CentOS 7 update for kernel

Published: 2023-01-30

Risk	Low
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2017-5715 CVE-2021-26401 CVE-2022-2964
CWE-ID	CWE-200 CWE-787
Exploitation vector	Local
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software Subscribe	CentOS Operating systems & Components / Operating system
Vendor	CentOS Project

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU9883

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-5715

CWE-ID: CWE-200 - Information exposure

Exploit availability: Yes

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in Intel CPU hardware due to improper implementation of the speculative execution of instructions. A local attacker can utilize branch target injection, execute arbitrary code, perform a side-channel attack and read sensitive memory information.

Mitigation

Update the affected packages.

Vulnerable software versions

CentOS: 7

CPE2.3

cpe:2.3:o:centos_project:centos:7:*:*:*:*:*:*:*

External links

http://lists.centos.org/pipermail/centos-announce/2023-January/086370.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Information disclosure

EUVDB-ID: #VU61566

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-26401

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application within LFENCE/JMP. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Update the affected packages.

Vulnerable software versions

CentOS: 7

CPE2.3

cpe:2.3:o:centos_project:centos:7:*:*:*:*:*:*:*

External links

http://lists.centos.org/pipermail/centos-announce/2023-January/086370.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Out-of-bounds write

EUVDB-ID: #VU67811

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-2964

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices driver in Linux kernel. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

Mitigation

Update the affected packages.

Vulnerable software versions

CentOS: 7

CPE2.3

cpe:2.3:o:centos_project:centos:7:*:*:*:*:*:*:*

External links

http://lists.centos.org/pipermail/centos-announce/2023-January/086370.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?