Main Vulnerability Database SB2022102607

SB2022102607 - SUSE update for multipath-tools

Published: October 26, 2022 Updated: December 15, 2022

Security Bulletin ID SB2022102607

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Authorization (CVE-ID: CVE-2022-41974)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrectly implemented authorization process within multipathd daemon. A local unprivileged user can bypass build-in authorization and execute privileged commands on the system.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2022/suse-su-20223712-1/

Vulnerable Software

SUSE Linux Enterprise Server for SAP: 15-SP2
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-LTSS
openSUSE Leap: 15.3 - 15.4
SUSE Linux Enterprise Server: 15-LTSS
multipath-tools-devel: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
multipath-tools-debugsource: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
multipath-tools-debuginfo: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
multipath-tools: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
libdmmp-devel: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
kpartx-debuginfo: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
kpartx: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
multipath-tools-rbd-debuginfo: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
multipath-tools-rbd: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
libdmmp0_1_0-debuginfo: before 0.7.3+173+suse.7dd1b01-150000.3.29.1
libdmmp0_1_0: before 0.7.3+173+suse.7dd1b01-150000.3.29.1