SUSE update for kernel-firmware



Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2021-33139, CVE-2021-33155
CWE-ID: CWE-754, CWE-20
Exploitation vector: Local network
Public exploit: N/A
Vulnerable software:

SUSE Linux Enterprise Server for SAP (Operating systems & Components / Operating system)

SUSE Linux Enterprise High Performance Computing (Operating systems & Components / Operating system)

SUSE Linux Enterprise Server (Operating systems & Components / Operating system)

ucode-amd (Operating systems & Components / Operating system package or component)

kernel-firmware (Operating systems & Components / Operating system package or component)

Vendor: SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper Check for Unusual or Exceptional Conditions

EUVDB-ID: #VU60467

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-33139

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an improper check for unusual or exceptional conditions in firmware. A remote authenticated attacker on the local network can perform a denial of service (DoS) attack.

Mitigation

Update the affected package kernel-firmware to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP3

SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-ESPOS

SUSE Linux Enterprise Server: 15-LTSS

ucode-amd: before 20191118-3.39.1

kernel-firmware: before 20191118-3.39.1

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20220933-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU60468

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-33155

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in firmware. A remote authenticated attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package kernel-firmware to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP3

SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-ESPOS

SUSE Linux Enterprise Server: 15-LTSS

ucode-amd: before 20191118-3.39.1

kernel-firmware: before 20191118-3.39.1

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20220933-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


