Multiple vulnerabilities in Oracle Linux
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 44 |
| CVE-ID | CVE-2022-0235 CVE-2022-42011 CVE-2022-42012 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-4144 CVE-2022-2601 CVE-2022-3775 CVE-2021-46848 CVE-2022-35737 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 CVE-2022-3821 CVE-2022-42895 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-42010 CVE-2022-42896 CVE-2022-46340 CVE-2021-44906 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344 CVE-2022-42856 CVE-2022-2132 CVE-2022-40303 CVE-2022-40304 CVE-2022-42920 CVE-2022-4378 CVE-2022-2625 CVE-2022-2964 CVE-2022-4139 CVE-2022-4283 CVE-2019-25058 CVE-2023-21538 CVE-2022-43680 CVE-2022-24999 CVE-2022-3517 CVE-2022-43548 |
| CWE-ID | CWE-200 CWE-125 CWE-416 CWE-415 CWE-617 CWE-763 CWE-787 CWE-193 CWE-129 CWE-191 CWE-824 CWE-369 CWE-121 CWE-400 CWE-843 CWE-399 CWE-190 CWE-264 CWE-119 CWE-863 CWE-20 CWE-94 CWE-185 CWE-350 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #11 is available. Vulnerability #29 is being exploited in the wild. Public exploit code for vulnerability #34 is available. Public exploit code for vulnerability #42 is available. |
| Vulnerable software |
Oracle Linux Operating systems & Components / Operating system |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 44 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU61471
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-0235
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the application follows the "Location" HTTP header redirect and passes authorization cookie to a third-party resource. A remote attacker can gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds read
EUVDB-ID: #VU67970
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-42011
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error caused by an invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element. A local user can trigger an out-of-bounds read and gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU67971
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-42012
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Double Free
EUVDB-ID: #VU69402
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-2519
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the rotateImage() function in tiffcrop.c. A remote attacker can pass a specially crafted file to the application, trigger a double free and perform a denial of service (DoS) attack. MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Reachable Assertion
EUVDB-ID: #VU69400
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-2520
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the rotateImage() function in tiffcrop.c. A remote attacker can pass a specially crafted file to the application, trigger assertion failure and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Release of invalid pointer or reference
EUVDB-ID: #VU69401
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-2521
CWE-ID:
CWE-763 - Release of invalid pointer or reference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an invalid pointer free operation within the TIFFClose() function in tif_close.c. A remote attacker can pass a specially crafted file to the application and perform a denial of service (DoS) attack. MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU71136
Risk: Medium
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-4144
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a malicious guest user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the qxl_phys2virt() function in the QXL display device emulation in QEMU. A malicious guest user can trigger an out-of-bounds read error and crash the QEMU process on the host
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds write
EUVDB-ID: #VU69394
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-2601
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows an attacker to bypass implemented security restrictions.
The vulnerability exists due to a boundary error within the grub_font_construct_glyph() function when handling pf2 font. An attacker with physical access to the affected system can trigger an out-of-bounds write and bypass secure boot restrictions.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds write
EUVDB-ID: #VU69395
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-3775
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows an attacker to crash the system.
The vulnerability exists due to a boundary error when rendering certain unicode sequences in grub2 font code. An attacker with physical access to device can trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Off-by-one
EUVDB-ID: #VU68858
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-46848
CWE-ID:
CWE-193 - Off-by-one Error
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an ETYPE_OK off-by-one error in asn1_encode_simple_der in Libtasn1. A remote attacker can pass specially crafted data to the application, trigger an off-by-one error and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improper Validation of Array Index
EUVDB-ID: #VU67414
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2022-35737
CWE-ID:
CWE-129 - Improper Validation of Array Index
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when handling an overly large input passed as argument to a C API. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
12) Integer underflow
EUVDB-ID: #VU67137
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-2867
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer underflow within the tiffcrop utility. A remote attacker can pass a specially crafted file to the affected application, trigger an integer underflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Out-of-bounds read
EUVDB-ID: #VU67140
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-2868
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the tiffcrop utility. A remote attacker can pass a specially crafted file to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Integer underflow
EUVDB-ID: #VU67138
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-2869
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer underflow within the extractContigSamples8bits routine in the tiffcrop utility. A remote attacker can pass a specially crafted file to the affected application, trigger an integer underflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Out-of-bounds read
EUVDB-ID: #VU68820
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-2953
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in the extractImageSection() function in tools/tiffcrop.c. A remote attacker can pass a specially crafted TIFF file to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack. MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Off-by-one
EUVDB-ID: #VU69807
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-3821
CWE-ID:
CWE-193 - Off-by-one Error
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an off-by-one error within the format_timespan() function in time-util.c. A local user can trigger an off-by-one error and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Access of Uninitialized Pointer
EUVDB-ID: #VU69796
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-42895
CWE-ID:
CWE-824 - Access of Uninitialized Pointer
Exploit availability: No
DescriptionThe vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to unauthorized access of uninitialized pointer within the l2cap_parse_conf_req() function in net/bluetooth/l2cap_core.c. An attacker with physical proximity to the affected device can gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Division by zero
EUVDB-ID: #VU65440
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-2056
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The
vulnerability exists due to a division by zero error when parsing TIFF
files in tiffcrop. A remote attacker can trick the victim to open a specially
crafted file and crash the affected application.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Division by zero
EUVDB-ID: #VU65441
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-2057
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a division by zero error when parsing TIFF files in tiffcrop. A remote attacker can trick the victim to open a specially crafted file and crash the affected application. MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Division by zero
EUVDB-ID: #VU65439
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-2058
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a division by zero error when parsing TIFF files in tiffcrop. A remote attacker can trick the victim to open a specially crafted file and crash the affected application.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Reachable Assertion
EUVDB-ID: #VU67969
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-42010
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in debug builds caused by a syntactically invalid type signature with incorrectly nested parentheses and curly brackets. A local user can perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Use-after-free
EUVDB-ID: #VU69795
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-42896
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows an attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the l2cap_connect() and l2cap_le_connect_req() function in net/bluetooth/l2cap_core.c. An attacker with physical proximity to the affected device can trigger a use-after-free error and execute arbitrary code on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Stack-based buffer overflow
EUVDB-ID: #VU70433
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-46340
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the swap handler for the XTestFakeInput request of the XTest extension if GenericEvents with lengths larger than 32 bytes are sent through a the XTestFakeInput request. A local user can trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Resource exhaustion
EUVDB-ID: #VU64030
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-44906
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Out-of-bounds read
EUVDB-ID: #VU70434
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-46341
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when handling XIPassiveUngrab requests. A local user can trigger an out-of-bounds read error and read contents of memory on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Use-after-free
EUVDB-ID: #VU70435
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-46342
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error when handling XvdiSelectVideoNotify requests. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Use-after-free
EUVDB-ID: #VU70436
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-46343
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The
vulnerability exists due to a use-after-free error when handling
ScreenSaverSetAttributes requests. A local user can trigger a
use-after-free error and execute arbitrary code with elevated
privileges.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Out-of-bounds read
EUVDB-ID: #VU70437
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-46344
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when handling XIChangeProperty requests. A local user can trigger an out-of-bounds read error and read contents of memory on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) Type Confusion
EUVDB-ID: #VU70195
Risk: Critical
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2022-42856
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
30) Resource management error
EUVDB-ID: #VU66871
Risk: Medium
CVSSv4.0: 5.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green]
CVE-ID: CVE-2022-2132
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the copy_desc_to_mbuf() function when processing Vhost header. A remote guest can send a packet with the Vhost header crossing more than two descriptors and force application to allocate all available mbufs, causing a denial of service condition for the other guest running on the hypervisor.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Integer overflow
EUVDB-ID: #VU68828
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-40303
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in parse.c when processing content when XML_PARSE_HUGE is set. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
32) Resource management error
EUVDB-ID: #VU68829
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-40304
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in entities.c due to the way libxml2 handles reference cycles. The library does not anticipate that entity content can be allocated from a dict and clears it upon reference cycle detection by setting its first byte to zero. This can lead to memory corruption issues, such as double free errors and result in a denial of service.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
33) Out-of-bounds write
EUVDB-ID: #VU69809
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-42920
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the API. A remote attacker can create a specially crafted request to the affected application, trigger an out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
34) Stack-based buffer overflow
EUVDB-ID: #VU70442
Risk: Low
CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2022-4378
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the __do_proc_dointvec() function. A local user can trigger a stack-based buffer overflow and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
35) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU66429
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-2625
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges within the database.
The vulnerability exists due to extension scripts can replace objects that do not belong to the extension when using the CREATE OR REPLACE or CREATE IF NOT EXISTS commands. A remote user with (1) permissions to create non-temporary objects in at least one schema, (2) ability to lure
or wait for an administrator to create or update an affected extension
in that schema, and (3) ability to lure or wait for a victim to use the
object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS can run arbitrary code as the victim role.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
36) Out-of-bounds write
EUVDB-ID: #VU67811
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-2964
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices driver in Linux kernel. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
37) Buffer overflow
EUVDB-ID: #VU70460
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-4139
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the i915 kernel driver on Linux kernel. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
38) Use-after-free
EUVDB-ID: #VU70438
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-4283
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
39) Incorrect authorization
EUVDB-ID: #VU69702
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-25058
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to unspecified error within the usbguard-dbus daemon. A local user can allow all USB devices to be connected in the future.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
40) Input validation error
EUVDB-ID: #VU71039
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-21538
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in .NET. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
41) Use-after-free
EUVDB-ID: #VU68718
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-43680
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate. A remote attacker can trigger a use-after-free error and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
42) Prototype pollution
EUVDB-ID: #VU69675
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2022-24999
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
43) Incorrect Regular Expression
EUVDB-ID: #VU69942
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-3517
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
44) Reliance on Reverse DNS Resolution for a Security-Critical Action
EUVDB-ID: #VU69354
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-43548
CWE-ID:
CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DNS rebinding attacks.
The vulnerability exists due to improper validation of octal IP address within the Node.js rebinding protector for --inspec. A remote attacker can
resolve the invalid octal address via DNS. When combined with an active
--inspect session, such as when using VSCode, an attacker can perform DNS
rebinding and execute arbitrary code in client's browser.
Install update from vendor's website.
Vulnerable software versionsOracle Linux: 7 - 9.0
CPE2.3- cpe:2.3:o:oracle:oracle_linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:7.1:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/linuxbulletinjan2023.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
