CVE-2022-1473 – Resource leakage when decoding certificates and keys
https://notcve.org/view.php?id=CVE-2022-1473
The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. • https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=64c85430f95200b6b51fe9475bd5203f7c19daf1 https://security.gentoo.org/glsa/202210-02 https://security.netapp.com/advisory/ntap-20220602-0009 https://www.openssl.org/news/secadv/20220503.txt https://access.redhat.com/security/cve/CVE-2022-1473 https://bugzilla.redhat.com/show_bug.cgi?id=2087913 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-459: Incomplete Cleanup •
CVE-2021-41617 – openssh: privilege escalation when AuthorizedKeysCommand or AuthorizedPrincipalsCommand are configured
https://notcve.org/view.php?id=CVE-2021-41617
sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. sshd en OpenSSH versiones 6.2 hasta 8.x anteriores a 8.8, cuando son usadas determinadas configuraciones no predeterminadas, permite una escalada de privilegios porque los grupos complementarios no son inicializados como se espera. Los programas de ayuda para AuthorizedKeysCommand y AuthorizedPrincipalsCommand pueden ejecutarse con privilegios asociados a la pertenencia a grupos del proceso sshd, si la configuración especifica la ejecución del comando como un usuario diferente A flaw was found in OpenSSH. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privileges, potentially leading to local privilege escalation. • https://bugzilla.suse.com/show_bug.cgi?id=1190975 https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XJIONMHMKZDTMH6BQR5TNLF2WDCGWED https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVI7RWM2JLNMWTOFK6BDUSGNOIPZYPUT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W44V2PFQH5YLRN6ZJTVRKAD7CU6CYYET https://security.netapp.com/advisory/ntap-20211014& • CWE-273: Improper Check for Dropped Privileges •
CVE-2021-40490
https://notcve.org/view.php?id=CVE-2021-40490
A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. Se ha detectado una condición de carrera en la función ext4_write_inline_data_end en el archivo fs/ext4/inline.c en el subsistema ext4 en el kernel de Linux versiones hasta 5.13.13 • https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?id=9e445093e523f3277081314c864f708fd4bd34aa https://lists.debian.org/debian-lts-announce/2021/10/msg00010.html https://lists.debian.org/debian-lts-announce/2021/12/msg00012.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6VS2DLGT7TK7URKAS2KWJL3S533SGVA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XJGX3DMJT6MRBW2XEF3TWVHYWZW3DG3N https://security.netapp.com/adv • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2021-22555 – Heap Out-Of-Bounds Write in Netfilter IP6T_SO_SET_REPLACE
https://notcve.org/view.php?id=CVE-2021-22555
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space En el archivo net/netfilter/x_tables.c se ha detectado una escritura fuera de límites en la pila que afecta a Linux desde la versión 2.6.19-rc1. Esto permite a un atacante alcanzar privilegios o causar una denegación de servicio (por medio de corrupción de la memoria de la pila) mediante el espacio de nombres de usuario A flaw was discovered in processing setsockopt IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) for 32 bit processes on 64 bit systems. This flaw will allow local user to gain privileges or cause a DoS through user name space. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges. • https://www.exploit-db.com/exploits/50135 https://github.com/xyjl-ly/CVE-2021-22555-Exploit https://github.com/veritas501/CVE-2021-22555-PipeVersion https://github.com/pashayogi/CVE-2021-22555 https://github.com/tukru/CVE-2021-22555 https://github.com/letsr00t/CVE-2021-22555 https://github.com/letsr00t/-2021-LOCALROOT-CVE-2021-22555 https://github.com/daletoniris/CVE-2021-22555-esc-priv http://packetstormsecurity.com/files/163528/Linux-Kernel-Netfilter-Heap-Out-Of-Bounds-Write.h • CWE-787: Out-of-bounds Write •
CVE-2021-25216 – A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
https://notcve.org/view.php?id=CVE-2021-25216
In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. • http://www.openwall.com/lists/oss-security/2021/04/29/1 http://www.openwall.com/lists/oss-security/2021/04/29/2 http://www.openwall.com/lists/oss-security/2021/04/29/3 http://www.openwall.com/lists/oss-security/2021/04/29/4 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://kb.isc.org/v1/docs/cve-2021-25215 https://lists.debian.org/debian-lts-announce/2021/05/msg00001.html https://security.netapp.com/advisory/ntap-20210521-0006 http • CWE-125: Out-of-bounds Read •