Red Hat Enterprise Linux 7 update for pcs

Published: 2022-11-02

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2019-11358 CVE-2022-30123
CWE-ID	CWE-400 CWE-78
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software Subscribe	Red Hat Enterprise Linux Resilient Storage for x86_64 Operating systems & Components / Operating system pcs (Red Hat package) Operating systems & Components / Operating system package or component
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Prototype pollution

EUVDB-ID: #VU18092

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-11358

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to prototype pollution. A remote attacker can trick the extend function can into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux Resilient Storage for x86_64: 7

pcs (Red Hat package): before 0.9.169-3.el7_9.3

CPE2.3

cpe:2.3:o:red_hat:red_hat_enterprise_linux_resilient_storage_for_x86_64:7:*:*:*:*:*:*:*

External links

http://access.redhat.com/errata/RHSA-2022:7343

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) OS Command Injection

EUVDB-ID: #VU64863

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-30123

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No