CVE-2022-47630

2023-01-1616:15:10

Debian Security Bug Tracker

security-tracker.debian.org

trusted firmware-a

x.509 parser

out-of-bounds read

vulnerability

boot certificates

microarchitectural state

unix

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

0.001 Low

EPSS

Percentile

50.0%

JSON

Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.

OSVersionArchitecturePackageVersionFilename
Debian12allarm-trusted-firmware<= 2.8.0+dfsg-1arm-trusted-firmware_2.8.0+dfsg-1_all.deb
Debian11allarm-trusted-firmware<= 2.4+dfsg-2arm-trusted-firmware_2.4+dfsg-2_all.deb
Debian999allarm-trusted-firmware< 2.9.0+dfsg-3arm-trusted-firmware_2.9.0+dfsg-3_all.deb
Debian13allarm-trusted-firmware< 2.9.0+dfsg-3arm-trusted-firmware_2.9.0+dfsg-3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	arm-trusted-firmware	<= 2.8.0+dfsg-1	arm-trusted-firmware_2.8.0+dfsg-1_all.deb
Debian	11	all	arm-trusted-firmware	<= 2.4+dfsg-2	arm-trusted-firmware_2.4+dfsg-2_all.deb
Debian	999	all	arm-trusted-firmware	< 2.9.0+dfsg-3	arm-trusted-firmware_2.9.0+dfsg-3_all.deb
Debian	13	all	arm-trusted-firmware	< 2.9.0+dfsg-3	arm-trusted-firmware_2.9.0+dfsg-3_all.deb