Security-bulletin June 2022

security@openharmony.io

1 participants
1 discussions

OpenHarmony6月安全公告 Security Vulnerabilities in June 2022

by Liuxu (louis)

2022年6月安全漏洞发布于2022.6.6 漏洞编号相关漏洞漏洞描述漏洞影响受影响的版本受影响的仓库修复链接参考链接 OpenHarmony-SA-2022-0601 NA 事件通知子系统反序列化对象时会绕过认证机制。攻击者可在本地发起攻击，造成权限绕过，导致服务端进程崩溃。 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release notification_ces_standard 链接<https://gitee.com/openharmony/notification_common_event_service/pulls/269> 本项目组上报 OpenHarmony-SA-2022-0602 NA 事件通知子系统存在校验绕过漏洞，可发起SA中继攻击。攻击者可在本地发起攻击，造成校验绕过，获得系统控制权。 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS notification_ces_standard 链接<https://gitee.com/openharmony/notification_common_event_service/pulls/245> 本项目组上报 OpenHarmony-SA-2022-0603 NA 升级服务组件存在校验绕过漏洞，可发起SA中继攻击。攻击者可在本地发起攻击，造成校验绕过，获得系统控制权。 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS update_updateservice 链接<https://gitee.com/openharmony/update_updateservice/pulls/115> 本项目组上报 OpenHarmony-SA-2022-0604 NA 多媒体子系统存在校验绕过漏洞，可发起SA中继攻击。攻击者可在本地发起攻击，造成校验绕过，获取系统控制权。 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS multimedia_media_standard 链接<https://gitee.com/openharmony/multimedia_media_standard/pulls/567> 本项目组上报以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本，详细信息请参考三方公告。 CVE 严重程度受影响的OpenHarmony版本修复链接 CVE-2022-25313 中 OpenHarmony-v3.0-LTS和OpenHarmony-v3.0.1-LTS 链接<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-25314 高 OpenHarmony-v3.0-LTS和OpenHarmony-v3.0.1-LTS 链接<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-25315 中 OpenHarmony-v3.0-LTS和OpenHarmony-v3.0.1-LTS 链接<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-25235 高 OpenHarmony-v3.0-LTS和OpenHarmony-v3.0.1-LTS 链接<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-25236 严重 OpenHarmony-v3.0-LTS和OpenHarmony-v3.0.1-LTS 链接<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-23308 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.2-LTS 链接<https://gitee.com/openharmony/third_party_libxml2/pulls/11> CVE-2022-25375 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2022-25258 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2022-0435 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2022-24959 低 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2021-44879 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2022-24958 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2021-45402 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2021-4160 中 OpenHarmony-v3.0-LTS和OpenHarmony-v3.0.1-LTS 链接<https://gitee.com/openharmony/third_party_openssl/pulls/29> CVE-2022-0778 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/third_party_openssl/pulls/34> CVE-2022-0886 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/143> CVE-2022-1055 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-0995 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2021-39698 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-0494 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-1048 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-1016 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2021-39686 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-0500 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/163> CVE-2022-28390 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-28389 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-28388 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-28893 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-1353 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-29156 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-29156 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-28356 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2019-16089 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/152> CVE-2021-4156 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/third_party_libsnd/pulls/10> CVE-2022-22576 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/third_party_curl/pulls/52> CVE-2022-27775 低 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/third_party_curl/pulls/52> CVE-2022-27776 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/third_party_curl/pulls/52> CVE-2022-27774 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS和OpenHarmony-v3.1-Release 链接<https://gitee.com/openharmony/third_party_curl/pulls/52> CVE-2021-3520 严重 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.2-LTS 链接<https://gitee.com/openharmony/third_party_lz4/pulls/2> CVE-2021-44732 严重 OpenHarmony-v3.0-LTS和OpenHarmony-v3.0.1-LTS 链接<https://gitee.com/openharmony/third_party_mbedtls/pulls/31> CVE-2021-36690 高 OpenHarmony-v3.0-LTS和OpenHarmony-v3.0.1-LTS 链接<https://gitee.com/openharmony/third_party_sqlite/pulls/4> CVE-2021-3732 低 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.3-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/180> CVE-2021-22570 高 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.2-LTS 链接<https://gitee.com/openharmony/third_party_protobuf/pulls/26> CVE-2021-22569 中 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.2-LTS 链接<https://gitee.com/openharmony/third_party_protobuf/pulls/27> Security Vulnerabilities in June 2022 published June 6,2022 Vulnerability ID related Vulnerability Vulnerability Descripton Vulnerability Impact affected versions affected projects fix link reference OpenHarmony-SA-2022-0601 NA The notification subsystem in OpenHarmony has an authentication bypass vulnerability when deserialize an object. Local attackers can bypass authenication and crash the server process. OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release notification_ces_standard Link<https://gitee.com/openharmony/notification_common_event_service/pulls/269> Reported by OpenHarmony Team OpenHarmony-SA-2022-0602 NA The notification subsystem in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack". Local attackers can bypass authentication and get system control. OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS notification_ces_standard Link<https://gitee.com/openharmony/notification_common_event_service/pulls/245> Reported by OpenHarmony Team OpenHarmony-SA-2022-0603 NA The updateservice in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack". Local attackers can bypass authentication and get system control. OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS update_updateservice Link<https://gitee.com/openharmony/update_updateservice/pulls/115> Reported by OpenHarmony Team OpenHarmony-SA-2022-0604 NA The multimedia subsystem in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack". Local attackers can bypass authentication and get system control. OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS multimedia_media_standard Link<https://gitee.com/openharmony/multimedia_media_standard/pulls/567> Reported by OpenHarmony Team The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties. CVE severity affected OpenHarmony versions fix link CVE-2022-25313 Medium OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS Link<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-25314 High OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS Link<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-25315 Medium OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS Link<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-25235 High OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS Link<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-25236 Critical OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS Link<https://gitee.com/openharmony/third_party_expat/pulls/10> CVE-2022-23308 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS Link<https://gitee.com/openharmony/third_party_libxml2/pulls/11> CVE-2022-25375 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2022-25258 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2022-0435 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2022-24959 Low OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2021-44879 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2022-24958 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2021-45402 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/146> CVE-2021-4160 Medium OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS Link<https://gitee.com/openharmony/third_party_openssl/pulls/29> CVE-2022-0778 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/third_party_openssl/pulls/34> CVE-2022-0886 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/143> CVE-2022-1055 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-0995 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2021-39698 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-0494 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-1048 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-1016 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2021-39686 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/175> CVE-2022-0500 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/163> CVE-2022-28390 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-28389 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-28388 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-28893 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-1353 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-29156 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2022-28356 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/181> CVE-2019-16089 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/152> CVE-2021-4156 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/third_party_libsnd/pulls/10> CVE-2022-22576 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/third_party_curl/pulls/52> CVE-2022-27775 Low OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/third_party_curl/pulls/52> CVE-2022-27776 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/third_party_curl/pulls/52> CVE-2022-27774 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release Link<https://gitee.com/openharmony/third_party_curl/pulls/52> CVE-2021-3520 Critical OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS Link<https://gitee.com/openharmony/third_party_lz4/pulls/2> CVE-2021-44732 Critical OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS Link<https://gitee.com/openharmony/third_party_mbedtls/pulls/31> CVE-2021-36690 High OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS Link<https://gitee.com/openharmony/third_party_sqlite/pulls/4> CVE-2021-3732 Low OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/180> CVE-2021-22570 High OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS Link<https://gitee.com/openharmony/third_party_protobuf/pulls/26> CVE-2021-22569 Medium OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS Link<https://gitee.com/openharmony/third_party_protobuf/pulls/27>

1 year, 10 months

2024

2023

2022

Security-bulletin June 2022