Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2022-47952, CVE-2018-6556 |
CWE-ID | CWE-668, CWE-200 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | openEuler (Operating systems & Components / Operating system); lxc-help, lxc-devel, lxc-debuginfo, lxc-libs, lxc-debugsource, lxc (Operating systems & Components / Operating system package or component) |
Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU71474
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-47952
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
Exploit availability: No
Description
The vulnerability allows a local user to compromise the system.
The vulnerability exists due to exposure of resource to wrong sphere in lxc-user-nic. A local user can obtain file existence information.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
openEuler: 22.03 LTS
lxc-help: before 4.0.3-2022102408
lxc-devel: before 4.0.3-2022102408
lxc-debuginfo: before 4.0.3-2022102408
lxc-libs: before 4.0.3-2022102408
lxc-debugsource: before 4.0.3-2022102408
lxc: before 4.0.3-2022102408
External links
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1076
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU14510
Risk: Low
CVSSv3.1: 3.5 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-6556
CWE-ID: CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a local unauthenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists because lxc-user-nic unconditionally opens a user-provided path when asked to delete a network interface. A local attacker can check for the existence of a path that they would not otherwise be able to reach, and can trigger side effects by causing a (read-only) open of special kernel files (ptmx, proc, sys).
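A defensive pattern for a privileged helper that must accept a caller-supplied namespace path, covering both effects described above (side-effect opens and the existence check). This is an added example, not LXC's code or the openEuler patch; the function name open_netns_checked and the choice to validate against the nsfs filesystem type are assumptions, and it targets Linux.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/vfs.h>
#include <unistd.h>

#if !defined(O_PATH) && defined(__O_PATH)
#define O_PATH __O_PATH /* glibc hides O_PATH unless _GNU_SOURCE came first */
#endif
#ifndef NSFS_MAGIC
#define NSFS_MAGIC 0x6e736673 /* filesystem type of namespace files */
#endif

/* Hypothetical helper: returns a read-only fd for a namespace file, or -1.
 * Every failure yields the same -1, so the caller cannot tell
 * "missing" from "exists but is not a namespace file". */
int open_netns_checked(const char *path)
{
    struct statfs sfs;
    char procfd[64];
    int pfd, fd = -1;

    /* O_PATH yields a handle without running the target's open handler,
     * so device nodes and proc/sys entries see no open at all. */
    pfd = open(path, O_PATH | O_CLOEXEC);
    if (pfd < 0)
        return -1;

    /* Inspect the handle, not the path, so there is no check/use race. */
    if (fstatfs(pfd, &sfs) == 0 && sfs.f_type == NSFS_MAGIC) {
        /* Re-open the verified object itself through its /proc/self/fd link. */
        snprintf(procfd, sizeof(procfd), "/proc/self/fd/%d", pfd);
        fd = open(procfd, O_RDONLY | O_CLOEXEC);
    }
    close(pfd);
    return fd;
}
```

The helper should also log and report one generic message for all rejections, since differing error text would reintroduce the existence signal.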
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
openEuler: 22.03 LTS
lxc-help: before 4.0.3-2022102408
lxc-devel: before 4.0.3-2022102408
lxc-debuginfo: before 4.0.3-2022102408
lxc-libs: before 4.0.3-2022102408
lxc-debugsource: before 4.0.3-2022102408
lxc: before 4.0.3-2022102408
External links
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1076
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.