Red Hat Enterprise Linux 9 update for krb5
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-17049 CVE-2022-37967 |
| CWE-ID | CWE-254 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Red Hat Enterprise Linux for ARM 64 Operating systems & Components / Operating system Red Hat Enterprise Linux for Power, little endian Operating systems & Components / Operating system Red Hat Enterprise Linux for IBM z Systems Operating systems & Components / Operating system Red Hat Enterprise Linux for x86_64 Operating systems & Components / Operating system krb5 (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Security Features
EUVDB-ID: #VU48269
Risk: Low
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-17049
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass authentication process.
The vulnerability exists due to security feature bypass issue in Kerberos. A remote administrator can bypass authentication process and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
krb5 (Red Hat package): before 1.20.1-8.el9
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_arm_64:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux:9:*:*:*:*:*:*:*
- cpe:2.3:o:red_hat:krb5_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2023:2570
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU69104
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-37967
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote administrator to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in Kerberos, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
krb5 (Red Hat package): before 1.20.1-8.el9
CPE2.3- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_arm_64:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_power_little_endian:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux_for_ibm_z_systems:9:*:*:*:*:red_hat_enterprise_linux:*:*
- cpe:2.3:o:red_hat:red_hat_enterprise_linux:9:*:*:*:*:*:*:*
- cpe:2.3:o:red_hat:krb5_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
https://access.redhat.com/errata/RHSA-2023:2570
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
