Security Bulletin: Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-1280, CVE-2023-0386, CVE-2022-4269, CVE-2022-2873, CVE-2022-4378)

Summary

IBM Spectrum Copy Data Management can be affected by vulnerabilities in Linux Kernel. Vulnerabilities include gaining elevated privileges, obtaining sensitive information, causing the system to crash, and denial of service attack, as described by the CVEs in the “Vulnerability Details” section.

Vulnerability Details

CVEID:CVE-2022-1280
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw in the drm_lease_held function in drivers/gpu/drm/drm_lease.c. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition or obtain sensitive information.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224213 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H)

CVEID:CVE-2023-0386
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper ownership management in the OverlayFS subsystem. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250929 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-4269
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a flaw in the Traffic Control (TC) subsystem. By using a specially-crafted networking configuration, a local authenticated attacker could exploit this vulnerability to cause a CPU soft lockup (ABBA deadlock), and results in a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241398 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-2873
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory access flaw in the iSMT SMBus host controller driver. By sending a specially-crafted request using I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS), a local authenticated attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234113 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-4378
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in the __do_proc_dointvec function. By executing a specially-crafted program, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242006 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Affected Versions|**Fixing
**Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
2.2.0.0 - 2.2.19.0| 2.2.20.0| Linux| https://www.ibm.com/support/pages/node/6988949

Workarounds and Mitigations

None