Lucene search

K
redhatRedHatRHSA-2023:2932
HistoryMay 16, 2023 - 5:58 a.m.

(RHSA-2023:2932) Important: edk2 security update

2023-05-1605:58:27
access.redhat.com
60
edk2
uefi support
virtual machines
openssl
x.400 address type
timing attack
double free
use-after-free
security update
red hat enterprise linux.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.005

Percentile

76.3%

EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.

Security Fix(es):

  • openssl: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

  • openssl: timing attack in RSA Decryption implementation (CVE-2022-4304)

  • openssl: double free after calling PEM_read_bio_ex (CVE-2022-4450)

  • openssl: use-after-free following BIO_new_NDEF (CVE-2023-0215)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.

OSVersionArchitecturePackageVersionFilename
RedHat8noarchedk2-ovmf< 20220126gitbb1bba3d77-4.el8edk2-ovmf-20220126gitbb1bba3d77-4.el8.noarch.rpm
RedHat8noarchedk2-aarch64< 20220126gitbb1bba3d77-4.el8edk2-aarch64-20220126gitbb1bba3d77-4.el8.noarch.rpm

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.005

Percentile

76.3%