SB2022042120 - IBM Security Guardium update for PolicyKit
Published: April 21, 2022 Updated: April 27, 2023
Security Bulletin ID: SB2022042120
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Local access
Highest impact: Code execution
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2021-4034)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists because the pkexec setuid binary improperly handles the count of arguments it was called with, which leads it to treat environment variables as the command to execute. A local user can craft environment variables so that pkexec processes and executes them, running arbitrary commands on the system as root.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-policykit-vulnerability-cve-2021-4034/
- https://www.ibm.com/support/pages/node/6572981