Lucene search

K
redhatRedHatRHSA-2023:2487
HistoryMay 09, 2023 - 5:12 a.m.

(RHSA-2023:2487) Moderate: fwupd security and bug fix update

2023-05-0905:12:08
access.redhat.com
25
fwupd
security fix
bug fix
password
redfish.conf
cve-2022-3287
shim
secure boot bypass
cve-2022-34301
cve-2022-34302
cve-2022-34303
device firmware
red hat enterprise linux

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

34.5%

The fwupd packages provide a service that allows session software to update device firmware.

Security Fix(es):

  • fwupd: world readable password in /etc/fwupd/redfish.conf (CVE-2022-3287)

  • shim: 3rd party shim allow secure boot bypass (CVE-2022-34301)

  • shim: 3rd party shim allow secure boot bypass (CVE-2022-34302)

  • shim: 3rd party shim allow secure boot bypass (CVE-2022-34303)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

34.5%