SB2022051078 - Fedora 36 update for microcode_ctl

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022051078

SB2022051078 - Fedora 36 update for microcode_ctl

Published: May 10, 2022

Security Bulletin ID SB2022051078
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Physical access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2022-0005)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to sensitive information becomes accessible by physical probing of JTAG interface in the Intel Software Guard Extensions (SGX) Platform. An attacker with physical access to the affected device can gain access to sensitive data.


2) Improper access control (CVE-ID: CVE-2022-21131)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions. A local user can gain access to sensitive information.


3) Input validation error (CVE-ID: CVE-2022-21136)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A local privileged user can perform a denial of service (DoS) attack.


4) Information disclosure (CVE-ID: CVE-2022-21151)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to an error during processor optimization removal or modification of security-critical code. A local privileged user can gain access to potentially sensitive information.


Remediation

Install update from vendor's website.

References