SB20230821201 - Fedora 37 update for microcode_ctl

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2022-21216)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in out-of-band management in Intel processors. A remote privileged user on the local network can bypass implemented security restrictions and gain unauthorized access to the application.

2) Information exposure through microarchitectural state after transient execution (CVE-ID: CVE-2022-40982)

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to the way data is shared between threads whereby the AVX GATHER instructions on Intel processors can forward the content of stale vector registers to dependent instructions. A malicious guest can infer data from different contexts on the same core and execute arbitrary code with elevated privileges.

3) Unauthorized error injection (CVE-ID: CVE-2022-41804)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to unauthorized error injection in some Intel Xeon Processors with Intel Software Guard Extensions (SGX). A local user can execute arbitrary code with elevated privileges.

4) Improper access control (CVE-ID: CVE-2023-23908)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions. A local privileged user can gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2023-10d34be85a