Lucene search

K
ibmIBM7A31AC3AD76478BCDFF5EAFDE198D822A87AF40F80D6BE332BB307F284077425
HistoryJan 17, 2023 - 4:48 p.m.

Security Bulletin: Vulnerabilities in Linux Kernel and Golang Go might affect IBM Spectrum Copy Data Management

2023-01-1716:48:39
www.ibm.com
29

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.009 Low

EPSS

Percentile

82.4%

Summary

Vulnerabilities in Linux Kernel and Golang Go might affect IBM Spectrum Copy Data Management. Vulnerabilities include denial of service, elevation of privileges, obtaining sensitive information, bypassing security restrictions, buffer overflow, and execution of arbitrary code on system.

Vulnerability Details

CVEID:CVE-2021-3640
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw in the sco_send_frame function. By using a specially-crafted payload, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206144 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-2938
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw in the implementation of Pressure Stall Information. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234236 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-29581
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper update of reference count in net/sched. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226762 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-28893
**DESCRIPTION:**Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the inet_put_port function in the SUNRPC subsystem. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223864 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-41716
**DESCRIPTION:**Golang Go could allow a remote attacker to bypass security restrictions, caused by improper checking for invalid environment variable values in syscall.StartProcess and os/exec.Cmd. By using a specially-crafted environment variable value, an attacker could exploit this vulnerability to set a value for a different environment variable.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240206 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2022-36946
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by an error in the nfqnl_mangle in net/netfilter/nfnetlink_queue.c. By sending a specially-crafted request where the attacker truncates the packet below the header size, a remote attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232324 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-1055
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free exists in tc_new_tfilter. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges on the system.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222851 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2022-2586
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free flaw in the nf_tables cross-table reference. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233084 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-1184
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw in the dx_insert_block() function in in fs/ext4/namei.c. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234729 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-36558
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a race condition in VT_RESIZEX. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231892 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-28390
**DESCRIPTION:**Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a double-free flaw in ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223319 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-1016
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a use-after-free flaw in net/netfilter/nf_tables_core.c:nft_do_chain. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain kernel information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222846 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-0854
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by memory leak flaw in the DMA subsystem. By sending a specially-crafted request using the DMA_FROM_DEVICE function, an attacker could exploit this vulnerability to read random memory from the kernel space, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222424 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-2078
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a buffer overflow in the nft_set_desc_concat_parse() function. By sending a specially-crafted HTTP request, a local authenticated attacker could exploit this vulnerability to cause a denial of service and possibly execute arbitrary code on the system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230147 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-2639
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by an integer coercion error in the openvswitch kernel module. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause the system to crash.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235135 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Copy Data Management 2.2.0.0-2.2.18.0

Remediation/Fixes

IBM Spectrum Copy Data Management****Affected Versions|**Fixing
**Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
2.2.0.0-2.2.18.0| 2.2.18.1| Linux| <https://www.ibm.com/support/pages/node/6833906&gt;

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm spectrum copy data managementeq2.2

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.009 Low

EPSS

Percentile

82.4%