SB2021120727 - Ubuntu update for busybox 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021120727

SB2021120727 - Ubuntu update for busybox

Published: December 7, 2021

Security Bulletin ID SB2021120727
Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 20% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Improper Handling of Exceptional Conditions (CVE-ID: CVE-2021-28831)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of error bit on the huft_build result pointer in decompress_gunzip.c. A remote attacker can pass malformed gzip data to the application, trigger an invalid free and perform a denial of service (DoS) attack.


2) Out-of-bounds read (CVE-ID: CVE-2021-42374)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "unlzma". A remote attacker can trigger out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.


3) Use-after-free (CVE-ID: CVE-2021-42378)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "getvar_i" function. A remote administrator can execute arbitrary code on the target system.


4) Use-after-free (CVE-ID: CVE-2021-42379)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "next_input_file" function. A remote administrator can execute arbitrary code on the target system.


5) Use-after-free (CVE-ID: CVE-2021-42380)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "next_input_file" function. A remote administrator can execute arbitrary code on the target system.


6) Use-after-free (CVE-ID: CVE-2021-42381)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "hash_init" function. A remote administrator can execute arbitrary code on the target system.


7) Use-after-free (CVE-ID: CVE-2021-42382)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "getvar_s" function. A remote administrator can execute arbitrary code on the target system.


8) Use-after-free (CVE-ID: CVE-2021-42384)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "handle_special" function. A remote administrator can execute arbitrary code on the target system.


9) Use-after-free (CVE-ID: CVE-2021-42385)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "evaluate" function. A remote administrator can execute arbitrary code on the target system.


10) Use-after-free (CVE-ID: CVE-2021-42386)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "nvalloc" function. A remote administrator can execute arbitrary code on the target system.


Remediation

Install update from vendor's website.

References