SB2022091531 - Multiple vulnerabilities in OpenShift Virtualization
Published: September 15, 2022 Updated: February 22, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 59 secuirty vulnerabilities.
1) Infinite loop (CVE-ID: CVE-2022-0778)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the BN_mod_sqrt() function when processing an ASN.1 certificate that contains elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. A remote attacker can supply a specially crafted certificate to the TLS server or client, consume all available system resources and cause denial of service conditions.
2) Use-after-free (CVE-ID: CVE-2021-20232)
The vulnerability allows a remote attacker to compromise vulnerable system.
The
vulnerability exists due to a use-after-free error in client_send_params in lib/ext/pre_shared_key.c. A remote attacker can trick the victim to connect
to a malicious server using a large Client Hello message over TLS 1.3,
trigger a use-after-free error and crash the application or execute
arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
3) UNIX symbolic link following (CVE-ID: CVE-2021-23177)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a symlink following issue when extracting files from archive, which can lean to changing ACLs of the target of the link. A local user can create a specially crafted archive, trick the victim into extracting files from it and escalate privileges on the system.
4) Resource exhaustion (CVE-ID: CVE-2021-25219)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to BIND does not properly control consumption of internal resources when processing lame cache. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Input validation error (CVE-ID: CVE-2021-31535)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of color names within the XLookupColor() function. A local user can run a specially crafted application on the system and perform a denial of service (DoS) attack.
6) UNIX symbolic link following (CVE-ID: CVE-2021-31566)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a symlink following issue when extracting files from the archive. A local user can create a specially crafted symbolic link to a critical file on the system, place it into an archive and modify modes, times, access control lists, and flags of a file outside of the archive.
7) Use-after-free (CVE-ID: CVE-2021-36084)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the __cil_verify_classperms() function in CIL compiler in SELinux. A local user can perform a denial of service (DoS) attack.
8) Use-after-free (CVE-ID: CVE-2021-36085)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the __cil_verify_classperms() function in CIL compiler in SELinux. A local user can perform a denial of service (DoS) attack.9) Use-after-free (CVE-ID: CVE-2021-36086)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the cil_reset_classpermission() function in CIL compiler in SELinux. A local user can perform a denial of service (DoS) attack.10) Out-of-bounds read (CVE-ID: CVE-2021-36087)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the ebitmap_match_any() function within the CIL compiler in SELinux. A local user can trigger an out-of-bounds read error and perform denial of service attack.
11) Integer overflow (CVE-ID: CVE-2021-38185)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the "ds_fgetstr" parameter in "dstring.c". A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2021-40528)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to use of a broken or risky cryptographic algorithm in the ElGamal implementation. A remote attacker can gain unauthorized access to sensitive information on the system.
13) Heap-based buffer overflow (CVE-ID: CVE-2021-43527)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling DER-encoded DSA or RSA-PSS signatures. A remote attacker can send specially crafted signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
14) Input validation error (CVE-ID: CVE-2022-1271)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation when processing filenames with two or more newlines. A remote attacker can force zgrep or xzgrep to write arbitrary files on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
15) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-4189)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the FTP (File Transfer Protocol) client library when using it in PASV (passive) mode. A remote attacker can set up a malicious FTP server, trick the FTP client in Python into connecting back to a given IP address and port, which can lead to FTP client scanning ports which otherwise would not have been possible.
16) OS Command Injection (CVE-ID: CVE-2022-1292)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the c_rehash script distributed by some operating systems. A remote attacker with ability to pass data to c_rehash script can and execute arbitrary OS commands with the privileges of the script.
17) Heap-based buffer overflow (CVE-ID: CVE-2022-1621)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
18) Out-of-bounds read (CVE-ID: CVE-2022-1629)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a boundary condition in find_next_quote() function. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error, perform a denial of service attack, modify memory, and execute arbitrary code.
19) OS Command Injection (CVE-ID: CVE-2022-2068)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the c_rehash script distributed by some operating systems. A remote attacker with ability to pass data to c_rehash script can and execute arbitrary OS commands with the privileges of the script.
The vulnerability exists due to incomplete fix for #VU62765 (CVE-2022-1292).
20) Missing Encryption of Sensitive Data (CVE-ID: CVE-2022-2097)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation. Under specific circumstances OpenSSL does not encrypt the entire message and can reveal sixteen bytes of data that was preexisting in the memory that wasn't written. A remote attacker can gain access to potentially sensitive information.
21) Improper Authentication (CVE-ID: CVE-2022-22576)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when re-using OAUTH2 connections for SASL-enabled protocols, such as SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). libcurl may reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. As a result, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer can subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer.
A remote attacker can exploit this vulnerability against applications intended for use in multi-user environments to bypass authentication and gain unauthorized access to victim's accounts.
22) SQL injection (CVE-ID: CVE-2022-24407)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of password in the SQL plugin shipped with Cyrus SASL. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
23) Stack-based buffer overflow (CVE-ID: CVE-2022-25313)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in build_model. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
24) Integer overflow (CVE-ID: CVE-2022-25314)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in copyString. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
25) Information disclosure (CVE-ID: CVE-2022-27774)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to curl attempts to follow redirects during authentication process and does not consider different port numbers or protocols to be separate authentication targets. If the web application performs redirection to a different port number of protocol, cURL will allow such redirection and will pass credentials. It could also leak the TLS SRP credentials this way.
By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked to allow redirects to all protocols curl supports.
26) Information disclosure (CVE-ID: CVE-2022-27776)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to curl can leak authentication or cookie header data during HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme.
The vulnerability exists due to an incomplete fix for #VU10224 (CVE-2018-1000007).
27) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2022-27782)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out from the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send authentication string from one resource to another, exposing credentials to a third-party.
28) Integer overflow (CVE-ID: CVE-2022-29824)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*). A remote attacker can pass specially crafted multi-gigabyte XML file to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
29) Use-after-free (CVE-ID: CVE-2021-20231)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in client sending key_share extension. A remote attacker can trick the victim to connect to a malicious server using a large Client Hello message over TLS 1.3, trigger a use-after-free error and crash the application or execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
30) Resource exhaustion (CVE-ID: CVE-2021-4115)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to process file descriptor exhaustion in polkit. A local user can perform a denial of service (DoS) attack.
31) Out-of-bounds read (CVE-ID: CVE-2021-38561)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
32) Integer overflow (CVE-ID: CVE-2019-5827)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in SQLite component via WebSQL in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
33) Input validation error (CVE-ID: CVE-2021-44716)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
34) Resource exhaustion (CVE-ID: CVE-2021-44717)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing HTTP/2 requests. A remote attacker can send multiple HTTP/2 requests to the server and exhaust all available memory resources.
35) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-1798)
The vulnerability allows a remote user to read arbitrary files on the system.
The vulnerability exists due to a logic issue in kubeVirt API. A remote user can use the kubeVirt API to provide access to host files (like /etc/passwd, for example) in a KubeVirt VM as a disk device that can be written to and read from.36) Input validation error (CVE-ID: CVE-2022-21698)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within method label cardinality. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
37) Resource exhaustion (CVE-ID: CVE-2022-23772)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the Rat.SetString(0 function in math/big. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
38) Incorrect authorization (CVE-ID: CVE-2022-23773)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists within cmd/go, which can misinterpret branch names that falsely appear to be version tags. This can lead to a situation where an attacker can bypass implemented security restrictions and perform restricted actions, e.g. create tags when access was granted to create branches only.
39) Unchecked Return Value (CVE-ID: CVE-2022-23806)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to unchecked return value within the Curve.IsOnCurve() function in crypto/elliptic. A remote attacker can force the application to incorrectly return true in situations with a big.Int value that is not a valid field element. As a result, an attacker can modify application flow, which can lead to unauthorized data modification or denial of service.
40) Buffer overflow (CVE-ID: CVE-2022-24675)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in the Golang's library encoding/pem. A remote attacker can send to victim a large (more than 5 MB) PEM input to cause a stack overflow in Decode and perform a denial of service (DoS) attack.
41) Incorrect Regular Expression (CVE-ID: CVE-2022-24921)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in regexp.Compile in Go. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.
42) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-27191)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b, as used in Go programming language. A remote attacker can crash a server in certain circumstances involving AddHostKey.
43) Integer overflow (CVE-ID: CVE-2022-28327)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to integer overflow in the Golang's library crypto/elliptic. A remote attacker can send a specially crafted scalar input longer than 32 bytes to cause P256().ScalarMult or P256().ScalarBaseMult to panic and perform a denial of service attack.
44) Buffer overflow (CVE-ID: CVE-2018-25032)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when compressing data. A remote attacker can pass specially crafted input to the application, trigger memory corruption and perform a denial of service (DoS) attack.
45) Input validation error (CVE-ID: CVE-2019-13750)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in SQLite in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
46) Infinite loop (CVE-ID: CVE-2021-3737)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker who controls a malicious server can force the client to enter an infinite loop on a 100 Continue response.
47) Use of uninitialized resource (CVE-ID: CVE-2019-13751)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in SQLite in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger uninitialized usage of resources and bypass implemented security mechanisms.
48) Heap-based buffer overflow (CVE-ID: CVE-2019-17594)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the "_nc_find_entry" function in "tinfo/comp_hash.c" in the terminfo library. A remote attacker can trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
49) Buffer Over-read (CVE-ID: CVE-2019-17595)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read issue in the "fmt_entry" function in "tinfo/comp_hash.c" in the terminfo library. A remote attacker can trigger a buffer over-read condition and cause a denial of service condition on the target system.50) Heap-based buffer overflow (CVE-ID: CVE-2019-18218)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the cdf_read_property_info() function in cdf.c in file due to improper restrictions of the number of CDF_VECTOR elements. A local user can place a specially crafted CDF (Composite Document File) file on the system, trick the victim into reading it with the affected software, trigger heap-based buffer overflow (4-byte out-of-bounds write) and execute arbitrary code on the target system with elevated privileges.
51) Input validation error (CVE-ID: CVE-2019-19603)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing SELECT statements with a nonexistent VIEW. A remote attacker can perform a denial of service attack.
52) Out-of-bounds read (CVE-ID: CVE-2019-20838)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and X or R has more than one fixed quantifier, a related issue to CVE-2019-20454.
53) Input validation error (CVE-ID: CVE-2020-13435)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in sqlite3ExprCodeTarget() function in expr.c. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
54) Integer overflow (CVE-ID: CVE-2020-14155)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow. A remote attacker can pass a large number after a (?C substring, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
55) Stack-based buffer overflow (CVE-ID: CVE-2020-17541)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the in the "transform" component in Libjpeg-turb. A remote attacker can create a specially crafted JPEG image, pass it to the affected aplication, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
56) Integer underflow (CVE-ID: CVE-2020-24370)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
57) Stack-based buffer overflow (CVE-ID: CVE-2020-35492)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.
58) Input validation error (CVE-ID: CVE-2021-3580)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in nettle's RSA decryption functions due to insufficient validation of certain ciphertexts. A remote attacker can send specially crafted data to the server and perform a denial of service (DoS) attack.
59) Buffer overflow (CVE-ID: CVE-2021-3634)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling shared secrets. A remote attacker can supply a shared secret of a different size, trigger a memory corruption during the second key re-exchange and crash the application or potentially execute arbitrary code.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.