# About the security content of Security Update 2022-003 Catalina

This document describes the security content of Security Update 2022-003 Catalina.

## About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.

Apple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.

For more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.

## Security Update 2022-003 Catalina

Released March 14, 2022

**AppKit**

Available for: macOS Catalina

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22665: Lockheed Martin Red Team

Entry added May 25, 2022

**AppleGraphicsControl**

Available for: macOS Catalina

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22631: Wang Yu of cyberserval

Entry updated May 25, 2022

**AppleScript**

Available for: macOS Catalina

Impact: An application may be able to read restricted memory

Description: This issue was addressed with improved checks.

CVE-2022-22648: Mickey Jin (@patch1t) of Trend Micro

Entry updated May 25, 2022

**AppleScript**

Available for: macOS Catalina

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2022-22627: Qi Sun and Robert Ai of Trend Micro

CVE-2022-22626: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Catalina

Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2022-22625: Mickey Jin (@patch1t) of Trend Micro

**AppleScript**

Available for: macOS Catalina

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22597: Qi Sun and Robert Ai of Trend Micro

**BOM**

Available for: macOS Catalina

Impact: A maliciously crafted ZIP archive may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2022-22616: Ferdous Saljooki (@malwarezoo) and Jaron Bradley (@jbradley89) of Jamf Software, Mickey Jin (@patch1t)

**CUPS**

Available for: macOS Catalina

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-26691: Joshua Mason of Mandiant

Entry added May 25, 2022

**Intel Graphics Driver**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A type confusion issue was addressed with improved state handling.

CVE-2022-22661: an anonymous researcher, Pan ZhenPeng (@Peterpan0927) of Alibaba Security Pandora Lab

Entry updated May 25, 2022

**Kernel**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-22613: an anonymous researcher, Alex

**Kernel**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22615: an anonymous researcher

CVE-2022-22614: an anonymous researcher

**Kernel**

Available for: macOS Catalina

Impact: An attacker in a privileged position may be able to perform a denial of service attack

Description: A null pointer dereference was addressed with improved validation.

CVE-2022-22638: derrek (@derrekr6)

**Login Window**

Available for: macOS Catalina

Impact: A person with access to a Mac may be able to bypass Login Window

Description: This issue was addressed with improved checks.

CVE-2022-22647: Yuto Ikeda of Kyushu University

Entry updated May 25, 2022

**LoginWindow**

Available for: macOS Catalina

Impact: A local attacker may be able to view the previously logged-in user's desktop from the fast user switching screen

Description: An authentication issue was addressed with improved state management.

CVE-2022-22656

**MobileAccessoryUpdater**

Available for: macOS Catalina

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2022-22672: Siddharth Aeri (@b1n4r1b01)

Entry added May 25, 2022

**PackageKit**

Available for: macOS Catalina

Impact: A malicious app with root privileges may be able to modify the contents of system files

Description: An issue in the handling of symlinks was addressed with improved validation.

CVE-2022-26688: Mickey Jin (@patch1t) of Trend Micro

Entry added May 25, 2022

**PackageKit**

Available for: macOS Catalina

Impact: An application may be able to gain elevated privileges

Description: A logic issue was addressed with improved state management.

CVE-2022-22617: Mickey Jin (@patch1t)

**QuickTime Player**

Available for: macOS Catalina

Impact: A plug-in may be able to inherit the application's permissions and access user data

Description: This issue was addressed with improved checks.

CVE-2022-22650: Wojciech Reguła (@_r3ggi) of SecuRing

**WebKit**

Available for: macOS Catalina

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A cookie management issue was addressed with improved state management.

WebKit Bugzilla: 232748

CVE-2022-22662: Prakash (@1lastBr3ath) of Threat Nix

**WebKit**

Available for: macOS Catalina

Impact: Processing a maliciously crafted mail message may lead to running arbitrary JavaScript

Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

Entry added May 25, 2022

**xar**

Available for: macOS Catalina

Impact: A local user may be able to write arbitrary files

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2022-22582: Richard Warren of NCC Group

## Additional recognition

**Intel Graphics Driver**

We would like to acknowledge Jack Dates of RET2 Systems, Inc., Yinyi Wu (@3ndy1) for their assistance.

**syslog**

We would like to acknowledge Yonghwi Jin (@jinmo123) of Theori for their assistance.

**TCC**

We would like to acknowledge Csaba Fitzl (@theevilbit) of Offensive Security for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information. Published Date: May 25, 2022


## Affected Software

| CPE Name | Name | Version |
|----------|------|---------|
| macos | catalina | 10.15.7 |
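The advisory only tells you that macOS Catalina 10.15.7 hosts without Security Update 2022-003 carry every CVE listed above; it does not tell you how to find those hosts. The script below is an added example, not Apple's code or part of the advisory: it classifies a host as patched, unpatched, or out of scope. It assumes `sw_vers -productVersion` prints the release as `10.15.7` and that `softwareupdate --history` lists each installed update on a line starting with its display name (assumed here to begin with "Security Update 2022-003"); the sample history text is constructed for illustration, so confirm both formats on a real host before relying on the result.

```shell
#!/bin/sh
# Added example (not from Apple's advisory): decide whether a host still
# needs Security Update 2022-003 Catalina.
#
# Assumptions not stated on the page: `sw_vers -productVersion` prints
# "10.15.7"-style versions, and `softwareupdate --history` prints one update
# per line starting with its display name, assumed to begin with UPDATE_NAME.

UPDATE_NAME="Security Update 2022-003"

# is_catalina VERSION: succeeds when VERSION is a macOS Catalina (10.15.x) release.
is_catalina() {
    case "$1" in
        10.15|10.15.*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_update HISTORY: succeeds when the install history names the update.
# Anchored at line start so a line that merely mentions the name elsewhere
# (for example in another update's description) is not counted.
has_update() {
    printf '%s\n' "$1" | grep -q "^${UPDATE_NAME}"
}

# patch_state VERSION HISTORY: prints patched, unpatched, or not-applicable.
# Catalina hosts without 2022-003 remain exposed to every CVE in the advisory;
# other releases receive the same fixes through their own updates.
patch_state() {
    if ! is_catalina "$1"; then
        echo "not-applicable"
    elif has_update "$2"; then
        echo "patched"
    else
        echo "unpatched"
    fi
}

# Constructed sample of `softwareupdate --history` output (column layout assumed).
SAMPLE_HISTORY='Display Name                                       Version    Date
------------                                       -------    ----
Safari                                             15.3       02/10/2022, 09:12:43
Security Update 2022-003                           10.15.7    03/15/2022, 18:04:21'

if command -v sw_vers >/dev/null 2>&1 && command -v softwareupdate >/dev/null 2>&1; then
    # On a Mac: query the live system.
    patch_state "$(sw_vers -productVersion)" "$(softwareupdate --history)"
else
    # Elsewhere: show the decision on the constructed sample.
    patch_state "10.15.7" "$SAMPLE_HISTORY"
fi
```

The check matches on the display name only. If a fleet tool installs the update package out of band, confirm what name it records in the history before trusting a "patched" verdict, and treat "not-applicable" as a prompt to look up the corresponding advisory for that host's own release rather than as a clean result.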
