SB2022090827 - Multiple vulnerabilities in OpenShift Container Platform 4.10 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022090827

SB2022090827 - Multiple vulnerabilities in OpenShift Container Platform 4.10

Published: September 8, 2022

Security Bulletin ID SB2022090827
Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 13% Medium 50% Low 38%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2022-26945)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Input validation error (CVE-ID: CVE-2022-30321)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an unspecified error. A remote attacker can perform a denial of service (DoS) attack.


3) Input validation error (CVE-ID: CVE-2022-30322)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an unspecified error. A remote attacker can perform a denial of service (DoS) attack.


4) Input validation error (CVE-ID: CVE-2022-30323)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an unspecified error. A remote attacker can perform a denial of service (DoS) attack.


5) Information disclosure (CVE-ID: CVE-2022-0494)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in the scsi_ioctl() function in drivers/scsi/scsi_ioctl.c in the Linux kernel. A local user with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) can gain unauthorized access to sensitive information on the system.


6) Information disclosure (CVE-ID: CVE-2022-1353)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the pfkey_register function in net/key/af_key.c in the Linux kernel. A local user can gain unauthorized access to kernel memory, leading to a system crash or a leak of internal kernel information.


7) Use-after-free (CVE-ID: CVE-2022-2526)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the on_stream_io() and dns_stream_complete() functions in resolved-dns-stream.c, which do not increment the reference counting for the DnsStream object. A remote attacker can send to the system specially crafted DNS responses, trigger a use-after-free error and perform a denial of service (DoS) attack.


8) Path traversal (CVE-ID: CVE-2022-29154)

The vulnerability allows a remote server to perform directory traversal attacks.

The vulnerability exists due to input validation error within the rsync client  when processing file names. A remote malicious server overwrite arbitrary files in the rsync client target directory and subdirectories on the connected peer.


Remediation

Install update from vendor's website.

References