[ASA-202107-4] opera: arbitrary code execution

2021-07-01 00:00:00
security.archlinux.org

CVSS2: 6.8
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 8.8
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.018
  Percentile: 88.4%

Arch Linux Security Advisory ASA-202107-4

Severity: High
Date : 2021-07-01
CVE-ID : CVE-2021-30554 CVE-2021-30555 CVE-2021-30556 CVE-2021-30557
Package : opera
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2083

Summary

The package opera before version 77.0.4054.146-1 is vulnerable to
arbitrary code execution.

Resolution

Upgrade to 77.0.4054.146-1.

pacman -Syu "opera>=77.0.4054.146-1"

The problems have been fixed upstream in version 77.0.4054.146.
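
The shell functions below are an added example, not part of the Arch advisory: they classify an opera version string, as `pacman -Q opera` reports it, against the fixed release named above. The function names and sample versions are constructed; only plain N.N.N.N-pkgrel strings are handled (no epoch, integer pkgrel), and pacman's own vercmp remains the authoritative comparison on a live system.

```sh
#!/bin/sh
# Added example: classify an installed opera version against ASA-202107-4.
# Simplified comparison: dotted numeric upstream version, then integer pkgrel.

FIXED="77.0.4054.146-1"   # fixed version stated in the advisory

# ver_lt A B: exit 0 when version A is strictly older than version B.
ver_lt() {
    _av=${1%-*}; _ar=${1##*-}; _bv=${2%-*}; _br=${2##*-}
    while [ -n "$_av" ] || [ -n "$_bv" ]; do
        _x=${_av%%.*}; _y=${_bv%%.*}          # leading numeric field
        case $_av in *.*) _av=${_av#*.} ;; *) _av= ;; esac
        case $_bv in *.*) _bv=${_bv#*.} ;; *) _bv= ;; esac
        _x=${_x:-0}; _y=${_y:-0}              # missing field counts as 0
        [ "$_x" -lt "$_y" ] && return 0       # numeric, so 90 < 146
        [ "$_x" -gt "$_y" ] && return 1
    done
    [ "$_ar" -lt "$_br" ]                     # same upstream: compare pkgrel
}

# opera_status VERSION: print AFFECTED, PATCHED or UNKNOWN.
# Anything outside the assumed format is reported as UNKNOWN, never guessed.
opera_status() {
    case $1 in
        ''|*[!0-9.-]*|*-*-*|-*|*-|.*|*..*|*.-*|*-*.*) echo UNKNOWN; return 0 ;;
        *-*) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    if ver_lt "$1" "$FIXED"; then echo AFFECTED; else echo PATCHED; fi
}

# Constructed sample versions, in the form `pacman -Q opera` reports them.
for v in 76.0.4017.177-1 77.0.4054.146-1 77.0.4054.172-1 1:77.0.4054.90-1; do
    printf '%-22s %s\n' "$v" "$(opera_status "$v")"
done
```

On an Arch host the input would come from `pacman -Q opera`, whose second field is the installed version.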

Workaround

None.

Description

  • CVE-2021-30554 (arbitrary code execution)

A use after free security issue has been found in the WebGL component
of the Chromium browser engine before version 91.0.4472.114. Google is
aware that an exploit for CVE-2021-30554 exists in the wild.

  • CVE-2021-30555 (arbitrary code execution)

A use after free security issue has been found in the Sharing component
of the Chromium browser engine before version 91.0.4472.114.

  • CVE-2021-30556 (arbitrary code execution)

A use after free security issue has been found in the WebAudio
component of the Chromium browser engine before version 91.0.4472.114.

  • CVE-2021-30557 (arbitrary code execution)

A use after free security issue has been found in the TabGroups
component of the Chromium browser engine before version 91.0.4472.114.

Impact

A remote attacker could execute arbitrary code through a crafted web
page. Google is aware that an exploit for one of the security issues
exists in the wild.

References

https://blogs.opera.com/desktop/changelog-for-77/
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html
https://crbug.com/1219857
https://crbug.com/1215029
https://crbug.com/1212599
https://crbug.com/1202102
https://security.archlinux.org/CVE-2021-30554
https://security.archlinux.org/CVE-2021-30555
https://security.archlinux.org/CVE-2021-30556
https://security.archlinux.org/CVE-2021-30557

OS         Version  Architecture  Package  Version            Filename
ArchLinux  any      any           opera    < 77.0.4054.146-1  UNKNOWN
