SB2025010714 - Multiple vulnerabilities in Dell APEX Cloud Platform for Red Hat OpenShift
Published: January 7, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2024-21781)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation in UEFI firmware. A local privileged user can gain access to sensitive information or perform a denial of service (DoS) attack.
2) Input validation error (CVE-ID: CVE-2024-21829)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient input validation in UEFI firmware error handler. A local privileged user can execute arbitrary code with elevated privileges.
3) Race condition (CVE-ID: CVE-2024-23599)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in Seamless Firmware Updates for some Intel reference platforms. A local user can exploit the race and perform a denial of service (DoS) attack.
4) Observable discrepancy (CVE-ID: CVE-2024-23984)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to observable discrepancy in Running Average Power Limit (RAPL) interface. A local privileged user can gain access to potentially sensitive information.
5) State Issues (CVE-ID: CVE-2024-24968)
CWE-ID: CWE-371 - State Issues
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service attack.
The vulnerability exists due to improper finite state machines (FSMs) in hardware logic. A local privileged user can perform a denial of service (DoS) attack.
6) Insufficient Control Flow Management (CVE-ID: CVE-2024-25565)
CWE-ID: CWE-691 - Insufficient Control Flow Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient control flow management. A local attacker can perform a denial of service (DoS) attack.
7) Improper finite state machines in hardware logic (CVE-ID: CVE-2024-21853)
CWE-ID: CWE-1245 - Improper Finite State Machines (FSMs) in Hardware Logic
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in hardware logic. A local unprivileged user can perform a denial of service (DoS) attack.
8) Resource exhaustion (CVE-ID: CVE-2023-52340)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error when processing very large ICMPv6 packets. A remote attacker can send a flood of IPv6 ICMP6 PTB messages, cause the high lock contention and increased CPU usage, leading to a denial of service.
Successful vulnerability exploitation requires a attacker to be on the local network or have a high bandwidth connection.
9) Input validation error (CVE-ID: CVE-2024-42154)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the sizeof() function in net/ipv4/tcp_metrics.c. A local user can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01071.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01085.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2257979
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=af6d10345ca76670c1b7c37799f0d5576ccef277
- https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9
- https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c
- https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98
- https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6
- https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3
- https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99
- https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321
- https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff
- https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.318
- https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.222
- https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.163
- https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.280
- https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.98
- https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.10
- https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.39