Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir(). — CVE-2022-33103

Zusammenfassung

Sicherheitshinweis CVE-2022-33103. Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir(). Hersteller: Microsoft. Quelle: MSRC. Risiko: high. CVSS 7.8. Details in der…

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

• Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
• Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
• Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
• Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Zur offiziellen Quelle

Mehr dazu

• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2022-2206
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2022-2207
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2022-2257
• <vuln:Note Title="Mariner" Type="Tag" Ordinal="20">Mariner CVE-2022-2210
• A memory leak flaw was found in the Linux kernel in acrn_dev_ioctl in the drivers/virt/acrn/hsm.c function in how the ACRN Device Model emulates virtual NICs in VM. This flaw allows a local privileged attacker to leak unauthorized kernel information causing a denial of service. CVE-2022-1651
• A NULL pointer dereference flaw was found in rxrpc_preparse_s in net/rxrpc/server_key.c in the Linux kernel. This flaw allows a local attacker to crash the system or leak internal kernel information. CVE-2022-1671
• A OS Command Injection vulnerability exists in Node.js versions &lt;14.20.0 &lt;16.20.0 &lt;18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. CVE-2022-32212
• Active Directory Federation Services Elevation of Privilege Vulnerability CVE-2022-30215
• An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user. CVE-2022-30550
• An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges a different vulnerability than CVE-2022-32250. (The attacker can obtain root access but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. CVE-2022-34918
• Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets CVE-2022-34169
• Azure Site Recovery Elevation of Privilege Vulnerability CVE-2022-33674