2024

2023

2022

List overview
Download

Security-bulletin January 2023

security@openharmony.io

1 participants
1 discussions

Start a nNew thread

OpenHarmony 2023年01月安全公告 Security Vulnerabilities in January 2023

by Liuxu (louis)

2023年01月安全漏洞发布于2022.01.03 最后更新于2022.01.03 漏洞编号相关漏洞漏洞描述漏洞影响 CVSS3.1基础得分受影响的版本受影响的仓库修复链接参考链接 OpenHarmony-SA-2023-0101 CVE-2023-0035 通信子系统软总线部件softbus_client_stub存在校验绕过漏洞，可发起SA中继攻击。攻击者可在本地内发起攻击，造成校验绕过，可进一步提权攻击其他SA。 6.5 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.5-LTS communication_dsoftbus 3.0.x<https://gitee.com/openharmony/communication_dsoftbus/pulls/2140> 本项目组上报 OpenHarmony-SA-2023-0102 CVE-2023-0036 杂散子系统输入法部件platform_callback_stub存在校验绕过漏洞，可发起SA中继攻击。攻击者可在本地内发起攻击，造成校验绕过，可进一步提权攻击其他SA。 6.5 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.5-LTS inputmethod_imf 3.0.x<https://gitee.com/openharmony/inputmethod_imf/pulls/228> 本项目组上报以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本，详细信息请参考三方公告。 CVE 严重程度受影响的OpenHarmony版本修复链接 CVE-2021-3782 严重 OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.6-LTS 3.0.x<https://gitee.com/openharmony/third_party_wayland_standard/pulls/22> CVE-2022-3046 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3041 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3040 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3039 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3038 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3057 中 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3195 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3054 中 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3075 严重 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3373 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3370 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3311 中 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3316 中 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3315 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3304 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-43680 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/third_party_expat/pulls/23> 3.0.x<https://gitee.com/openharmony/third_party_expat/pulls/22> CVE-2022-32221 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/91> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/90> CVE-2022-42916 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/91> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/90> CVE-2022-42915 严重 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/91> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/90> CVE-2022-44638 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/third_party_pixman/pulls/11> 3.0.x<https://gitee.com/openharmony/third_party_pixman/pulls/12> CVE-2022-40284 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/third_party_ntfs-3g/pulls/33> CVE-2022-40303 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/third_party_libxml2/pulls/31> 3.0.x<https://gitee.com/openharmony/third_party_libxml2/pulls/32> CVE-2022-40304 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/third_party_libxml2/pulls/31> 3.0.x<https://gitee.com/openharmony/third_party_libxml2/pulls/32> CVE-2022-37454 严重 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/35> CVE-2022-42919 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/36> CVE-2022-45061 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/37> CVE-2020-10735 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/26> CVE-2022-3169 中 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/553> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/561> CVE-2022-42895 中 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/544> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/545> CVE-2022-42896 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/544> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/545> CVE-2022-41858 中 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/569> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/570> CVE-2022-45934 中 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/586> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/587> CVE-2022-4139 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/567> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/568> CVE-2022-20566 低 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/582> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/583> CVE-2022-4378 高 OpenHarmony-v3.1-Release到OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS到OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/586> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/587> Security Vulnerabilities in January 2023 published January 3,2023 updated January 3,2023 Vulnerability ID related Vulnerability Vulnerability Description Vulnerability Impact CVSS3.1 Base Score affected versions affected projects fix link reference OpenHarmony-SA-2023-0101 CVE-2023-0035 softbus_client_stub in communication subsystem has an authentication bypass vulnerability which allows an "SA relay attack". Local attackers can bypass authentication and attack other SAs with high privilege. 6.5 OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS communication_dsoftbus 3.0.x<https://gitee.com/openharmony/communication_dsoftbus/pulls/2140> Reported by OpenHarmony Team OpenHarmony-SA-2023-0102 CVE-2023-0036 platform_callback_stub in misc subsystem has an authentication bypass vulnerability which allows an "SA relay attack". Local attackers can bypass authentication and attack other SAs with high privilege. 6.5 OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS inputmethod_imf 3.0.x<https://gitee.com/openharmony/inputmethod_imf/pulls/228> Reported by OpenHarmony Team The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties. CVE severity affected OpenHarmony versions fix link CVE-2021-3782 Critical OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.0.x<https://gitee.com/openharmony/third_party_wayland_standard/pulls/22> CVE-2022-3046 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3041 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3040 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3039 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3038 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3057 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3195 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3054 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3075 Critical OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/349> CVE-2022-3373 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3370 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3311 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3316 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3315 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-3304 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/464> CVE-2022-43680 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/third_party_expat/pulls/23> 3.0.x<https://gitee.com/openharmony/third_party_expat/pulls/22> CVE-2022-32221 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/91> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/90> CVE-2022-42916 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/91> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/90> CVE-2022-42915 Critical OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/91> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/90> CVE-2022-44638 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/third_party_pixman/pulls/11> 3.0.x<https://gitee.com/openharmony/third_party_pixman/pulls/12> CVE-2022-40284 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/third_party_ntfs-3g/pulls/33> CVE-2022-40303 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/third_party_libxml2/pulls/31> 3.0.x<https://gitee.com/openharmony/third_party_libxml2/pulls/32> CVE-2022-40304 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/third_party_libxml2/pulls/31> 3.0.x<https://gitee.com/openharmony/third_party_libxml2/pulls/32> CVE-2022-37454 Critical OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/35> CVE-2022-42919 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/36> CVE-2022-45061 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/37> CVE-2020-10735 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/26> CVE-2022-3169 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/553> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/561> CVE-2022-42895 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/544> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/545> CVE-2022-42896 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/544> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/545> CVE-2022-41858 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/569> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/570> CVE-2022-45934 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/586> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/587> CVE-2022-4139 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/567> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/568> CVE-2022-20566 Low OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/582> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/583> CVE-2022-4378 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/586> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/587>

1 year, 3 months

1
0
0 0