Anolis OS update for kernel(RHCK)3.10



| Updated: 2025-03-28
Risk Low
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2020-25704
CVE-2020-36322
CVE-2021-28950
CVE-2021-42739
CWE-ID CWE-401
CWE-404
CWE-834
CWE-119
Exploitation vector Local
Public exploit N/A
Vulnerable software
 Anolis OS
Operating systems & Components / Operating system

kernel-doc
Operating systems & Components / Operating system package or component

kernel-abi-whitelists
Operating systems & Components / Operating system package or component

python-perf
Operating systems & Components / Operating system package or component

perf
Operating systems & Components / Operating system package or component

kernel-tools-libs-devel
Operating systems & Components / Operating system package or component

kernel-tools-libs
Operating systems & Components / Operating system package or component

kernel-tools
Operating systems & Components / Operating system package or component

kernel-headers
Operating systems & Components / Operating system package or component

kernel-devel
Operating systems & Components / Operating system package or component

kernel-debug-devel
Operating systems & Components / Operating system package or component

kernel-debug
Operating systems & Components / Operating system package or component

kernel
Operating systems & Components / Operating system package or component

bpftool
Operating systems & Components / Operating system package or component

Vendor OpenAnolis

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Memory leak

EUVDB-ID: #VU55258

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-25704

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the Linux kernel performance monitoring subsystem when using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

kernel-doc: before 3.10.0-1160.53.1.0.1

kernel-abi-whitelists: before 3.10.0-1160.53.1.0.1

python-perf: before 3.10.0-1160.53.1.0.1

perf: before 3.10.0-1160.53.1.0.1

kernel-tools-libs-devel: before 3.10.0-1160.53.1.0.1

kernel-tools-libs: before 3.10.0-1160.53.1.0.1

kernel-tools: before 3.10.0-1160.53.1.0.1

kernel-headers: before 3.10.0-1160.53.1.0.1

kernel-devel: before 3.10.0-1160.53.1.0.1

kernel-debug-devel: before 3.10.0-1160.53.1.0.1

kernel-debug: before 3.10.0-1160.53.1.0.1

kernel: before 3.10.0-1160.53.1.0.1

bpftool: before 3.10.0-1160.53.1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0076


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Resource Shutdown or Release

EUVDB-ID: #VU59473

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-36322

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists in the FUSE filesystem implementation in the Linux kernel due to fuse_do_getattr() calls make_bad_inode() in inappropriate situations. A local user can run a specially crafted program to trigger kernel crash.

Note, the vulnerability exists due to incomplete fix for #VU58207 (CVE-2021-28950).

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

kernel-doc: before 3.10.0-1160.53.1.0.1

kernel-abi-whitelists: before 3.10.0-1160.53.1.0.1

python-perf: before 3.10.0-1160.53.1.0.1

perf: before 3.10.0-1160.53.1.0.1

kernel-tools-libs-devel: before 3.10.0-1160.53.1.0.1

kernel-tools-libs: before 3.10.0-1160.53.1.0.1

kernel-tools: before 3.10.0-1160.53.1.0.1

kernel-headers: before 3.10.0-1160.53.1.0.1

kernel-devel: before 3.10.0-1160.53.1.0.1

kernel-debug-devel: before 3.10.0-1160.53.1.0.1

kernel-debug: before 3.10.0-1160.53.1.0.1

kernel: before 3.10.0-1160.53.1.0.1

bpftool: before 3.10.0-1160.53.1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0076


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Excessive Iteration

EUVDB-ID: #VU58207

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-28950

CWE-ID: CWE-834 - Excessive Iteration

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive iteration in fs/fuse/fuse_i.h in the Linux kernel. A local user can run a specially crafted program to perform a denial of service attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

kernel-doc: before 3.10.0-1160.53.1.0.1

kernel-abi-whitelists: before 3.10.0-1160.53.1.0.1

python-perf: before 3.10.0-1160.53.1.0.1

perf: before 3.10.0-1160.53.1.0.1

kernel-tools-libs-devel: before 3.10.0-1160.53.1.0.1

kernel-tools-libs: before 3.10.0-1160.53.1.0.1

kernel-tools: before 3.10.0-1160.53.1.0.1

kernel-headers: before 3.10.0-1160.53.1.0.1

kernel-devel: before 3.10.0-1160.53.1.0.1

kernel-debug-devel: before 3.10.0-1160.53.1.0.1

kernel-debug: before 3.10.0-1160.53.1.0.1

kernel: before 3.10.0-1160.53.1.0.1

bpftool: before 3.10.0-1160.53.1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0076


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU59474

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-42739

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary within the firewire subsystem in the Linux kernel in drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c files. A local privileged user can run a specially crafted program tat calls avc_ca_pmt() function to trigger memory corruption and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

kernel-doc: before 3.10.0-1160.53.1.0.1

kernel-abi-whitelists: before 3.10.0-1160.53.1.0.1

python-perf: before 3.10.0-1160.53.1.0.1

perf: before 3.10.0-1160.53.1.0.1

kernel-tools-libs-devel: before 3.10.0-1160.53.1.0.1

kernel-tools-libs: before 3.10.0-1160.53.1.0.1

kernel-tools: before 3.10.0-1160.53.1.0.1

kernel-headers: before 3.10.0-1160.53.1.0.1

kernel-devel: before 3.10.0-1160.53.1.0.1

kernel-debug-devel: before 3.10.0-1160.53.1.0.1

kernel-debug: before 3.10.0-1160.53.1.0.1

kernel: before 3.10.0-1160.53.1.0.1

bpftool: before 3.10.0-1160.53.1.0.1

CPE2.3 External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0076


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###