SB2022060827 - Ubuntu update for linux-oem-5.17

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022060827

SB2022060827 - Ubuntu update for linux-oem-5.17

Published: June 8, 2022 Updated: August 10, 2022

Security Bulletin ID SB2022060827
Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 13% Low 88%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Memory leak (CVE-ID: CVE-2022-1012)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient randomization in the net/ipv4/tcp.c when calculating port offsets in Linux kernel cause by small table perturb size. A remote attacker can cause memory leak and gain access to sensitive information.


2) NULL pointer dereference (CVE-ID: CVE-2022-1205)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a null pointer dereference and use after free errors in the net/ax25/ax25_timer.c. A local user can simulate Amateur Radio and perform a denial of service (DoS) attack.


3) Use-after-free (CVE-ID: CVE-2022-1734)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to Marvell NFC device driver implementation in the Linux kernel did not properly perform memory cleanup operations in some situations. A local user can trigger use-after-free to escalate privileges on the system.


4) Use-after-free (CVE-ID: CVE-2022-1836)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to use-after-free error in the drivers/block/floppy.c in the floppy driver module in the Linux kernel when working with raw_cmd_ioctl and seek_interrupt. A local user can trigger use-after-free to escalate privileges on the system.


5) Use-after-free (CVE-ID: CVE-2022-1966)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the Linux kernel's Netfilter subsystem in net/netfilter/nf_tables_api.c. A local user can trigger use-after-free error to escalate privileges on the system.


6) Out-of-bounds write (CVE-ID: CVE-2022-1972)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing untrusted input in the Linux kernel's netfilter subsystem. A local user can trigger out-of-bounds write to escalate privileges on the system.


7) Improper access control (CVE-ID: CVE-2022-21499)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to improper access restrictions to the kernel debugger when booted in secure boot environments. A local privileged user can bypass UEFI Secure Boot restrictions.


8) Improper Initialization (CVE-ID: CVE-2022-29968)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to io_uring subsystem in the Linux kernel does not properly initialize data in some situations. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.


Remediation

Install update from vendor's website.

References