.
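The two affected ranges above have an edge worth encoding rather than eyeballing: 5.4.7 and 5.5.3 are the fixed releases, so a 5.4.x build is affected only below 5.4.7, while a 5.5.x build is affected only below 5.5.3. The following Python is an added example, not Juniper or AusCERT tooling; it applies the stated ranges to a device inventory. The inventory, hostnames and the handling of a `-suffix` on a version string are assumptions made for the example.

```python
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.4.6' -> (5, 4, 6). A trailing build suffix such as '5.5.2-12' is
    dropped (assumption: the suffix never changes the affected decision)."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """Affected ranges as stated in the advisory:
    all versions prior to 5.4.7; 5.5 versions prior to 5.5.3."""
    v = parse_version(version)
    if v < (5, 4, 7):
        # Covers every release before 5.4.7, on 5.4 and on older branches.
        return True
    if v[:2] == (5, 5):
        return v < (5, 5, 3)
    # 5.4.7 and later 5.4 builds, and branches newer than 5.5, fall outside
    # the ranges the advisory states.
    return False


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose Session Smart Router version is
    inside an affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported software version.
    sample = {
        "ssr-edge-01": "5.4.6",
        "ssr-edge-02": "5.4.7",
        "ssr-core-01": "5.5.2-12",
        "ssr-core-02": "5.5.3",
        "ssr-lab-01": "4.5.11",
    }
    print("needs upgrade:", triage(sample))
```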

Juniper SIRT is not aware of any malicious exploitation of these 
vulnerabilities.

These issues were seen during production usage.

Important security issues resolved include:

CVE		CVSS	Summary

CVE-2008-5161	2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)	Error handling in the 
SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 
4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and 
ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server 
for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 
4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other 
versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) 
mode, makes it easier for remote attackers to recover certain plaintext data 
from an arbitrary block of ciphertext in an SSH session via unknown vectors.

CVE-2015-9262	9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote 
attackers to cause denial of service or potentially code execution via a 
one-byte heap overflow.

CVE-2016-2124	5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)	A flaw 
was found in the way samba implemented SMB1 authentication. An attacker could 
use this flaw to retrieve the plaintext password sent over the wire even if 
Kerberos authentication was required.

CVE-2016-4658	9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 
10.12, tvOS before 10, and watchOS before 3, and other products) does not 
forbid namespace nodes in XPointer ranges, which allows remote attackers to 
execute arbitrary code or cause a denial of service (use-after-free and memory 
corruption) via a crafted XML document.

CVE-2018-10689	5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)	
blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and 
Android, has a buffer overflow in the dev_map_read function in btt/devmap.c 
because the device and devno arrays are too small, as demonstrated by an 
invalid free when using the btt program with a crafted file.

CVE-2018-20532	6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)	There 
is a NULL pointer dereference at ext/testcase.c (function testcase_read) in 
libsolvext.a in libsolv through 0.7.2 that will cause a denial of service.

CVE-2018-20533	6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)	There 
is a NULL pointer dereference at ext/testcase.c (function 
testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will 
cause a denial of service.

CVE-2018-20534	6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)	** 
DISPUTED ** There is an illegal address access at ext/testcase.c in libsolv.a 
in libsolv through 0.7.2 that will cause a denial of service. NOTE: third 
parties dispute this issue stating that the issue affects the test suite and 
not the underlying library. It cannot be exploited in any real-world 
application.

CVE-2018-25032	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)	zlib 
before 1.2.12 allows memory corruption when deflating (i.e., when compressing) 
if the input has many distant matches.

CVE-2019-12735	8.6 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)	
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote 
attackers to execute arbitrary OS commands via the :source! command in a 
modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in 
Neovim.

CVE-2019-18282	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)	The 
flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a 
device tracking vulnerability, aka CID-55667441c84f. This occurs because the 
auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a 
secret, and because jhash (instead of siphash) is used. The hashrnd value 
remains the same starting from boot time, and can be inferred by an attacker. 
This affects net/core/flow_dissector.c and related code.

CVE-2019-19532	4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)	In the Linux kernel before 
5.3.9, there are multiple out-of-bounds write bugs that can be caused by a 
malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. 
This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, 
drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, 
drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, 
drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, 
drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, 
and drivers/hid/hid-zpff.c.

CVE-2019-20811	2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)	An issue was discovered in the 
Linux kernel before 5.0.6. In rx_queue_add_kobject() and 
netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is 
mishandled, aka CID-a3e23f719f5c.

CVE-2019-20934	5.3 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H)	An 
issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the 
Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA 
fault statistics are inappropriately freed, aka CID-16d51a590a8c.

CVE-2020-0427	5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)	In 
create_pinctrl of core.c, there is a possible out of bounds read due to a use 
after free. This could lead to local information disclosure with no additional 
execution privileges needed. User interaction is not needed for 
exploitation. Product: Android. Versions: Android kernel. Android ID: A-140550171

CVE-2020-10769	5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)	A 
buffer over-read flaw was found in RH kernel versions before 5.0 in 
crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic 
algorithm's module, authenc. When a payload is longer than 4 bytes and does not 
follow 4-byte alignment boundary guidelines, it causes a buffer over-read 
threat, leading to a system crash. This flaw allows a local attacker with user 
privileges to cause a denial of service.

CVE-2020-12362	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	Integer 
overflow in the firmware for some Intel(R) Graphics Drivers for Windows * 
before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a 
privileged user to potentially enable an escalation of privilege via local 
access.

CVE-2020-12363	5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)	
Improper input validation in some Intel(R) Graphics Drivers for Windows* before 
version 26.20.100.7212 and before Linux kernel version 5.5 may allow a 
privileged user to potentially enable a denial of service via local access.

CVE-2020-12364	5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)	Null 
pointer reference in some Intel(R) Graphics Drivers for Windows* before version 
26.20.100.7212 and before Linux kernel version 5.5 may allow a 
privileged user to potentially enable a denial of service via local access.

CVE-2020-14314	5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)	A 
memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 
with the ext3/ext4 file system, in the way it accesses a directory with broken 
indexing. This flaw allows a local user to crash the system if the directory 
exists. The highest threat from this vulnerability is to system availability.

CVE-2020-14351	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	A flaw 
was found in the Linux kernel. A use-after-free memory flaw was found in the 
perf subsystem allowing a local attacker with permission to monitor perf events 
to corrupt memory and possibly escalate privileges. The highest threat from 
this vulnerability is to data confidentiality and integrity as well as system 
availability.

CVE-2020-14385	5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)	A flaw 
was found in the Linux kernel before 5.9-rc4. A failure of the file system 
metadata validator in XFS can cause an inode with a valid, user-creatable 
extended attribute to be flagged as corrupt. This can lead to the filesystem 
being shutdown, or otherwise rendered inaccessible until it is remounted, 
leading to a denial of service. The highest threat from this vulnerability is 
to system availability.

CVE-2020-24394	7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)	In the 
Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect 
permissions on new filesystem objects when the filesystem lacks ACL support, 
aka CID-22cf8419f131. This occurs because the current umask is not considered.

CVE-2020-25211	6.0 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)	In the 
Linux kernel through 5.8.7, local attackers able to inject conntrack netlink 
configuration could overflow a local buffer, causing crashes or triggering use 
of incorrect protocol numbers in ctnetlink_parse_tuple_filter in 
net/netfilter/nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.

CVE-2020-25212	7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)	A 
TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could 
be used by local attackers to corrupt memory or possibly have unspecified other 
impact because a size check is in fs/nfs/nfs4proc.c instead of 
fs/nfs/nfs4xdr.c, aka CID-b4487b935452.

CVE-2020-25643	7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)	A flaw 
was found in the HDLC_PPP module of the Linux kernel in versions before 
5.9-rc7. Memory corruption and a read overflow is caused by improper input 
validation in the ppp_cp_parse_cr function which can cause the system to crash 
or cause a denial of service. The highest threat from this vulnerability is to 
data confidentiality and integrity as well as system availability.

CVE-2020-25645	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)	A flaw 
was found in the Linux kernel in versions before 5.9-rc7. Traffic between two 
Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic 
for the specific UDP port used by the GENEVE tunnel allowing anyone between the 
two endpoints to read the traffic unencrypted. The main threat from this 
vulnerability is to data confidentiality.

CVE-2020-25656	4.1 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)	A flaw 
was found in the Linux kernel. A use-after-free was found in the way the 
console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could 
use this flaw to get read memory access out of bounds. The highest threat from 
this vulnerability is to data confidentiality.

CVE-2020-25705	7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)	A flaw 
in ICMP packets in the Linux kernel may allow an attacker to quickly scan open 
UDP ports. This flaw allows an off-path remote attacker to effectively bypass 
source port UDP randomization. Software that relies on UDP source port 
randomization is indirectly affected as well on the Linux Based Products 
(RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All 
versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and 
v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, 
v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 
Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 
3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version

CVE-2020-25709	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)	A flaw 
was found in OpenLDAP. This flaw allows an attacker who can send a malicious 
packet to be processed by OpenLDAP’s slapd server, to trigger an assertion 
failure. The highest threat from this vulnerability is to system availability.

CVE-2020-25710	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)	A flaw 
was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker 
who sends a malicious packet processed by OpenLDAP to force a failed assertion 
in csnNormalize23(). The highest threat from this vulnerability is to system 
availability.

CVE-2020-25717	8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)	A flaw 
was found in the way Samba maps domain users to local users. An authenticated 
attacker could use this flaw to cause possible privilege escalation.

CVE-2020-27170	4.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)	An 
issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c 
performs undesirable out-of-bounds speculation on pointer arithmetic, leading 
to side-channel attacks that defeat Spectre mitigations and obtain sensitive 
information from kernel memory, aka CID-f232326f6966. This affects pointer 
types that do not define a ptr_limit.

CVE-2020-27777	6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)	A flaw 
was found in the way RTAS handled memory accesses in userspace to kernel 
communication. On a locked down (usually due to Secure Boot) guest system 
running on top of PowerVM or KVM hypervisors (pseries platform) a root like 
local user could use this flaw to further increase their privileges to that of 
a running kernel.

CVE-2020-28374	8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)	In 
drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, 
insufficient identifier checking in the LIO SCSI target code can be used by 
remote attackers to read or write files via directory traversal in an XCOPY 
request, aka CID-2896c93811e3. For example, an attack can occur over a network 
if the attacker has access to one iSCSI LUN. The attacker gains control over 
file access because I/O operations are proxied via an attacker-selected 
backstore.

CVE-2020-29661	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	A 
locking issue was discovered in the tty subsystem of the Linux kernel through 
5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against 
TIOCSPGRP, aka CID-54ffccbf053b.

CVE-2020-7053	4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)	In the Linux kernel 4.14 
longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 
5.2), there is a use-after-free (write) in the i915_ppgtt_close function in 
drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c. This is related to 
i915_gem_context_destroy_ioctl in drivers/gpu/drm/i915/i915_gem_context.c.

CVE-2020-8648	7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)	There 
is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the 
n_tty_receive_buf_common function in drivers/tty/n_tty.c.

CVE-2021-0543	6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)	In 
phNxpNciHal_process_ext_rsp of phNxpNciHal_ext.cc, there is a possible out of 
bounds write due to an integer overflow. This could lead to local escalation of 
privilege with System execution privileges needed. User interaction is not 
needed for exploitation. Product: Android. Versions: Android-11. Android ID: 
A-169258743

CVE-2021-20265	5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)	A flaw 
was found in the way memory resources were freed in the unix_stream_recvmsg 
function in the Linux kernel when a signal was pending. This flaw allows an 
unprivileged local user to crash the system by exhausting available memory. The 
highest threat from this vulnerability is to system availability.

CVE-2021-20271	7.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)	A flaw 
was found in RPM's signature check functionality when reading a package file. 
This flaw allows an attacker who can convince a victim to install a seemingly 
verifiable package, whose signature header was modified, to cause RPM database 
corruption and execute code. The highest threat from this vulnerability is to 
data integrity, confidentiality, and system availability.

CVE-2021-22543	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	An 
issue was discovered in Linux KVM: improper handling of VM_IO|VM_PFNMAP 
vmas in KVM can bypass RO checks and can lead to pages being freed while still 
accessible by the VMM and guest. This allows users with the ability to start 
and control a VM to read/write random pages of memory and can result in local 
privilege escalation.

CVE-2021-22555	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	A heap 
out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in 
net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a 
DoS (via heap memory corruption) through user name space.

CVE-2021-27363	4.4 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)	An 
issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak 
can be used to determine the address of the iscsi_transport structure. When an 
iSCSI transport is registered with the iSCSI subsystem, the transport's handle 
is available to unprivileged users via the sysfs file system, at 
/sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the 
show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is 
called, which leaks the handle. This handle is actually the pointer to an 
iscsi_transport struct in the kernel module's global variables.

CVE-2021-27364	7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)	An 
issue was discovered in the Linux kernel through 5.11.3. 
drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an 
unprivileged user to craft Netlink messages.

CVE-2021-27365	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	An 
issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data 
structures do not have appropriate length constraints or checks, and can exceed 
the PAGE_SIZE value. An unprivileged user can send a Netlink message that is 
associated with iSCSI, and has a length up to the maximum length of a Netlink 
message.

CVE-2021-29154	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	BPF JIT 
compilers in the Linux kernel through 5.11.12 have incorrect computation of 
branch displacements, allowing them to execute arbitrary code within the kernel 
context. This affects arch/x86/net/bpf_jit_comp.c and 
arch/x86/net/bpf_jit_comp32.c.

CVE-2021-29650	5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)	An 
issue was discovered in the Linux kernel before 5.11.11. The netfilter 
subsystem allows attackers to cause a denial of service (panic) because 
net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full 
memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.

CVE-2021-32399	7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)	
net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race 
condition for removal of the HCI controller.

CVE-2021-3347	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	An 
issue was discovered in the Linux kernel through 5.10.11. PI futexes have a 
kernel stack use-after-free during fault handling, allowing local users to 
execute code in the kernel, aka CID-34b1a1ce1458.

CVE-2021-35550	5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: JSSE). Supported versions that are affected are Java 
SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 
21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with 
network access via TLS to compromise Java SE, Oracle GraalVM Enterprise 
Edition. Successful attacks of this vulnerability can result in unauthorized 
access to critical data or complete access to all Java SE, Oracle GraalVM 
Enterprise Edition accessible data. Note: This vulnerability applies to Java 
deployments, typically in clients running sandboxed Java Web Start applications 
or sandboxed Java applets, that load and run untrusted code (e.g., code that 
comes from the internet) and rely on the Java sandbox for security. This 
vulnerability can also be exploited by using APIs in the specified Component, 
e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base 
Score 5.9 (Confidentiality impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2021-35556	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: Swing). Supported versions that are affected are 
Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 
and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker 
with network access via multiple protocols to compromise Java SE, Oracle 
GraalVM Enterprise Edition. Successful attacks of this vulnerability can result 
in unauthorized ability to cause a partial denial of service (partial DOS) of 
Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to 
Java deployments, typically in clients running sandboxed Java Web Start 
applications or sandboxed Java applets, that load and run untrusted code (e.g., 
code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability does not apply to Java deployments, typically in servers, 
that load and run only trusted code (e.g., code installed by an administrator). 
CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35559	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: Swing). Supported versions that are affected are 
Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 
and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker 
with network access via multiple protocols to compromise Java SE, Oracle 
GraalVM Enterprise Edition. Successful attacks of this vulnerability can result 
in unauthorized ability to cause a partial denial of service (partial DOS) of 
Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to 
Java deployments, typically in clients running sandboxed Java Web Start 
applications or sandboxed Java applets, that load and run untrusted code (e.g., 
code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability can also be exploited by using APIs in the specified 
Component, e.g., through a web service which supplies data to the APIs. CVSS 
3.1 Base Score 5.3 (Availability impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35561	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: Utility). Supported versions that are affected are 
Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 
and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker 
with network access via multiple protocols to compromise Java SE, Oracle 
GraalVM Enterprise Edition. Successful attacks of this vulnerability can result 
in unauthorized ability to cause a partial denial of service (partial DOS) of 
Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to 
Java deployments, typically in clients running sandboxed Java Web Start 
applications or sandboxed Java applets, that load and run untrusted code (e.g., 
code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability can also be exploited by using APIs in the specified 
Component, e.g., through a web service which supplies data to the APIs. CVSS 
3.1 Base Score 5.3 (Availability impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35564	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: Keytool). Supported versions that are affected are 
Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 
and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker 
with network access via multiple protocols to compromise Java SE, Oracle 
GraalVM Enterprise Edition. Successful attacks of this vulnerability can result 
in unauthorized update, insert or delete access to some of Java SE, Oracle 
GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to 
Java deployments, typically in clients running sandboxed Java Web Start 
applications or sandboxed Java applets, that load and run untrusted code (e.g., 
code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability can also be exploited by using APIs in the specified 
Component, e.g., through a web service which supplies data to the APIs. CVSS 
3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2021-35565	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: JSSE). Supported versions that are affected are Java 
SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 
21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with 
network access via TLS to compromise Java SE, Oracle GraalVM Enterprise 
Edition. Successful attacks of this vulnerability can result in unauthorized 
ability to cause a partial denial of service (partial DOS) of Java SE, Oracle 
GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by 
supplying data to APIs in the specified Component without using Untrusted Java 
Web Start applications or Untrusted Java applets, such as through a web 
service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35567	6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: Libraries). Supported versions that are affected are 
Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 
21.2.0. Easily exploitable vulnerability allows low privileged attacker with 
network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise 
Edition. Successful attacks require human interaction from a person other than 
the attacker and while the vulnerability is in Java SE, Oracle GraalVM 
Enterprise Edition, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in unauthorized access to 
critical data or complete access to all Java SE, Oracle GraalVM Enterprise 
Edition accessible data. Note: This vulnerability applies to Java deployments, 
typically in clients running sandboxed Java Web Start applications or sandboxed 
Java applets, that load and run untrusted code (e.g., code that comes from the 
internet) and rely on the Java sandbox for security. This vulnerability can 
also be exploited by using APIs in the specified Component, e.g., through a web 
service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 
(Confidentiality impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

CVE-2021-35578	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: JSSE). Supported versions that are affected are Java 
SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. 
Easily exploitable vulnerability allows unauthenticated attacker with network 
access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized ability to 
cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM 
Enterprise Edition. Note: This vulnerability can only be exploited by supplying 
data to APIs in the specified Component without using Untrusted Java Web Start 
applications or Untrusted Java applets, such as through a web service. CVSS 3.1 
Base Score 5.3 (Availability impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35586	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: ImageIO). Supported versions that are affected are 
Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 
and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker 
with network access via multiple protocols to compromise Java SE, Oracle 
GraalVM Enterprise Edition. Successful attacks of this vulnerability can result 
in unauthorized ability to cause a partial denial of service (partial DOS) of 
Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to 
Java deployments, typically in clients running sandboxed Java Web Start 
applications or sandboxed Java applets, that load and run untrusted code (e.g., 
code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability can also be exploited by using APIs in the specified 
Component, e.g., through a web service which supplies data to the APIs. CVSS 
3.1 Base Score 5.3 (Availability impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2021-35588	3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: Hotspot). Supported versions that are affected are 
Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. 
Difficult to exploit vulnerability allows unauthenticated attacker with network 
access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise 
Edition. Successful attacks require human interaction from a person other than 
the attacker. Successful attacks of this vulnerability can result in 
unauthorized ability to cause a partial denial of service (partial DOS) of Java 
SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java 
deployments, typically in clients running sandboxed Java Web Start applications 
or sandboxed Java applets, that load and run untrusted code (e.g., code that 
comes from the internet) and rely on the Java sandbox for security. This 
vulnerability can also be exploited by using APIs in the specified Component, 
e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base 
Score 3.1 (Availability impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVE-2021-35603	3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)	
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of 
Oracle Java SE (component: JSSE). Supported versions that are affected are Java 
SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 
21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with 
network access via TLS to compromise Java SE, Oracle GraalVM Enterprise 
Edition. Successful attacks of this vulnerability can result in unauthorized 
read access to a subset of Java SE, Oracle GraalVM Enterprise Edition 
accessible data. Note: This vulnerability applies to Java deployments, 
typically in clients running sandboxed Java Web Start applications or sandboxed 
Java applets, that load and run untrusted code (e.g., code that comes from the 
internet) and rely on the Java sandbox for security. This vulnerability can 
also be exploited by using APIs in the specified Component, e.g., through a web 
service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 
(Confidentiality impacts). CVSS Vector: 
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE-2021-3653	8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)	A flaw 
was found in the KVM's AMD code for supporting SVM nested virtualization. The 
flaw occurs when processing the VMCB (virtual machine control block) provided 
by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation 
of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC 
support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, 
the L2 guest would be allowed to read/write physical pages of the host, 
resulting in a crash of the entire system, leak of sensitive data or potential 
guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.

CVE-2021-3656	8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)	A flaw 
was found in the KVM's AMD code for supporting SVM nested virtualization. The 
flaw occurs when processing the VMCB (virtual machine control block) provided 
by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation 
of the "virt_ext" field, this issue could allow a malicious L1 to disable both 
VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a 
result, the L2 guest would be allowed to read/write physical pages of the host, 
resulting in a crash of the entire system, leak of sensitive data or potential 
guest-to-host escape.

CVE-2021-3715	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	A flaw 
was found in the "Routing decision" classifier in the Linux kernel's Traffic 
Control networking subsystem in the way it handled changing of classification 
filters, leading to a use-after-free condition. This flaw allows unprivileged 
local users to escalate their privileges on the system. The highest threat from 
this vulnerability is to confidentiality, integrity, as well as system 
availability.

CVE-2021-37576	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	
arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the 
powerpc platform allows KVM guest OS users to cause host OS memory corruption 
via rtas_args.nargs, aka CID-f62f3c20647e.

CVE-2021-37750	6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)	The Key 
Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x 
before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST 
inner body that lacks a server field.

CVE-2021-4034	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	A local 
privilege escalation vulnerability was found on polkit's pkexec utility. The 
pkexec application is a setuid tool designed to allow unprivileged users to run 
commands as privileged users according to predefined policies. The current 
version of pkexec doesn't handle the calling parameters count correctly and 
ends up trying to execute environment variables as commands. An attacker can 
leverage this by crafting environment variables in such a way that pkexec is 
induced to execute arbitrary code. When successfully executed, the attack can 
cause a local privilege escalation, giving unprivileged users administrative 
rights on the target machine.

CVE-2021-41617	7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)	sshd in 
OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are 
used, allows privilege escalation because supplemental groups are not 
initialized as expected. Helper programs for AuthorizedKeysCommand and 
AuthorizedPrincipalsCommand may run with privileges associated with group 
memberships of the sshd process, if the configuration specifies running the 
command as a different user.

CVE-2021-42574	8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)	** 
DISPUTED ** An issue was discovered in the Bidirectional Algorithm in the 
Unicode Specification through 14.0. It permits the visual reordering of 
characters via control sequences, which can be used to craft source code that 
renders different logic than the logical ordering of tokens ingested by 
compilers and interpreters. Adversaries can leverage this to encode source code 
for compilers accepting Unicode such that targeted vulnerabilities are 
introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers 
the following alternative approach to presenting this concern. An issue is 
noted in the nature of international text that can affect applications that 
implement support for The Unicode Standard and the Unicode Bidirectional 
Algorithm (all versions). Due to text display behavior when text includes 
left-to-right and right-to-left characters, the visual order of tokens may be 
different from their logical order. Additionally, control characters needed to 
fully support the requirements of bidirectional text can further obfuscate the 
logical order of tokens. Unless mitigated, an adversary could craft source code 
such that the ordering of tokens perceived by human reviewers does not match 
what will be processed by a compiler/interpreter/etc. The Unicode Consortium 
has documented this class of vulnerability in its document, Unicode Technical 
Report #36, Unicode Security Considerations. The Unicode Consortium also 
provides guidance on mitigations for this class of issues in Unicode Technical 
Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, 
Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows 
applications to tailor the implementation in ways that can mitigate misleading 
visual reordering in program text; see HL4 in Unicode Standard Annex #9, 
Unicode Bidirectional Algorithm.
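A reviewer-side check for the bidirectional-control issue described above, as an added example that is not part of the advisory or of any Unicode Consortium code; the sample source text it scans is constructed:

```python
"""Scanner for the bidirectional-control issue described in CVE-2021-42574.
Added example, not part of the advisory or of any Unicode Consortium code: it
flags the explicit directional controls of UAX #9 in source text and reports
any embedding, override or isolate still open at the end of its line.
"""

# Explicit directional formatting characters (UAX #9, section 2).
BIDI_OPEN = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
}
ISOLATE_OPENERS = ("\u2066", "\u2067", "\u2068")
BIDI_MARKS = {"\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM"}
PDF, PDI = "\u202c", "\u2069"


def scan_bidi(text):
    """Return (line_no, col, name, unterminated) tuples for every bidi control.

    `unterminated` is True for an opener with no matching PDF/PDI before the
    end of its line: the pattern that hides reordered tokens in a comment.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stack = []  # (index into findings, "embedding" | "isolate"), innermost last
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_OPEN:
                kind = "isolate" if ch in ISOLATE_OPENERS else "embedding"
                findings.append([line_no, col, BIDI_OPEN[ch], True])
                stack.append((len(findings) - 1, kind))
            elif ch == PDF:
                findings.append([line_no, col, "PDF", False])
                # PDF closes only the innermost embedding/override and never
                # reaches across an isolate boundary (UAX #9, rule X7).
                if stack and stack[-1][1] == "embedding":
                    findings[stack.pop()[0]][3] = False
            elif ch == PDI:
                findings.append([line_no, col, "PDI", False])
                # PDI closes the innermost isolate and every embedding opened
                # inside it; a PDI with no open isolate is ignored (rule X6a).
                if any(kind == "isolate" for _, kind in stack):
                    while True:
                        idx, kind = stack.pop()
                        findings[idx][3] = False
                        if kind == "isolate":
                            break
            elif ch in BIDI_MARKS:
                findings.append([line_no, col, BIDI_MARKS[ch], False])
    return [tuple(f) for f in findings]


def suspicious_lines(text):
    """Line numbers that contain at least one unterminated directional control."""
    return sorted({f[0] for f in scan_bidi(text) if f[3]})


# Constructed sample: directional controls left open inside a comment.
SAMPLE_SUSPICIOUS = (
    "def check(level):\n"
    "    access = False\n"
    "    # \u202e } \u2066if (level >= 5):\u2069 \u2066 begin admin only\n"
    "    return access\n"
)
```

Run `suspicious_lines()` over each file in a pre-merge hook; a compiler treats these code points as ordinary characters, so the editor view is the only place the reordering is visible.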

CVE-2021-43527	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	NSS 
(Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable 
to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. 
Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS 
#7, or PKCS #12 are likely to be impacted. Applications 
using NSS for certificate validation or other TLS, X.509, OCSP or CRL 
functionality may be impacted, depending on how they configure NSS. *Note: This 
vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF 
viewers that use NSS for signature verification, such as Thunderbird, 
LibreOffice, Evolution and Evince are believed to be impacted. This 
vulnerability affects NSS < 3.73 and NSS < 3.68.1.

CVE-2021-45417	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	AIDE 
before 0.17.4 allows local users to obtain root privileges via crafted file 
metadata (such as XFS extended attributes or tmpfs ACLs), because of a 
heap-based buffer overflow.

CVE-2022-0778	7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)	The 
BN_mod_sqrt() function, which computes a modular square root, contains a bug 
that can cause it to loop forever for non-prime moduli. Internally this 
function is used when parsing certificates that contain elliptic curve public 
keys in compressed form or explicit elliptic curve parameters with a base point 
encoded in compressed form. It is possible to trigger the infinite loop by 
crafting a certificate that has invalid explicit curve parameters. Since 
certificate parsing happens prior to verification of the certificate signature, 
any process that parses an externally supplied certificate may thus be subject 
to a denial of service attack. The infinite loop can also be reached when 
parsing crafted private keys as they can contain explicit elliptic curve 
parameters. Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use BN_mod_sqrt() where the attacker can 
control the parameter values are vulnerable to this DoS issue. In the OpenSSL 
1.0.2 version the public key is 
not parsed during initial parsing of the certificate which makes it slightly 
harder to trigger the infinite loop. However any operation which requires the 
public key from the certificate will trigger the infinite loop. In particular 
the attacker can use a self-signed certificate to trigger the loop during 
verification of the certificate signature. This issue affects OpenSSL versions 
1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on 
the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in 
OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 
1.0.2-1.0.2zc).

CVE-2022-0847	7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	A flaw 
was found in the way the "flags" member of the new pipe buffer structure was 
lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions 
in the Linux kernel and could thus contain stale values. An unprivileged local 
user could use this flaw to write to pages in the page cache backed by read 
only files and as such escalate their privileges on the system.

CVE-2022-1271	8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	An 
arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When 
zgrep is applied on the attacker's chosen file name (for example, a crafted 
file name), this can overwrite an attacker's content to an arbitrary 
attacker-selected file. This flaw occurs due to insufficient validation when 
processing filenames with two or more newlines where selected content and the 
target file names are embedded in crafted multi-line file names. This flaw 
allows a remote, low privileged attacker to force zgrep to write arbitrary 
files on the system.

CVE-2022-24407	8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)	In 
Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape 
the password for a SQL INSERT or UPDATE statement.

CVE-2022-24903	8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)	Rsyslog 
is a rocket-fast system for log processing. Modules for TCP syslog reception 
have a potential heap buffer overflow when octet-counted framing is used. This 
can result in a segfault or some other malfunction. To our understanding, this 
vulnerability cannot be used for remote code execution, although there may 
still be a slight chance for experts to do so. The bug occurs when the octet 
count is read. While there is a check for the maximum number of octets, digits 
are written to a heap buffer even when the octet count is over the maximum. 
This can be used to overrun the memory buffer. However, once the sequence of 
digits stops, no additional characters can be added to the buffer. In our 
opinion, this makes remote exploits impossible or at least highly complex. 
Octet-counted framing is one of two potential framing modes. It is relatively 
uncommon, but enabled by default on receivers. Modules `imtcp`, `imptcp`, 
`imgssapi`, and `imhttp` are used for regular syslog message reception. It is 
best practice not to directly expose them to the public. When this practice is 
followed, the risk is considerably lower. Module `imdiag` is a diagnostics 
module primarily intended for testbench runs. We do not expect it to be present 
on any production installation. Octet-counted framing is not very common. 
Usually, it needs to be specifically enabled at senders. If users do not need 
it, they can turn it off for the most important modules. This will mitigate the 
vulnerability.
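An octet-counted framing parser that applies the bound the description above says was missing, as an added example that is not rsyslog's code; the receiver limit and the sample stream are constructed values:

```python
"""Octet-counted TCP syslog framing (RFC 6587, section 3.4.1) with a bounded
length prefix. Added example, not rsyslog's code: it performs the check that
CVE-2022-24903 describes as missing, refusing to consume further length digits
once the octet count can no longer fit the receiver's limit. The limit below is
a constructed value, not rsyslog's default.
"""

MAX_MSG_SIZE = 8192  # constructed receiver limit


class FramingError(ValueError):
    """Raised when a length prefix is malformed or exceeds the limit."""


def parse_octet_counted(stream, max_size=MAX_MSG_SIZE):
    """Split `stream` (bytes) into complete messages.

    Returns (messages, leftover); `leftover` is the trailing partial frame a
    caller keeps until more bytes arrive. Each frame is MSG-LEN SP SYSLOG-MSG,
    where MSG-LEN is the decimal byte count of the message that follows.
    """
    messages = []
    max_digits = len(str(max_size))
    pos = 0
    while pos < len(stream):
        start = pos
        count = 0
        ndigits = 0
        while pos < len(stream) and 0x30 <= stream[pos] <= 0x39:
            count = count * 10 + (stream[pos] - 0x30)
            ndigits += 1
            pos += 1
            # The vulnerable receivers kept storing digits past the maximum;
            # here the frame is rejected the moment the bound is exceeded.
            if ndigits > max_digits or count > max_size:
                raise FramingError(f"octet count exceeds {max_size}")
        if ndigits == 0:
            raise FramingError("frame does not start with an octet count")
        if pos == len(stream):
            return messages, stream[start:]  # prefix cut off; wait for more
        if stream[pos] != 0x20:
            raise FramingError("expected SP after the octet count")
        if count == 0:
            raise FramingError("octet count must be non-zero")
        pos += 1
        if pos + count > len(stream):
            return messages, stream[start:]  # message body still incomplete
        messages.append(stream[pos:pos + count])
        pos += count
    return messages, b""


def accepts(stream, max_size=MAX_MSG_SIZE):
    """True if `stream` parses without a framing error."""
    try:
        parse_octet_counted(stream, max_size)
        return True
    except FramingError:
        return False


# Constructed streams: two well-formed frames, then a frame whose count is far
# beyond the limit; the parser stops at the fifth digit and buffers nothing more.
STREAM_OK = b"9 <13>hello18 <14>second message"
STREAM_OVERSIZED = b"9 <13>hello" + b"9" * 40 + b" <13>never parsed"
```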

CVE-2022-25235	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of 
encoding, such as checks for whether a UTF-8 character is valid in a certain 
context.

CVE-2022-25236	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert 
namespace-separator characters into namespace URIs.

CVE-2022-25315	9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)	In 
Expat (aka libexpat) before 2.4.5, there is an integer overflow in 
storeRawNames.

Solution:

The following software releases have been updated to resolve these specific 
issues: 5.4.7, 5.5.3, and all subsequent releases.

These issues are being tracked as I95-46059, I95-45060, I95-45123, 
I95-41870, I95-41868, I95-45056, I95-45059, I95-41802, I95-45165, I95-44618, 
I95-41877, I95-45054, I95-41800, I95-45061, I95-45062, I95-45063 and I95-45064.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of 
Engineering (EOE) or End of Life (EOL).

IMPLEMENTATION:

Software Releases, patches and updates are available at 
https://support.juniper.net/support/downloads/.

Workaround:
There are no known workarounds to mitigate the exploitation of all of these 
issues.

Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common 
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Modification History:
2022-10-12: Initial Publication.

Related Information:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process
    KB16765: In which releases are vulnerabilities fixed?
    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories
    Report a Security Vulnerability - How to Contact the Juniper Networks 
Security Incident Response Team

Last Updated: 2022-10-12
Created:      2022-10-12

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================