Anolis OS update for linux-firmware
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-46329 CVE-2023-20569 CVE-2023-20592 |
| CWE-ID | CWE-693 CWE-200 CWE-758 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system linux-firmware Operating systems & Components / Operating system package or component libertas-usb8388-olpc-firmware Operating systems & Components / Operating system package or component libertas-usb8388-firmware Operating systems & Components / Operating system package or component libertas-sd8787-firmware Operating systems & Components / Operating system package or component libertas-sd8686-firmware Operating systems & Components / Operating system package or component iwl7260-firmware Operating systems & Components / Operating system package or component iwl6050-firmware Operating systems & Components / Operating system package or component iwl6000g2b-firmware Operating systems & Components / Operating system package or component iwl6000g2a-firmware Operating systems & Components / Operating system package or component iwl6000-firmware Operating systems & Components / Operating system package or component iwl5150-firmware Operating systems & Components / Operating system package or component iwl5000-firmware Operating systems & Components / Operating system package or component iwl4965-firmware Operating systems & Components / Operating system package or component iwl3945-firmware Operating systems & Components / Operating system package or component iwl3160-firmware Operating systems & Components / Operating system package or component iwl2030-firmware Operating systems & Components / Operating system package or component iwl2000-firmware Operating systems & Components / Operating system package or component iwl135-firmware Operating systems & Components / Operating system package or component iwl105-firmware Operating systems & Components / Operating system package or component iwl1000-firmware Operating systems & Components / Operating system package or component iwl100-firmware Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Protection Mechanism Failure
EUVDB-ID: #VU79525
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-46329
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A local user can bypass implemented security restrictions and elevate privileges on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
linux-firmware: before 20240111-121.gitb3132c18
libertas-usb8388-olpc-firmware: before 20240111-121.gitb3132c18
libertas-usb8388-firmware: before 20240111-121.gitb3132c18
libertas-sd8787-firmware: before 20240111-121.gitb3132c18
libertas-sd8686-firmware: before 20240111-121.gitb3132c18
iwl7260-firmware: before 25.30.13.0-121
iwl6050-firmware: before 41.28.5.1-121
iwl6000g2b-firmware: before 18.168.6.1-121
iwl6000g2a-firmware: before 18.168.6.1-121
iwl6000-firmware: before 9.221.4.1-121
iwl5150-firmware: before 8.24.2.2-121
iwl5000-firmware: before 8.83.5.1_1-121
iwl4965-firmware: before 228.61.2.24-121
iwl3945-firmware: before 15.32.2.9-121
iwl3160-firmware: before 25.30.13.0-121
iwl2030-firmware: before 18.168.6.1-121
iwl2000-firmware: before 18.168.6.1-121
iwl135-firmware: before 18.168.6.1-121
iwl105-firmware: before 18.168.6.1-121
iwl1000-firmware: before 39.31.5.1-121
iwl100-firmware: before 39.31.5.1-121
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:linux-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-usb8388-olpc-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-usb8388-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-sd8787-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-sd8686-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl7260-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6050-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000g2b-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000g2a-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl5150-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl5000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl4965-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl3945-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl3160-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl2030-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl2000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl135-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl105-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl1000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl100-firmware:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0429
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU79263
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-20569
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to a side channel issue in AMD CPUs. A remote user can influence the return address prediction and gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
linux-firmware: before 20240111-121.gitb3132c18
libertas-usb8388-olpc-firmware: before 20240111-121.gitb3132c18
libertas-usb8388-firmware: before 20240111-121.gitb3132c18
libertas-sd8787-firmware: before 20240111-121.gitb3132c18
libertas-sd8686-firmware: before 20240111-121.gitb3132c18
iwl7260-firmware: before 25.30.13.0-121
iwl6050-firmware: before 41.28.5.1-121
iwl6000g2b-firmware: before 18.168.6.1-121
iwl6000g2a-firmware: before 18.168.6.1-121
iwl6000-firmware: before 9.221.4.1-121
iwl5150-firmware: before 8.24.2.2-121
iwl5000-firmware: before 8.83.5.1_1-121
iwl4965-firmware: before 228.61.2.24-121
iwl3945-firmware: before 15.32.2.9-121
iwl3160-firmware: before 25.30.13.0-121
iwl2030-firmware: before 18.168.6.1-121
iwl2000-firmware: before 18.168.6.1-121
iwl135-firmware: before 18.168.6.1-121
iwl105-firmware: before 18.168.6.1-121
iwl1000-firmware: before 39.31.5.1-121
iwl100-firmware: before 39.31.5.1-121
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:linux-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-usb8388-olpc-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-usb8388-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-sd8787-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-sd8686-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl7260-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6050-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000g2b-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000g2a-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl5150-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl5000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl4965-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl3945-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl3160-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl2030-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl2000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl135-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl105-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl1000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl100-firmware:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0429
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Reliance on undefined behavior
EUVDB-ID: #VU84028
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-20592
CWE-ID:
CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to unexpected behavior of the INVD instruction in some AMD CPUs. A malicious hypervisor can affect cache line write-back behavior of the CPU and modify guest virtual machine (VM) memory.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
linux-firmware: before 20240111-121.gitb3132c18
libertas-usb8388-olpc-firmware: before 20240111-121.gitb3132c18
libertas-usb8388-firmware: before 20240111-121.gitb3132c18
libertas-sd8787-firmware: before 20240111-121.gitb3132c18
libertas-sd8686-firmware: before 20240111-121.gitb3132c18
iwl7260-firmware: before 25.30.13.0-121
iwl6050-firmware: before 41.28.5.1-121
iwl6000g2b-firmware: before 18.168.6.1-121
iwl6000g2a-firmware: before 18.168.6.1-121
iwl6000-firmware: before 9.221.4.1-121
iwl5150-firmware: before 8.24.2.2-121
iwl5000-firmware: before 8.83.5.1_1-121
iwl4965-firmware: before 228.61.2.24-121
iwl3945-firmware: before 15.32.2.9-121
iwl3160-firmware: before 25.30.13.0-121
iwl2030-firmware: before 18.168.6.1-121
iwl2000-firmware: before 18.168.6.1-121
iwl135-firmware: before 18.168.6.1-121
iwl105-firmware: before 18.168.6.1-121
iwl1000-firmware: before 39.31.5.1-121
iwl100-firmware: before 39.31.5.1-121
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:linux-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-usb8388-olpc-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-usb8388-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-sd8787-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libertas-sd8686-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl7260-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6050-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000g2b-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000g2a-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl6000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl5150-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl5000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl4965-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl3945-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl3160-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl2030-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl2000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl135-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl105-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl1000-firmware:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:iwl100-firmware:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:0429
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
