SB2023011012 - Ubuntu update for linux 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023011012

SB2023011012 - Ubuntu update for linux

Published: January 10, 2023 Updated: May 21, 2023

Security Bulletin ID SB2023011012
Severity
Low
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Memory leak (CVE-ID: CVE-2021-4159)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due memory leak in Linux kernel EBPF verifier when handling internal data structures. A local user with permissions to insert eBPF code to the kernel can force the kernel to leak internal kernel memory details and bypass mitigations, related to exploitation protection.


2) Race condition (CVE-ID: CVE-2022-20421)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a race condition within the Binder driver in Android kernel in drivers/android/binder.c. A local application can exploit the race to trigger a use-after-free error and execute arbitrary code with elevated privileges.


3) Division by zero (CVE-ID: CVE-2022-3061)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to missing checks of the "pixclock" value in the Linux kernel i740 driver. A local user can pass arbitrary values to the driver through ioctl() interface, trigger a divide by zero error and perform a denial of service (DoS) attack.


4) Use-after-free (CVE-ID: CVE-2022-3586)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. A local user can perform a denial of service (DoS) attack.


5) Race condition (CVE-ID: CVE-2022-39188)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within include/asm-generic/tlb.h in the Linux kernel. A local user can exploit the race and escalate privileges on the system.

Note, this only occurs in situations with VM_PFNMAP VMAs.


6) Use-after-free (CVE-ID: CVE-2022-40307)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the drivers/firmware/efi/capsule-loader.c in Linux kernel. A local user can trigger a use-after-free error and perform a denial of service (DoS) attack.


7) Double Free (CVE-ID: CVE-2022-4095)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the cmd_hdl_filter() function in drivers/staging/rtl8712/rtl8712_cmd.c. A local user can trigger a double free error and execute arbitrary code with escalated privileges.



Remediation

Install update from vendor's website.

References