Multiple vulnerabilities in Oracle Linux



Published: 2022-10-20 | Updated: 2023-10-12
Risk Critical
Patch available YES
Number of vulnerabilities 405
CVE-ID CVE-2022-21418
CVE-2022-21435
CVE-2022-21427
CVE-2022-21417
CVE-2022-21415
CVE-2022-21414
CVE-2022-21413
CVE-2022-21412
CVE-2022-21539
CVE-2022-33987
CVE-2022-21437
CVE-2022-21528
CVE-2022-21527
CVE-2022-21509
CVE-2022-21479
CVE-2022-21478
CVE-2022-21459
CVE-2022-21440
CVE-2022-21425
CVE-2022-2078
CVE-2022-21436
CVE-2022-21438
CVE-2022-40957
CVE-2022-21537
CVE-2022-21423
CVE-2022-21538
CVE-2022-21522
CVE-2022-21460
CVE-2022-21451
CVE-2022-21444
CVE-2022-21553
CVE-2022-21547
CVE-2022-21534
CVE-2022-21452
CVE-2022-21531
CVE-2022-21530
CVE-2022-21529
CVE-2022-21526
CVE-2022-21525
CVE-2022-21517
CVE-2022-21515
CVE-2022-21462
CVE-2022-21455
CVE-2021-3669
CVE-2022-21457
CVE-2022-40674
CVE-2022-40959
CVE-2022-32212
CVE-2022-29244
CVE-2021-3807
CVE-2021-33502
CVE-2020-28469
CVE-2022-2509
CVE-2022-40962
CVE-2022-40960
CVE-2022-31213
CVE-2022-3033
CVE-2022-31212
CVE-2022-38178
CVE-2022-38177
CVE-2022-3080
CVE-2022-34918
CVE-2022-2585
CVE-2022-41032
CVE-2022-32893
CVE-2022-41318
CVE-2022-25857
CVE-2022-34903
CVE-2022-32215
CVE-2022-36059
CVE-2022-3034
CVE-2022-3032
CVE-2022-40958
CVE-2022-40956
CVE-2022-28739
CVE-2022-28738
CVE-2022-21385
CVE-2022-32214
CVE-2020-7788
CVE-2022-32213
CVE-2022-21569
CVE-2022-21556
CVE-2022-21454
CVE-2022-3028
CVE-2022-21499
CVE-2022-2588
CVE-2022-2586
CVE-2022-1280
CVE-2022-21546
CVE-2015-20107
CVE-2016-3709
CVE-2019-11358
CVE-2020-0256
CVE-2020-10735
CVE-2020-23903
CVE-2020-28851
CVE-2020-28852
CVE-2020-28948
CVE-2020-28949
CVE-2020-35525
CVE-2020-35527
CVE-2020-36193
CVE-2020-36516
CVE-2020-36558
CVE-2021-0308
CVE-2021-0561
CVE-2021-20199
CVE-2021-20291
CVE-2021-21707
CVE-2021-21708
CVE-2021-22570
CVE-2021-23648
CVE-2021-2478
CVE-2021-2479
CVE-2021-2481
CVE-2021-25220
CVE-2021-25636
CVE-2021-28861
CVE-2021-30002
CVE-2021-32610
CVE-2021-33195
CVE-2021-33197
CVE-2021-33198
CVE-2021-34558
CVE-2021-3497
CVE-2021-3507
CVE-2021-35546
CVE-2021-35575
CVE-2021-35577
CVE-2021-35591
CVE-2021-35596
CVE-2021-35597
CVE-2021-35602
CVE-2021-35604
CVE-2021-35607
CVE-2021-35608
CVE-2021-35610
CVE-2021-35612
CVE-2021-35622
CVE-2021-35623
CVE-2021-35624
CVE-2021-35625
CVE-2021-35626
CVE-2021-35627
CVE-2021-35628
CVE-2021-35630
CVE-2021-35631
CVE-2021-35632
CVE-2021-35633
CVE-2021-35634
CVE-2021-35635
CVE-2021-35636
CVE-2021-35637
CVE-2021-35638
CVE-2021-35639
CVE-2021-35640
CVE-2021-35641
CVE-2021-35642
CVE-2021-35643
CVE-2021-35644
CVE-2021-35645
CVE-2021-35646
CVE-2021-35647
CVE-2021-35648
CVE-2021-3611
CVE-2021-36221
CVE-2021-3631
CVE-2021-3640
CVE-2021-3750
CVE-2021-3839
CVE-2021-4024
CVE-2021-4048
CVE-2021-41190
CVE-2021-4158
CVE-2021-44269
CVE-2021-44531
CVE-2021-44532
CVE-2021-44533
CVE-2021-44906
CVE-2021-46143
CVE-2021-46828
CVE-2022-0168
CVE-2022-0216
CVE-2022-0396
CVE-2022-0494
CVE-2022-0561
CVE-2022-0562
CVE-2022-0617
CVE-2022-0854
CVE-2022-0865
CVE-2022-0891
CVE-2022-0897
CVE-2022-0908
CVE-2022-0909
CVE-2022-0918
CVE-2022-0924
CVE-2022-0934
CVE-2022-0996
CVE-2022-1016
CVE-2022-1048
CVE-2022-1055
CVE-2022-1122
CVE-2022-1184
CVE-2022-1304
CVE-2022-1328
CVE-2022-1348
CVE-2022-1353
CVE-2022-1354
CVE-2022-1355
CVE-2022-1471
CVE-2022-1679
CVE-2022-1705
CVE-2022-1706
CVE-2022-1708
CVE-2022-1852
CVE-2022-1962
CVE-2022-1998
CVE-2022-20368
CVE-2022-21123
CVE-2022-21125
CVE-2022-21166
CVE-2022-21245
CVE-2022-21249
CVE-2022-21253
CVE-2022-21254
CVE-2022-21256
CVE-2022-21264
CVE-2022-21265
CVE-2022-21270
CVE-2022-21278
CVE-2022-21297
CVE-2022-21301
CVE-2022-21302
CVE-2022-21303
CVE-2022-21304
CVE-2022-2132
CVE-2022-21339
CVE-2022-21342
CVE-2022-21344
CVE-2022-21348
CVE-2022-21351
CVE-2022-21352
CVE-2022-21358
CVE-2022-21362
CVE-2022-21367
CVE-2022-21368
CVE-2022-21370
CVE-2022-21372
CVE-2022-21374
CVE-2022-21378
CVE-2022-21379
CVE-2022-21618
CVE-2022-21619
CVE-2022-21624
CVE-2022-21626
CVE-2022-21628
CVE-2022-21673
CVE-2022-21682
CVE-2022-21698
CVE-2022-21702
CVE-2022-21703
CVE-2022-21713
CVE-2022-21824
CVE-2022-2211
CVE-2022-22624
CVE-2022-22628
CVE-2022-22629
CVE-2022-22662
CVE-2022-22719
CVE-2022-22721
CVE-2022-22822
CVE-2022-22823
CVE-2022-22824
CVE-2022-22825
CVE-2022-22826
CVE-2022-22827
CVE-2022-22844
CVE-2022-2309
CVE-2022-2319
CVE-2022-2320
CVE-2022-23645
CVE-2022-23816
CVE-2022-23825
CVE-2022-2393
CVE-2022-23943
CVE-2022-23960
CVE-2022-2414
CVE-2022-24448
CVE-2022-24735
CVE-2022-24736
CVE-2022-24795
CVE-2022-25255
CVE-2022-25308
CVE-2022-25309
CVE-2022-25310
CVE-2022-2602
CVE-2022-26125
CVE-2022-2625
CVE-2022-26373
CVE-2022-26377
CVE-2022-2639
CVE-2022-26700
CVE-2022-26709
CVE-2022-26710
CVE-2022-26716
CVE-2022-26717
CVE-2022-26719
CVE-2022-27191
CVE-2022-27337
CVE-2022-27404
CVE-2022-27405
CVE-2022-27406
CVE-2022-27664
CVE-2022-27775
CVE-2022-27950
CVE-2022-28131
CVE-2022-28199
CVE-2022-28390
CVE-2022-2850
CVE-2022-28614
CVE-2022-28615
CVE-2022-28893
CVE-2022-29162
CVE-2022-2938
CVE-2022-29404
CVE-2022-29581
CVE-2022-2989
CVE-2022-2990
CVE-2022-29900
CVE-2022-29901
CVE-2022-30067
CVE-2022-30123
CVE-2022-30293
CVE-2022-30522
CVE-2022-30550
CVE-2022-30556
CVE-2022-30594
CVE-2022-30630
CVE-2022-30631
CVE-2022-30632
CVE-2022-30633
CVE-2022-30635
CVE-2022-30698
CVE-2022-30699
CVE-2022-31625
CVE-2022-31813
CVE-2022-32148
CVE-2022-32189
CVE-2022-3239
CVE-2022-32742
CVE-2022-32746
CVE-2022-32990
CVE-2022-33068
CVE-2022-33099
CVE-2022-3500
CVE-2022-3515
CVE-2022-3517
CVE-2022-35255
CVE-2022-35256
CVE-2022-3550
CVE-2022-3551
CVE-2022-3565
CVE-2022-3602
CVE-2022-36946
CVE-2022-37434
CVE-2022-3786
CVE-2022-3787
CVE-2022-39190
CVE-2022-39236
CVE-2022-39249
CVE-2022-39250
CVE-2022-39251
CVE-2022-39399
CVE-2022-40768
CVE-2022-41853
CVE-2022-41974
CVE-2022-42898
CVE-2022-42919
CVE-2022-42920
CVE-2022-42927
CVE-2022-42928
CVE-2022-42929
CVE-2022-42932
CVE-2022-43548
CVE-2022-4378
CVE-2022-45060
CVE-2022-45403
CVE-2022-45404
CVE-2022-45405
CVE-2022-45406
CVE-2022-45408
CVE-2022-45409
CVE-2022-45410
CVE-2022-45411
CVE-2022-45412
CVE-2022-45414
CVE-2022-45416
CVE-2022-45418
CVE-2022-45420
CVE-2022-45421
CVE-2022-46872
CVE-2022-46874
CVE-2022-46878
CVE-2022-46880
CVE-2022-46881
CVE-2022-46882
CWE-ID CWE-20
CWE-601
CWE-119
CWE-125
CWE-400
CWE-416
CWE-254
CWE-703
CWE-200
CWE-185
CWE-415
CWE-476
CWE-401
CWE-843
CWE-399
CWE-264
CWE-787
CWE-347
CWE-444
CWE-704
CWE-94
CWE-362
CWE-284
CWE-78
CWE-79
CWE-369
CWE-129
CWE-502
CWE-61
CWE-327
CWE-346
CWE-667
CWE-350
CWE-295
CWE-59
CWE-862
CWE-122
CWE-732
CWE-297
CWE-190
CWE-617
CWE-613
CWE-824
CWE-276
CWE-22
CWE-352
CWE-639
CWE-287
CWE-1037
CWE-611
CWE-909
CWE-121
CWE-191
CWE-388
CWE-911
CWE-863
CWE-120
CWE-341
CWE-908
CWE-755
CWE-330
CWE-285
CWE-345
CWE-749
CWE-918
CWE-451
Exploitation vector Network
Public exploit Public exploit code for vulnerability #20 is available.
Public exploit code for vulnerability #56 is available.
Public exploit code for vulnerability #58 is available.
Vulnerability #62 is being exploited in the wild.
Public exploit code for vulnerability #63 is available.
Vulnerability #65 is being exploited in the wild.
Public exploit code for vulnerability #86 is available.
Public exploit code for vulnerability #87 is available.
Public exploit code for vulnerability #92 is available.
Public exploit code for vulnerability #98 is available.
Vulnerability #99 is being exploited in the wild.
Vulnerability #102 is being exploited in the wild.
Public exploit code for vulnerability #110 is available.
Vulnerability #120 is being exploited in the wild.
Public exploit code for vulnerability #124 is available.
Public exploit code for vulnerability #195 is available.
Public exploit code for vulnerability #210 is available.
Public exploit code for vulnerability #267 is available.
Public exploit code for vulnerability #287 is available.
Public exploit code for vulnerability #296 is available.
Public exploit code for vulnerability #301 is available.
Public exploit code for vulnerability #306 is available.
Public exploit code for vulnerability #363 is available.
Public exploit code for vulnerability #364 is available.
Public exploit code for vulnerability #365 is available.
Public exploit code for vulnerability #366 is available.
Public exploit code for vulnerability #385 is available.
Vulnerable software
Subscribe
Oracle Linux
Operating systems & Components / Operating system

Vendor Oracle

Security Bulletin

This security bulletin contains information about 405 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU62415

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21418

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper input validation

EUVDB-ID: #VU62421

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21435

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper input validation

EUVDB-ID: #VU62418

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21427

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: FTS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Improper input validation

EUVDB-ID: #VU62416

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21417

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Improper input validation

EUVDB-ID: #VU62427

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21415

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Improper input validation

EUVDB-ID: #VU62420

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21414

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Improper input validation

EUVDB-ID: #VU62417

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21413

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Improper input validation

EUVDB-ID: #VU62419

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21412

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Improper input validation

EUVDB-ID: #VU65511

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21539

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote authenticated user can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Open redirect

EUVDB-ID: #VU66400

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-33987

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to requested URLs are not verified and allow open redirection to a local UNIX socket. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Improper input validation

EUVDB-ID: #VU62423

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21437

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Improper input validation

EUVDB-ID: #VU65509

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21528

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Improper input validation

EUVDB-ID: #VU65508

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21527

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Improper input validation

EUVDB-ID: #VU65510

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21509

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) Input validation error

EUVDB-ID: #VU62414

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21479

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Optimizer component. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

16) Improper input validation

EUVDB-ID: #VU62413

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21478

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

17) Improper input validation

EUVDB-ID: #VU62412

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21459

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

18) Improper input validation

EUVDB-ID: #VU62411

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21440

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

19) Improper input validation

EUVDB-ID: #VU62410

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21425

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

20) Buffer overflow

EUVDB-ID: #VU65642

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2078

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the nft_set_desc_concat_parse() function in Linux kernel. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

21) Improper input validation

EUVDB-ID: #VU62422

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21436

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

22) Improper input validation

EUVDB-ID: #VU62424

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21438

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

23) Input validation error

EUVDB-ID: #VU67504

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-40957

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to inconsistent data in instruction and data cache when creating wasm code. A remote attacker can trick the victim to open a specially crafted web page, trigger memory corruption and potentially execute arbitrary code.

Note, the vulnerability affects Firefox on ARM64 platforms only.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

24) Improper input validation

EUVDB-ID: #VU65513

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21537

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

25) Improper input validation

EUVDB-ID: #VU62434

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21423

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

26) Improper input validation

EUVDB-ID: #VU65526

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21538

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

27) Improper input validation

EUVDB-ID: #VU65524

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21522

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

28) Improper input validation

EUVDB-ID: #VU62430

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21460

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Server: Logging component in MySQL Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

29) Improper input validation

EUVDB-ID: #VU62428

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21451

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

30) Improper input validation

EUVDB-ID: #VU62429

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21444

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

31) Improper input validation

EUVDB-ID: #VU65520

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21553

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

32) Improper input validation

EUVDB-ID: #VU65514

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21547

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Federated component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

33) Improper input validation

EUVDB-ID: #VU65523

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21534

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

34) Improper input validation

EUVDB-ID: #VU62425

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21452

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

35) Improper input validation

EUVDB-ID: #VU65519

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21531

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

36) Improper input validation

EUVDB-ID: #VU65518

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21530

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

37) Improper input validation

EUVDB-ID: #VU65517

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21529

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

38) Improper input validation

EUVDB-ID: #VU65516

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21526

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

39) Improper input validation

EUVDB-ID: #VU65515

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21525

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

40) Improper input validation

EUVDB-ID: #VU65512

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21517

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

41) Improper input validation

EUVDB-ID: #VU65521

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21515

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Options component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

42) Improper input validation

EUVDB-ID: #VU62426

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21462

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

43) Improper input validation

EUVDB-ID: #VU65522

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21455

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to manipulate data.

The vulnerability exists due to improper input validation within the Server: PAM Auth Plugin component in MySQL Server. A remote privileged user can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

44) Resource exhaustion

EUVDB-ID: #VU63911

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-3669

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to measuring usage of the shared memory does not scale with large shared memory segment counts. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

45) Improper input validation

EUVDB-ID: #VU62409

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21457

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Server: PAM Auth Plugin component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

46) Use-after-free

EUVDB-ID: #VU67532

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-40674

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the doContent() function in xmlparse.c. A remote attacker can pass specially crafted input to the application that is using the affected library, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

47) Security features bypass

EUVDB-ID: #VU67500

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-40959

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect initialization of FeaturePolicy on all pages during iframe navigation. A remote attacker can trick the victim to open a specially crafted website, bypass FeaturePolicy restrictions and force the browser to leak device permissions into untrusted subdocuments.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

48) Improper Check or Handling of Exceptional Conditions

EUVDB-ID: #VU65273

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32212

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to IsIPAddress does not properly checks if an IP address is invalid or not. A remote unauthenticated attacker can exploit this vulnerability to bypass the IsAllowedHost check and execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

49) Information disclosure

EUVDB-ID: #VU66698

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-29244

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, may be affected and have published files into the npm registry they did not intend to include.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

50) Input validation error

EUVDB-ID: #VU57967

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3807

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

51) Incorrect Regular Expression

EUVDB-ID: #VU63698

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33502

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to exponential performance for data. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

52) Incorrect Regular Expression

EUVDB-ID: #VU52985

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-28469

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect handling of user-supplied input in regular expression. A remote attacker can pass specially crafted input to the application and perform regular expression denial of service (ReDoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

53) Double Free

EUVDB-ID: #VU65915

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2509

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within gnutls_pkcs7_verify() function when verifying the pkcs7 signatures. A remote attacker can pass specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

54) Buffer overflow

EUVDB-ID: #VU67505

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-40962

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

55) Use-after-free

EUVDB-ID: #VU67501

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-40960

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error caused by a concurrent use of the URL parser with non-UTF-8 data. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

56) NULL pointer dereference

EUVDB-ID: #VU67528

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31213

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when handling a malformed XML config file. A local user can supply a specially crafted XML file to the service and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

57) Information disclosure

EUVDB-ID: #VU66919

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3033

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way Thunderbird handles the meta tag having the http-equiv="refresh" attribute in email messages when the user replies to an email. A remote attacker can send a specially crafted email to the victim and force the application to initiate requests to an external URL regardless of the configuration to block remote content.

Combined with other HTML elements and attributes in the email, it is possible to execute arbitrary JavaScript code included into the malicious message in the context of the message compose document and read or modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

58) Out-of-bounds read

EUVDB-ID: #VU67527

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-31212

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when parsing DBus service Exec line in c-uitl/c-shquote. A local user can pass specially crafted input to the service, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

59) Memory leak

EUVDB-ID: #VU67550

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-38178

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the DNSSEC verification code for the EdDSA algorithm. A remote attacker can spoof the target resolver with responses that have a malformed EdDSA signature and perform denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

60) Memory leak

EUVDB-ID: #VU67549

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-38177

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the DNSSEC verification code for the ECDSA algorithm. A remote attacker can spoof the target resolver with responses that have a malformed ECDSA signature and perform denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

61) Input validation error

EUVDB-ID: #VU67548

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3080

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when resolvers are configured to answer from stale cache with zero stale-answer-client-timeout and there is a stale CNAME in the cache for an incoming query. A remote attacker can send a specially crafted request to the DNS resolver and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

62) Type Confusion

EUVDB-ID: #VU65360

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-34918

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in the Linux kernel’s Netfilter subsystem in the way a user provides incorrect input of the NFT_DATA_VERDICT type. A local user can pass specially crafted data to the application, trigger a type confusion error and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

63) Resource management error

EUVDB-ID: #VU66394

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2585

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack or escalate privileges on the system.

The vulnerability exists due to improper management of internal resources in POSIX CPU timers when handling death of a process. A local user can crash the kernel or execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

64) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU68170

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-41032

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions in the NuGet Client, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

65) Out-of-bounds write

EUVDB-ID: #VU66587

Risk: Critical

CVSSv3.1:

CVE-ID: CVE-2022-32893

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

66) Out-of-bounds read

EUVDB-ID: #VU67609

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-41318

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information or crash the server.

The vulnerability exists due to a boundary condition within SSPI and SMB authentication helpers. A remote attacker can trigger an out-of-bounds read error and read contents of memory on the system or crash the server.

Successful exploitation of the vulnerability requires that Squid is configured to use NTLM or Negotiate authentication with one of the vulnerable helpers.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

67) Resource exhaustion

EUVDB-ID: #VU67665

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-25857

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling YAML files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

68) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU64909

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-34903

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error in GnuPG, which allows signature spoofing via arbitrary injection into the status line. A remote attacker who controls the secret part of any signing-capable key or subkey in the victim's keyring, can take advantage of this flaw to provide a correctly-formed signature that some software, including gpgme, will accept to have validity and signer fingerprint chosen from the attacker.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

69) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU65282

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32215

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

70) Input validation error

EUVDB-ID: #VU66922

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-36059

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Matrix SDK. A remote attacker sharing a room with a victim can hide some of the rooms or spaces from users and cause minor temporary corruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

71) Security features bypass

EUVDB-ID: #VU66921

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3034

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to iframe elements in an HTML email force the application to initiate network requests. A remote attacker can use an iframe to confirm that the email was read by the victim and obtain victim's IP address.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

72) Security features bypass

EUVDB-ID: #VU66920

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-3032

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists doe to incorrect processing of HTML emails with an iframe</code> element that uses a <code>srcdoc attribute to define the inner HTML document. A remote attacker can trick the victim to open a specially crafted email message and bypass blocking of remote objects specified in the nested document, for example images or videos.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

73) Security features bypass

EUVDB-ID: #VU67502

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-40958

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect handling of cookies. A remote attacker with access to a shared subdomain can inject a cookies with certain special characters, bypass Secure Context restriction for cookies with __Host and __Secure prefix and overwrite these cookies, potentially allowing session fixation attacks. 

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

74) Security features bypass

EUVDB-ID: #VU67503

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-40956

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to some requests may ignore the CSP's base-uri settings when handling HTML base element injection. A remote attacker can force the browser to accept the injected element's base instead of the original code, leading to Content Security Policy bypass.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 8.0 - 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

75) Type conversion

EUVDB-ID: #VU62081

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-28739

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a type conversion error in some convertion methods like Kernel#Float</code> and <code>String#to_f. A remote attacker can pass specially crafted data to the affected application, trigger memory corruption and execute arbitrary code in the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

76) Double Free

EUVDB-ID: #VU62080

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-28738

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Regexp compilation process in Ruby. A remote attacker can pass specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

77) Input validation error

EUVDB-ID: #VU67475

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21385

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the net_rds_alloc_sgs() function in net/rds/message.c in Linux kernel. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

78) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU65278

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32214

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

79) Prototype pollution

EUVDB-ID: #VU66955

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7788

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation when handling INI files. A remote attacker can pass a specially crafted INI file to the application and perform prototype pollution attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

80) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU65275

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-32213

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially-crafted request to lead to HTTP Request Smuggling to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

81) Improper input validation

EUVDB-ID: #VU65505

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21569

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

82) Improper input validation

EUVDB-ID: #VU65504

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21556

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

83) Improper input validation

EUVDB-ID: #VU62404

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21454

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Group Replication Plugin component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

84) Race condition

EUVDB-ID: #VU67477

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-3028

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. A local user can exploit the race and escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

85) Improper access control

EUVDB-ID: #VU63961

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21499

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to improper access restrictions to the kernel debugger when booted in secure boot environments. A local privileged user can bypass UEFI Secure Boot restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

86) Double Free

EUVDB-ID: #VU66397

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2588

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a double free error within the network packet scheduler implementation in the route4_change() function in Linux kernel when removing all references to a route filter before freeing it. A local user can run a specially crafted program to crash the kernel or execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 9.0

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

87) Use-after-free

EUVDB-ID: #VU66396

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2586

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the the netfilter subsystem implementation in Linux kernel when preventing one nft object from referencing an nft set in another nft table. A local user can trigger a use-after-free error and execute arbitrary code on the system with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7 - 8.6

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

88) Use-after-free

EUVDB-ID: #VU62358

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1280

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a use-after-free error within the drm_lease_held() function in drivers/gpu/drm/drm_lease.c in the Linux kernel. A local user can run a specially crafted program to trigger a use-after-free error and crash the kernel or gain access to sensitive information.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7 - 8.6

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

89) Buffer overflow

EUVDB-ID: #VU68553

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21546

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the scsi subsystem within the OS kernel. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: 7.0 - 8.6

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

90) OS Command Injection

EUVDB-ID: #VU64573

Risk: High

CVSSv3.1:

CVE-ID: CVE-2015-20107

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the mailcap module, which does not escape characters into commands discovered in the system mailcap file. A remote unauthenticated attacker can pass specially crafted data to the applications that call mailcap.findmatch with untrusted input and execute arbitrary OS commands on the target system.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

91) Cross-site scripting

EUVDB-ID: #VU66123

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2016-3709

CWE-ID:

Exploit availability:

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

92) Prototype pollution

EUVDB-ID: #VU18092

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-11358

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to prototype pollution. A remote attacker can trick the extend function can into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

93) Out-of-bounds write

EUVDB-ID: #VU45872

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-0256

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege when inserting a malicious USB device, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-152874864

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

94) Type conversion

EUVDB-ID: #VU67760

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-10735

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion in algorithms with quadratic time complexity when using non-binary bases within the int() call. A remote attacker can pass specially crafted data to the affected application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

95) Division by zero

EUVDB-ID: #VU69350

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-23903

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a division by zero error when handling .wav files. A remote attacker can trick the victim into opening a specially crafted .wav file and crash the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

96) Improper Validation of Array Index

EUVDB-ID: #VU68779

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-28851,CVE-2020-28852

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of array index in language.ParseAcceptLanguage while processing a BCP 47 tag. A remote attacker can send a specially crafted HTTP request containing a malformed HTTP Accept-Language header and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

97) Deserialization of Untrusted Data

EUVDB-ID: #VU48669

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-28948

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data, related to case sensitivity issues (e.g. "phar:" protocol is blocked, however  "PHAR:" is not). A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

98) Input validation error

EUVDB-ID: #VU48668

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-28949

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper sanitization of the user-supplied input when processing URI handlers in filenames. A remote attacker can pass the "file://" string in the filename and overwrite arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

99) NULL pointer dereference

EUVDB-ID: #VU67411

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-35525

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the INTERSEC query processing. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

100) Out-of-bounds read

EUVDB-ID: #VU67412

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-35527

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when handling ALTER TABLE for views that have a nested FROM clause. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

101) UNIX symbolic link following

EUVDB-ID: #VU49907

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-36193

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a symlink following issue in tar.php file in Archive_Tar. A remote attacker can pass specially crafted archive to the application and force the application to overwrite arbitrary files on the system using directory traversal sequences.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

102) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU66811

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-36516

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) or MitM attacks.

The vulnerability exists due to an error in the mixed IPID assignment method with the hash-based IPID assignment policy in Linux kernel. A remote attacker can inject data into a victim's TCP session or terminate that session.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

103) NULL pointer dereference

EUVDB-ID: #VU66589

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-36558

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the Linux kernel before 5.5.7 involving a VT_RESIZEX. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

104) Out-of-bounds write

EUVDB-ID: #VU49882

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0308

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-158063095.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

105) Out-of-bounds read

EUVDB-ID: #VU69342

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0561

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the append_to_verify_fifo_interleaved_ in stream_encoder.c in Media Framework. A local application can trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

106) Origin validation error

EUVDB-ID: #VU50275

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-20199

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to missing authentication when connecting from all sources. A remote attacker can send a specially crafted request and bypass access restrictions to containerized applications.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

107) Improper locking

EUVDB-ID: #VU62797

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-20291

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service attack (DoS) on the target system.

The vulnerability exists due to double-locking error. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

108) Input validation error

EUVDB-ID: #VU58331

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-21707

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to inject arbitrary XML code.

The vulnerability exists due to insufficient validation of user-supplied input within the simplexml_load_file() PHP function when processing NULL byte character (e.g. %00). A remote attacker can pass specially crafted URL to the application and bypass implemented security restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

109) Use-after-free

EUVDB-ID: #VU60707

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-21708

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the "php_filter_float()" function. A remote attacker can pass specially crafted input to the application that uses the affected PHP function, trigger a use-after-free error and crash the php-fpm process.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

110) Improper input validation

EUVDB-ID: #VU62403

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-22570

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Compiling (protobuf) component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

111) Cross-site scripting

EUVDB-ID: #VU66868

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23648

CWE-ID:

Exploit availability:

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in sanitizeUrl() function. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

112) Improper input validation

EUVDB-ID: #VU57516

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2478

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

113) Improper input validation

EUVDB-ID: #VU57517

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2479

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

114) Improper input validation

EUVDB-ID: #VU57503

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-2481

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

115) Reliance on Reverse DNS Resolution for a Security-Critical Action

EUVDB-ID: #VU61422

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-25220

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to poison DNS cache.

The vulnerability exists due to an error in DNS forwarder implementation. When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

116) Improper certificate validation

EUVDB-ID: #VU60762

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-25636

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to improper certificate validation when processing digital signatures of ODF documents. A remote attacker can modify the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag[1], which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

117) Open redirect

EUVDB-ID: #VU67591

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-28861

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data in lib/http/server.py due to missing protection against multiple (/) at the beginning of URI path. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

118) Memory leak

EUVDB-ID: #VU68552

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-30002

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform DoS attack on the target system.

The vulnerability exists due memory leak within the webcam support driver in video_usercopy() function in drivers/media/v4l2-core/v4l2-ioctl.c in Linux kernel. A local user can trigger leak memory and perform denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

119) Link following

EUVDB-ID: #VU55101

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-32610

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to the application does not check if the file in the archive is a symbolic link when extracting it. A remote attacker can pass a specially crafted file to the application and overwrite arbitrary files on the system. Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

120) Cross-site scripting

EUVDB-ID: #VU56022

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33195

CWE-ID:

Exploit availability:

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of data passed from DNS lookups. A remote attacker can send a specially crafted DNS reqponse and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

121) Missing Authorization

EUVDB-ID: #VU56023

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33197

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to an error in some configurations of ReverseProxy (from net/http/httputil). A remote attacker can drop arbitrary headers and bypass authorization process. 

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

122) Resource management error

EUVDB-ID: #VU56024

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33198

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling a large exponent to the math/big.Rat SetString or UnmarshalText method.  A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

123) Improper Certificate Validation

EUVDB-ID: #VU55665

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-34558

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper certificate verification in crypto/tls package in Go when processing X.509 certificates. The application does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

124) Use-after-free

EUVDB-ID: #VU69294

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3497

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when demuxing certain malformed Matroska files. A remote attacker can trick the victim into opening a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

125) Heap-based buffer overflow

EUVDB-ID: #VU64569

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3507

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the fdctrl_transfer_handler() function in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A remote privileged user on the guest OS can trigger a heap-based buffer overflow and crash the QEMU process on the host OS.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

126) Improper input validation

EUVDB-ID: #VU57541

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35546

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

127) Improper input validation

EUVDB-ID: #VU57527

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35575

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

128) Improper input validation

EUVDB-ID: #VU57515

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35577

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

129) Improper input validation

EUVDB-ID: #VU57519

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35591

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

130) Improper input validation

EUVDB-ID: #VU57520

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35596

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Error Handling component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

131) Improper input validation

EUVDB-ID: #VU57501

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35597

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the C API component in MySQL Client. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

132) Improper input validation

EUVDB-ID: #VU57514

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35602

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Options component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

133) Improper input validation

EUVDB-ID: #VU57511

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35604

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

134) Improper input validation

EUVDB-ID: #VU57502

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35607

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

135) Improper input validation

EUVDB-ID: #VU57513

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35608

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Group Replication Plugin component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

136) Improper input validation

EUVDB-ID: #VU57500

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35610

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

137) Improper input validation

EUVDB-ID: #VU57512

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35612

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

138) Improper input validation

EUVDB-ID: #VU57542

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35622

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

139) Improper input validation

EUVDB-ID: #VU57551

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35623

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Server: Security: Roles component in MySQL Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

140) Improper input validation

EUVDB-ID: #VU57543

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35624

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to manipulate data.

The vulnerability exists due to improper input validation within the Server: Security: Privileges component in MySQL Server. A remote privileged user can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

141) Improper input validation

EUVDB-ID: #VU57550

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35625

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Server: Security: Privileges component in MySQL Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

142) Improper input validation

EUVDB-ID: #VU57523

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35626

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

143) Improper input validation

EUVDB-ID: #VU57524

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35627

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

144) Improper input validation

EUVDB-ID: #VU57525

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35628

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

145) Improper input validation

EUVDB-ID: #VU57539

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35630

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to manipulate data.

The vulnerability exists due to improper input validation within the Server: Options component in MySQL Server. A remote privileged user can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

146) Improper input validation

EUVDB-ID: #VU57522

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35631

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: GIS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

147) Improper input validation

EUVDB-ID: #VU57545

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35632

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Data Dictionary component in MySQL Server. A local privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

148) Improper input validation

EUVDB-ID: #VU57549

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35633

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the Server: Logging component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

149) Improper input validation

EUVDB-ID: #VU57528

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35634

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

150) Improper input validation

EUVDB-ID: #VU57529

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35635

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

151) Improper input validation

EUVDB-ID: #VU57530

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35636

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

152) Improper input validation

EUVDB-ID: #VU57540

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35637

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: PS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

153) Improper input validation

EUVDB-ID: #VU57531

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35638

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

154) Improper input validation

EUVDB-ID: #VU57544

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35639

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

155) Improper input validation

EUVDB-ID: #VU57548

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-35640

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to manipulate data.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

156) Improper input validation

EUVDB-ID: #VU57532

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35641

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

157) Improper input validation

EUVDB-ID: #VU57533

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35642

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

158) Improper input validation

EUVDB-ID: #VU57534

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35643

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

159) Improper input validation

EUVDB-ID: #VU57535

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35644

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

160) Improper input validation

EUVDB-ID: #VU57536

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35645

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

161) Improper input validation

EUVDB-ID: #VU57537

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35646

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

162) Improper input validation

EUVDB-ID: #VU57538

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35647

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

163) Improper input validation

EUVDB-ID: #VU57521

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-35648

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: FTS component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

164) Out-of-bounds write

EUVDB-ID: #VU69352

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3611

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the Intel HD Audio device (intel-hda) of QEMU. A remote user of the guest OS trigger an out-of-bounds write and crash the QEMU process on the host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

165) Race condition

EUVDB-ID: #VU55668

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-36221

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in net/http/httputil ReverseProxy when handling ErrAbortHandler events. A remote attacker can trigger a race condition and crash the ReverseProxy.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

166) Incorrect permission assignment for critical resource

EUVDB-ID: #VU62735

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3631

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to an error in the way SELinux MCS category pairs for VMs' dynamic labels in security/security_selinux.c. An attacker with access to the guest OS can access files labeled for another guest.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

167) Use-after-free

EUVDB-ID: #VU63769

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-3640

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in sco_sock_sendmsg() function of the Linux kernel HCI subsystem. A privileged local user can call ioct UFFDIO_REGISTER or other way trigger race condition to escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

168) Use-after-free

EUVDB-ID: #VU69353

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3750

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the USB EHCI controller emulation of QEMU. A remote guest can trigger a use-after-free error and execute arbitrary code on the host OS.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

169) Out-of-bounds write

EUVDB-ID: #VU63625

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-3839

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to execute arbitrary code with elevated privileges.

The vulnerability exists due to vhost_user_set_inflight_fd() function does not validate msg->payload.inflight.num_queues. A local user can trigger out-of-bounds write and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

170) Information disclosure

EUVDB-ID: #VU58668

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-4024

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the "podman machine" function. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

171) Out-of-bounds read

EUVDB-ID: #VU69295

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-4048

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack. A remote attacker can pass specially crafted data to the application, trigger an out-of-bounds read error and crash the affected application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

172) Type Confusion

EUVDB-ID: #VU58229

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-41190

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to a type confusion error. A remote authenticated attacker can pass specially crafted data to the application, trigger a type confusion error and interpret the resulting content differently.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

173) NULL pointer dereference

EUVDB-ID: #VU63781

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-4158

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the ACPI code of QEMU when handling certain values. A privileged user can crash the QEMU process on the host, resulting in a denial of service condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

174) Out-of-bounds read

EUVDB-ID: #VU65086

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-44269

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when processing *.WAV files within the WavpackPackSamples() function in src/pack_utils.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and crash the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

175) Improper Certificate Validation

EUVDB-ID: #VU59548

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-44531

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of URI Subject Alternative Names. Node.js accepts arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type. A remote attacker can bypass name-constrained intermediates and perform spoofing attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

176) Improper validation of certificate with host mismatch

EUVDB-ID: #VU59549

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-44532

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificates, when converting SANs (Subject Alternative Names) to a string format. A remote attacker can inject special characters into the string and perform spoofing attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

177) Improper Certificate Validation

EUVDB-ID: #VU59550

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-44533

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificate subject and issuer fields. A remote attacker can create a certificate with specially crafted multi-value Relative Distinguished Names and perform spoofing attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

178) Resource exhaustion

EUVDB-ID: #VU64030

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-44906

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

179) Integer overflow

EUVDB-ID: #VU59643

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-46143

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in the doProlog() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

180) Resource exhaustion

EUVDB-ID: #VU66152

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-46828

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to library improperly handles idle TCP connections. A remote attacker can exhaust the file descriptors of a process that uses libtirpc and perform a denial of service (DoS)  attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

181) NULL pointer dereference

EUVDB-ID: #VU63789

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0168

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the Linux kernel’s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS). A privileged (CAP_SYS_ADMIN) attacker can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

182) Use-after-free

EUVDB-ID: #VU68551

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0216

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU when processing repeated messages to cancel the current SCSI request via the lsi_do_msgout() function. A remote user on the guest OS can trigger a use-after-free error and perform a denial of service attack against the QEMU host.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

183) Resource management error

EUVDB-ID: #VU61423

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0396

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application that allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. A remote attacker can initiate a specially crafted TCP stream that can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.

This issue can only be triggered on BIND servers which have keep-response-order enabled, which is not the default configuration. The keep-response-order option is an ACL block; any hosts which are specified within it will be able to trigger this issue on affected versions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

184) Information disclosure

EUVDB-ID: #VU64259

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0494

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in the scsi_ioctl() function in drivers/scsi/scsi_ioctl.c in the Linux kernel. A local user with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

185) NULL pointer dereference

EUVDB-ID: #VU63326

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0561

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the memcpy() function within TIFFFetchStripThing() in tif_dirread.c. A remote attacker can trick victim to open specially crafted TIFF file and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

186) NULL pointer dereference

EUVDB-ID: #VU63328

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0562

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the memcpy() function within TIFFReadDirectory() in tif_dirread.c. A remote attacker can trick victim to open specially crafted TIFF file and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

187) NULL pointer dereference

EUVDB-ID: #VU61210

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0617

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the Linux kernel UDF file system functionality. A local user can supply a malicious UDF image to the udf_file_write_iter() function and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

188) Memory leak

EUVDB-ID: #VU63427

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0854

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due memory leak in the Linux kernel’s DMA subsystem when processing DMA_FROM_DEVICE calls. A local user can trigger a memory leak error and read random memory from the kernel space.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

189) Reachable Assertion

EUVDB-ID: #VU63332

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0865

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in the tiffcp component. A remote attacker can trick a victim to open a specially crafted TIFF file and perform a denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

190) Out-of-bounds write

EUVDB-ID: #VU63329

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0891

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing TIFF file in ExtractImageSection() function in tiffcrop.c. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

191) Improper locking

EUVDB-ID: #VU62739

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0897

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service attack (DoS).

The vulnerability exists due to double-locking error within the nwfilterConnectNumOfNWFilters() function in nwfilter/nwfilter_driver.c in libvirt. An local user can abuse the libvirt API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

192) NULL pointer dereference

EUVDB-ID: #VU63374

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0908

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the memcpy() function within TIFFFetchNormalTag () in tif_dirread.c. A remote attacker can pass specially crafted TIFF file to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

193) Division by zero

EUVDB-ID: #VU63376

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0909

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error in the tiffcrop component. A remote attacker can pass a specially crafted TIFF file to the application and crash it.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

194) Buffer overflow

EUVDB-ID: #VU63128

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0918

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when handling network packets. A remote attacker can create a single TCP packet to the LDAP port, trigger a segmentation fault and crash the slapd daemon.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

195) Out-of-bounds read

EUVDB-ID: #VU63378

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0924

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial-of-service attack.

The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it, trigger out-of-bounds read error and perform a denial-of-service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

196) Use-after-free

EUVDB-ID: #VU63013

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0934

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error when handling DHCPv6 requests. A remote attacker can send specially crafted DHCPv6 packets to the affected application, trigger a use-after-free error and perform a denial of service (DoS) attack.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

197) Insufficient Session Expiration

EUVDB-ID: #VU64661

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0996

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient session expiration issue that allows expired passwords to access the database to cause improper authentication. A remote non-authenticated attacker can obtain or guess session token and gain unauthorized access to session that belongs to another user.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

198) Use-after-free

EUVDB-ID: #VU62028

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1016

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a use-after-free error in net/netfilter/nf_tables_core.c:nft_do_chain in Linux kernel.. A local user can trigger a use-after-free error and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

199) Use-after-free

EUVDB-ID: #VU63428

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1048

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to execute arbitrary code with elevated privileges.

The vulnerability exists due to a use-after-free error in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. A local user can execute arbitrary code with elevated privileges and perform a denial-of-service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

200) Use-after-free

EUVDB-ID: #VU61765

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1055

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the tc_new_tfilter in Linux kernel. A local user can run a specially crafted program to trigger a use-after-free error and execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

201) Access of Uninitialized Pointer

EUVDB-ID: #VU63450

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1122

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to an invalid pointer initialization in the opj2_decompress program. A remote attacker can gain unauthorized access to sensitive information and perform a denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

202) Use-after-free

EUVDB-ID: #VU64438

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1184

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to a use-after-free error in fs/ext4/namei.c:dx_insert_block() function in the Linux kernel’s filesystem sub-component.. A local user can trigger use-after-free and perform a denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

203) Out-of-bounds write

EUVDB-ID: #VU64075

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1304

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A local attacker can use a specially crafted filesystem, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

204) Buffer overflow

EUVDB-ID: #VU62357

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1328

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing email messages. A remote attacker can create a specially crafted message, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

205) Incorrect default permissions

EUVDB-ID: #VU63693

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1348

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to the way logrotate uses the state file. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

206) Information disclosure

EUVDB-ID: #VU63388

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1353

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the pfkey_register function in net/key/af_key.c in the Linux kernel. A local user can gain unauthorized access to kernel memory, leading to a system crash or a leak of internal kernel information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

207) Heap-based buffer overflow

EUVDB-ID: #VU67498

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1354

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the TIFFReadRawDataStriped() function in tiffinfo.c. A remote attacker can pass specially crafted TIFF file to the application that is using the affected library, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

208) Buffer overflow

EUVDB-ID: #VU67497

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1355

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within tiffcp.c when processing TIFF files. A remote attacker can pass specially crafted TIFF file to the application that is using the affected library, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

209) Deserialization of Untrusted Data

EUVDB-ID: #VU70385

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1471

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the SnakeYaml's Constructor() class. A remote attacker can pass specially crafted yaml content to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

210) Use-after-free

EUVDB-ID: #VU64861

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1679

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ath9k_htc_wait_for_target() function in the Linux kernel’s Atheros wireless adapter driver. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

211) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU66064

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1705

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of Transfer-Encoding headers in HTTP/1 responses. A remote attacker can send a specially crafted HTTP/1 response to the client and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

212) Improper access control

EUVDB-ID: #VU63493

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1706

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in ignition configs. A remote user on the local network can bypass implemented security restrictions and obtain sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

213) Resource exhaustion

EUVDB-ID: #VU64008

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1708

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the ExecSync request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

214) NULL pointer dereference

EUVDB-ID: #VU64262

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1852

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the Linux kernel’s KVM module. A local user can perform a denial of service (DoS) attack in the x86_emulate_insn in arch/x86/kvm/emulate.c.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

215) Resource exhaustion

EUVDB-ID: #VU66065

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1962

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in go/parser. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

216) Use-after-free

EUVDB-ID: #VU69338

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1998

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the copy_event_to_user() function in Linux kernel. A local user can trigger a use-after-free error and escalate privileges on the system.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

217) Out-of-bounds read

EUVDB-ID: #VU67473

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-20368

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary condition within the packet_recvmsg() function in Linux kernel. A local user can trigger an out-of-bounds read error and potentially escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

218) Information disclosure

EUVDB-ID: #VU64364

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21123

CWE-ID:

Exploit availability:

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists in Intel processors due to excessive data output when DirectPath I/O (PCI-Passthrough) is utilized. An attacker (both local and remote) with administrative access to a virtual machine that has an attached DirectPath I/O (PCI-Passthrough) device can obtain information stored in physical memory about the hypervisor or other virtual machines that reside on the same host.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

219) Information disclosure

EUVDB-ID: #VU64365

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21125

CWE-ID:

Exploit availability:

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists in Intel processors due to excessive data output when DirectPath I/O (PCI-Passthrough) is utilized. An attacker (both local and remote) with administrative access to a virtual machine that has an attached DirectPath I/O (PCI-Passthrough) device can obtain information stored in physical memory about the hypervisor or other virtual machines that reside on the same host.



Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

220) Information disclosure

EUVDB-ID: #VU64366

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21166

CWE-ID:

Exploit availability:

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists in Intel processors due to excessive data output when DirectPath I/O (PCI-Passthrough) is utilized. An attacker (both local and remote) with administrative access to a virtual machine that has an attached DirectPath I/O (PCI-Passthrough) device can obtain information stored in physical memory about the hypervisor or other virtual machines that reside on the same host.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

221) Improper input validation

EUVDB-ID: #VU59792

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21245

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to manipulate data.

The vulnerability exists due to improper input validation within the Server: Security: Privileges component in MySQL Server. A remote authenticated user can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

222) Improper input validation

EUVDB-ID: #VU59807

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21249

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the Server: DDL component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

223) Improper input validation

EUVDB-ID: #VU59782

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21253

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

224) Improper input validation

EUVDB-ID: #VU59775

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21254

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

225) Improper input validation

EUVDB-ID: #VU59778

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21256

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Group Replication Plugin component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

226) Improper input validation

EUVDB-ID: #VU59783

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21264

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

227) Improper input validation

EUVDB-ID: #VU59793

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21265

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to manipulate or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to manipulate or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

228) Improper input validation

EUVDB-ID: #VU59777

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21270

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Federated component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

229) Improper input validation

EUVDB-ID: #VU59735

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21278

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

230) Improper input validation

EUVDB-ID: #VU59784

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21297

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

231) Improper input validation

EUVDB-ID: #VU59772

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21301

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: DML component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

232) Improper input validation

EUVDB-ID: #VU59774

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21302

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

233) Improper input validation

EUVDB-ID: #VU59790

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21303

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Stored Procedure component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

234) Improper input validation

EUVDB-ID: #VU59788

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21304

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Parser component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

235) Resource management error

EUVDB-ID: #VU66871

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2132

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the copy_desc_to_mbuf() function when processing Vhost header. A remote guest can send a packet with the Vhost header crossing more than two descriptors and force application to allocate all available mbufs, causing a denial of service condition for the other guest running on the hypervisor.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

236) Improper input validation

EUVDB-ID: #VU59785

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21339

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

237) Improper input validation

EUVDB-ID: #VU59786

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21342

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

238) Improper input validation

EUVDB-ID: #VU59789

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21344

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Replication component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

239) Improper input validation

EUVDB-ID: #VU59776

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21348

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

240) Improper input validation

EUVDB-ID: #VU59736

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21351

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote authenticated user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

241) Improper input validation

EUVDB-ID: #VU59770

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21352

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the InnoDB component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

242) Improper input validation

EUVDB-ID: #VU59738

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21358

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

243) Improper input validation

EUVDB-ID: #VU59780

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21362

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Information Schema component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

244) Improper input validation

EUVDB-ID: #VU59771

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21367

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Compiling component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

245) Improper input validation

EUVDB-ID: #VU59791

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21368

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Server: Components Services component in MySQL Server. A remote privileged user can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

246) Improper input validation

EUVDB-ID: #VU59787

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21370

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

247) Improper input validation

EUVDB-ID: #VU59808

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21372

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform service disruption.

The vulnerability exists due to improper input validation within the Server: Security: Encryption component in MySQL Server. A remote privileged user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

248) Improper input validation

EUVDB-ID: #VU59781

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21374

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Information Schema component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

249) Improper input validation

EUVDB-ID: #VU59773

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21378

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to damange or delete data.

The vulnerability exists due to improper input validation within the Server: Optimizer component in MySQL Server. A remote privileged user can exploit this vulnerability to damange or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

250) Improper input validation

EUVDB-ID: #VU59779

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21379

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote privileged user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Server: Group Replication Plugin component in MySQL Server. A remote privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

251) Improper input validation

EUVDB-ID: #VU68439

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21618

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JGSS component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

252) Improper input validation

EUVDB-ID: #VU68442

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21619

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

253) Improper input validation

EUVDB-ID: #VU68441

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21624

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JNDI component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

254) Improper input validation

EUVDB-ID: #VU68438

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21626

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

255) Improper input validation

EUVDB-ID: #VU68437

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21628

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Lightweight HTTP Server component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

256) Information disclosure

EUVDB-ID: #VU64402

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21673

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can pass a specially crafted query to the data source with an API token and Forward OAuth Identity feature enabled to gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

257) Path traversal

EUVDB-ID: #VU59689

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21682

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when flatpak-builder applies "finish-args" last in the build. A remote authenticated attacker can send a specially crafted HTTP request and create arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

258) Input validation error

EUVDB-ID: #VU61599

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21698

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within method label cardinality. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

259) Cross-site scripting

EUVDB-ID: #VU64397

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21702

CWE-ID:

Exploit availability:

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Grafana. A remote attacker can trick the victim to visit a specially crafted link, execute arbitrary HTML code, and perform a Cross-site scripting (XSS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

260) Cross-site request forgery

EUVDB-ID: #VU64399

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21703

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into inviting the attacker as a new user with high privileges to escalate privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Linux: All versions

Fixed software versions

CPE2.3 External links

http://www.oracle.com/security-alerts/linuxbulletinoct2022.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

261) Authorization bypass through user-controlled key

EUVDB-ID: #VU64394

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21713

CWE-ID: