Multiple vulnerabilities in Oracle Linux



Published: 2022-10-20 | Updated: 2023-05-21
Risk Critical
Patch available YES
Number of vulnerabilities 89
CVE-ID CVE-2022-21418
CVE-2022-21435
CVE-2022-21427
CVE-2022-21417
CVE-2022-21415
CVE-2022-21414
CVE-2022-21413
CVE-2022-21412
CVE-2022-21539
CVE-2022-33987
CVE-2022-21437
CVE-2022-21528
CVE-2022-21527
CVE-2022-21509
CVE-2022-21479
CVE-2022-21478
CVE-2022-21459
CVE-2022-21440
CVE-2022-21425
CVE-2022-2078
CVE-2022-21436
CVE-2022-21438
CVE-2022-40957
CVE-2022-21537
CVE-2022-21423
CVE-2022-21538
CVE-2022-21522
CVE-2022-21460
CVE-2022-21451
CVE-2022-21444
CVE-2022-21553
CVE-2022-21547
CVE-2022-21534
CVE-2022-21452
CVE-2022-21531
CVE-2022-21530
CVE-2022-21529
CVE-2022-21526
CVE-2022-21525
CVE-2022-21517
CVE-2022-21515
CVE-2022-21462
CVE-2022-21455
CVE-2021-3669
CVE-2022-21457
CVE-2022-40674
CVE-2022-40959
CVE-2022-32212
CVE-2022-29244
CVE-2021-3807
CVE-2021-33502
CVE-2020-28469
CVE-2022-2509
CVE-2022-40962
CVE-2022-40960
CVE-2022-31213
CVE-2022-3033
CVE-2022-31212
CVE-2022-38178
CVE-2022-38177
CVE-2022-3080
CVE-2022-34918
CVE-2022-2585
CVE-2022-41032
CVE-2022-32893
CVE-2022-41318
CVE-2022-25857
CVE-2022-34903
CVE-2022-32215
CVE-2022-36059
CVE-2022-3034
CVE-2022-3032
CVE-2022-40958
CVE-2022-40956
CVE-2022-28739
CVE-2022-28738
CVE-2022-21385
CVE-2022-32214
CVE-2020-7788
CVE-2022-32213
CVE-2022-21569
CVE-2022-21556
CVE-2022-21454
CVE-2022-3028
CVE-2022-21499
CVE-2022-2588
CVE-2022-2586
CVE-2022-1280
CVE-2022-21546
CWE-ID CWE-20
CWE-601
CWE-119
CWE-125
CWE-400
CWE-416
CWE-254
CWE-703
CWE-200
CWE-185
CWE-415
CWE-476
CWE-401
CWE-843
CWE-399
CWE-264
CWE-787
CWE-347
CWE-444
CWE-704
CWE-94
CWE-362
CWE-284
Exploitation vector Network
Public exploit Public exploit code for vulnerability #56 is available.
Public exploit code for vulnerability #58 is available.
Public exploit code for vulnerability #62 is available.
Public exploit code for vulnerability #63 is available.
Vulnerability #65 is being exploited in the wild.
Public exploit code for vulnerability #86 is available.
Public exploit code for vulnerability #87 is available.
Vulnerable software
Subscribe
Oracle Linux
Operating systems & Components / Operating system

Vendor Oracle

Security Bulletin

This security bulletin contains information about 89 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU62415

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21418

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper input validation

EUVDB-ID: #VU62421

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21435

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper input validation

EUVDB-ID: #VU62418

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21427

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: FTS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Improper input validation

EUVDB-ID: #VU62416

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21417

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Improper input validation

EUVDB-ID: #VU62427

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21415

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Improper input validation

EUVDB-ID: #VU62420

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21414

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Improper input validation

EUVDB-ID: #VU62417

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21413

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Improper input validation

EUVDB-ID: #VU62419

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21412

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Improper input validation

EUVDB-ID: #VU65511

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21539

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote authenticated user can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Open redirect

EUVDB-ID: #VU66400

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-33987

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to requested URLs are not verified and allow open redirection to a local UNIX socket. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Improper input validation

EUVDB-ID: #VU62423

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21437

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Improper input validation

EUVDB-ID: #VU65509

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21528

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Improper input validation

EUVDB-ID: #VU65508

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21527

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Improper input validation

EUVDB-ID: #VU65510

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21509

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) Input validation error

EUVDB-ID: #VU62414

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21479

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Optimizer component. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

16) Improper input validation

EUVDB-ID: #VU62413

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21478

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

17) Improper input validation

EUVDB-ID: #VU62412

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21459

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

18) Improper input validation

EUVDB-ID: #VU62411

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21440

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

19) Improper input validation

EUVDB-ID: #VU62410

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21425

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

20) Buffer overflow

EUVDB-ID: #VU65642

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2078

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the nft_set_desc_concat_parse() function in Linux kernel. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

21) Improper input validation

EUVDB-ID: #VU62422

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21436

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

22) Improper input validation

EUVDB-ID: #VU62424

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21438

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

23) Input validation error

EUVDB-ID: #VU67504

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-40957

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to inconsistent data in instruction and data cache when creating wasm code. A remote attacker can trick the victim to open a specially crafted web page, trigger memory corruption and potentially execute arbitrary code.

Note, the vulnerability affects Firefox on ARM64 platforms only.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

24) Improper input validation

EUVDB-ID: #VU65513

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21537

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

25) Improper input validation

EUVDB-ID: #VU62434

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21423

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

26) Improper input validation

EUVDB-ID: #VU65526

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21538

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

27) Improper input validation

EUVDB-ID: #VU65524

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21522

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

28) Improper input validation

EUVDB-ID: #VU62430

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21460

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Server: Logging component in MySQL Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

29) Improper input validation

EUVDB-ID: #VU62428

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21451

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

30) Improper input validation

EUVDB-ID: #VU62429

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21444

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

31) Improper input validation

EUVDB-ID: #VU65520

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21553

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

32) Improper input validation

EUVDB-ID: #VU65514

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21547

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Federated component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

33) Improper input validation

EUVDB-ID: #VU65523

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21534

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

34) Improper input validation

EUVDB-ID: #VU62425

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21452

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

35) Improper input validation

EUVDB-ID: #VU65519

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21531

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

36) Improper input validation

EUVDB-ID: #VU65518

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21530

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

37) Improper input validation

EUVDB-ID: #VU65517

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21529

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

38) Improper input validation

EUVDB-ID: #VU65516

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21526

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

39) Improper input validation

EUVDB-ID: #VU65515

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21525

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

40) Improper input validation

EUVDB-ID: #VU65512

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21517

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

41) Improper input validation

EUVDB-ID: #VU65521

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21515

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Options component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

42) Improper input validation

EUVDB-ID: #VU62426

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21462

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

43) Improper input validation

EUVDB-ID: #VU65522

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21455

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to manipulate data.

The vulnerability exists due to improper input validation within the Server: PAM Auth Plugin component in MySQL Server. A remote privileged user can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

44) Resource exhaustion

EUVDB-ID: #VU63911

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-3669

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to measuring usage of the shared memory does not scale with large shared memory segment counts. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

45) Improper input validation

EUVDB-ID: #VU62409

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21457

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Server: PAM Auth Plugin component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

46) Use-after-free

EUVDB-ID: #VU67532

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-40674

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the doContent() function in xmlparse.c. A remote attacker can pass specially crafted input to the application that is using the affected library, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

47) Security features bypass

EUVDB-ID: #VU67500

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-40959

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect initialization of FeaturePolicy on all pages during iframe navigation. A remote attacker can trick the victim to open a specially crafted website, bypass FeaturePolicy restrictions and force the browser to leak device permissions into untrusted subdocuments.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

48) Improper Check or Handling of Exceptional Conditions

EUVDB-ID: #VU65273

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32212

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to IsIPAddress does not properly checks if an IP address is invalid or not. A remote unauthenticated attacker can exploit this vulnerability to bypass the IsAllowedHost check and execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

49) Information disclosure

EUVDB-ID: #VU66698

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-29244

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, may be affected and have published files into the npm registry they did not intend to include.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

50) Input validation error

EUVDB-ID: #VU57967

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3807

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

51) Incorrect Regular Expression

EUVDB-ID: #VU63698

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33502

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to exponential performance for data. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

52) Incorrect Regular Expression

EUVDB-ID: #VU52985

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-28469

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect handling of user-supplied input in regular expression. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

53) Double Free

EUVDB-ID: #VU65915

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2509

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within gnutls_pkcs7_verify() function when verifying the pkcs7 signatures. A remote attacker can pass specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

54) Buffer overflow

EUVDB-ID: #VU67505

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-40962

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

55) Use-after-free

EUVDB-ID: #VU67501

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-40960

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error caused by a concurrent use of the URL parser with non-UTF-8 data. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

56) NULL pointer dereference

EUVDB-ID: #VU67528

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31213

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: Yes

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when handling a malformed XML config file. A local user can supply a specially crafted XML file to the service and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

57) Information disclosure

EUVDB-ID: #VU66919

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3033

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way Thunderbird handles the meta tag having the http-equiv="refresh" attribute in email messages when the user replies to an email. A remote attacker can send a specially crafted email to the victim and force the application to initiate requests to an external URL regardless of the configuration to block remote content.

Combined with other HTML elements and attributes in the email, it is possible to execute arbitrary JavaScript code included into the malicious message in the context of the message compose document and read or modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

58) Out-of-bounds read

EUVDB-ID: #VU67527

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31212

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when parsing DBus service Exec line in c-uitl/c-shquote. A local user can pass specially crafted input to the service, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

59) Memory leak

EUVDB-ID: #VU67550

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-38178

CWE-ID: CWE-401 - Memory leak

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the DNSSEC verification code for the EdDSA algorithm. A remote attacker can spoof the target resolver with responses that have a malformed EdDSA signature and perform denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

60) Memory leak

EUVDB-ID: #VU67549

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-38177

CWE-ID: CWE-401 - Memory leak

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the DNSSEC verification code for the ECDSA algorithm. A remote attacker can spoof the target resolver with responses that have a malformed ECDSA signature and perform denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

61) Input validation error

EUVDB-ID: #VU67548

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3080

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when resolvers are configured to answer from stale cache with zero stale-answer-client-timeout and there is a stale CNAME in the cache for an incoming query. A remote attacker can send a specially crafted request to the DNS resolver and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

62) Type Confusion

EUVDB-ID: #VU65360

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-34918

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in the Linux kernel’s Netfilter subsystem in the way a user provides incorrect input of the NFT_DATA_VERDICT type. A local user can pass specially crafted data to the application, trigger a type confusion error and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

63) Resource management error

EUVDB-ID: #VU66394

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2585

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: Yes

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack or escalate privileges on the system.

The vulnerability exists due to improper management of internal resources in POSIX CPU timers when handling death of a process. A local user can crash the kernel or execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

64) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU68170

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-41032

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions in the NuGet Client, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

65) Out-of-bounds write

EUVDB-ID: #VU66587

Risk: Critical

CVSSv3.1:

CVE-ID: CVE-2022-32893

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

66) Out-of-bounds read

EUVDB-ID: #VU67609

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-41318

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information or crash the server.

The vulnerability exists due to a boundary condition within SSPI and SMB authentication helpers. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system or crash the server.

Successful exploitation of the vulnerability requires that Squid is configured to use NTLM or Negotiate authentication with one of the vulnerable helpers.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

67) Resource exhaustion

EUVDB-ID: #VU67665

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-25857

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling YAML files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

68) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU64909

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-34903

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error in GnuPG, which allows signature spoofing via arbitrary injection into the status line. A remote attacker who controls the secret part of any signing-capable key or subkey in the victim's keyring, can take advantage of this flaw to provide a correctly-formed signature that some software, including gpgme, will accept to have validity and signer fingerprint chosen from the attacker.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

69) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU65282

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32215

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

70) Input validation error

EUVDB-ID: #VU66922

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-36059

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Matrix SDK. A remote attacker sharing a room with a victim can hide some of the rooms or spaces from users and cause minor temporary corruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

71) Security features bypass

EUVDB-ID: #VU66921

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3034

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to iframe elements in an HTML email force the application to initiate network requests. A remote attacker can use an iframe to confirm that the email was read by the victim and obtain victim's IP address.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

72) Security features bypass

EUVDB-ID: #VU66920

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-3032

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists doe to incorrect processing of HTML emails with an iframe</code> element that uses a <code>srcdoc attribute to define the inner HTML document. A remote attacker can trick the victim to open a specially crafted email message and bypass blocking of remote objects specified in the nested document, for example images or videos.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

73) Security features bypass

EUVDB-ID: #VU67502

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-40958

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect handling of cookies. A remote attacker with access to a shared subdomain can inject a cookies with certain special characters, bypass Secure Context restriction for cookies with __Host and __Secure prefix and overwrite these cookies, potentially allowing session fixation attacks. 

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

74) Security features bypass

EUVDB-ID: #VU67503

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-40956

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to some requests may ignore the CSP's base-uri settings when handling HTML base element injection. A remote attacker can force the browser to accept the injected element's base instead of the original code, leading to Content Security Policy bypass.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

75) Type conversion

EUVDB-ID: #VU62081

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-28739

CWE-ID: CWE-704 - Type conversion

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a type conversion error in some convertion methods like Kernel#Float</code> and <code>String#to_f. A remote attacker can pass specially crafted data to the affected application, trigger memory corruption and execute arbitrary code in the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

76) Double Free

EUVDB-ID: #VU62080

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-28738

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Regexp compilation process in Ruby. A remote attacker can pass specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

77) Input validation error

EUVDB-ID: #VU67475

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21385

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the net_rds_alloc_sgs() function in net/rds/message.c in Linux kernel. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

78) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU65278

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32214

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

79) Prototype pollution

EUVDB-ID: #VU66955

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7788

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation when handling INI files. A remote attacker can pass a specially crafted INI file to the application and perform prototype pollution attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

80) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU65275

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32213

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially-crafted request to lead to HTTP Request Smuggling to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

81) Improper input validation

EUVDB-ID: #VU65505

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21569

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

82) Improper input validation

EUVDB-ID: #VU65504

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21556

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

83) Improper input validation

EUVDB-ID: #VU62404

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21454

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Group Replication Plugin component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

84) Race condition

EUVDB-ID: #VU67477

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-3028

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. A local user can exploit the race and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

85) Improper access control

EUVDB-ID: #VU63961

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21499

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to improper access restrictions to the kernel debugger when booted in secure boot environments. A local privileged user can bypass UEFI Secure Boot restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

86) Double Free

EUVDB-ID: #VU66397

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2588

CWE-ID: CWE-415 - Double Free

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a double free error within the network packet scheduler implementation in the route4_change() function in Linux kernel when removing all references to a route filter before freeing it. A local user can run a specially crafted program to crash the kernel or execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

87) Use-after-free

EUVDB-ID: #VU66396

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2586

CWE-ID: CWE-416 - Use After Free

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the the netfilter subsystem implementation in Linux kernel when preventing one nft object from referencing an nft set in another nft table. A local user can trigger a use-after-free error and execute arbitrary code on the system with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7 - 8.6


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

88) Use-after-free

EUVDB-ID: #VU62358

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1280

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a use-after-free error within the drm_lease_held() function in drivers/gpu/drm/drm_lease.c in the Linux kernel. A local user can run a specially crafted program to trigger a use-after-free error and crash the kernel or gain access to sensitive information.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7 - 8.6


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

89) Buffer overflow

EUVDB-ID: #VU68553

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21546

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the scsi subsystem within the OS kernel. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 8.6


CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###