lists.openatom.io
Security-bulletin

security@openharmony.io

  • 1 participant
  • 45 discussions
OpenHarmony Security Vulnerabilities in September 2022
by OpenHarmony-CNA, 06 Sep '22
Published September 6, 2022; last updated September 6, 2022.

Columns of the original bulletin: Vulnerability ID, Related vulnerability, Vulnerability description, Vulnerability impact, CVSS 3.1 base score, Affected versions, Affected repositories, Fix link, Reference. In this bulletin the fix links are given by branch name only; the link targets are not preserved in the archived message. The bulletin was posted in Chinese and in English; where the two texts differ, the Chinese wording is noted in parentheses.

OpenHarmony-SA-2022-0901
  Related vulnerability: CVE-2022-36423
  Description: Incorrect configuration of the cJSON library leads to a stack overflow during recursive parsing.
  Impact: LAN attackers can launch a DoS attack against devices on the network, crashing the process.
  CVSS 3.1 base score: 7.4
  Affected versions: OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v1.1.0-LTS through OpenHarmony-v1.1.5-LTS
  Affected repository: third_party_cJSON
  Fix links: 3.1.x, 3.1.x, 3.0.x, 3.0.x, 1.1.x, 1.1.x
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0902
  Related vulnerability: CVE-2022-38081
  Description: The tokensync system service in the security subsystem has a caller permission check bypass vulnerability.
  Impact: LAN attackers can bypass distributed call permission control. Exploiting this vulnerability requires an additional vulnerability that grants system privileges.
  CVSS 3.1 base score: 6.2
  Affected versions: OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release
  Affected repository: security_access_token
  Fix links: 3.1.x
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0903
  Related vulnerability: CVE-2022-38701
  Description: IPC in the communication subsystem has a heap overflow vulnerability. (The Chinese text describes it as a heap memory leak in the IPC interface of the distributed soft bus module.)
  Impact: Local attackers can trigger a heap overflow and obtain sensitive network information. (The Chinese text states that LAN attackers can bypass distributed call permission control.)
  CVSS 3.1 base score: 6.2
  Affected versions: OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS
  Affected repository: communication_dsoftbus
  Fix links: 3.1.x, 3.0.x
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0904
  Related vulnerability: CVE-2022-38064
  Description: The windowmanager system service in the window subsystem has a caller permission check bypass vulnerability.
  Impact: Local attackers can bypass permission control and obtain sensitive device information.
  CVSS 3.1 base score: 6.2
  Affected versions: OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release
  Affected repository: windowmanager
  Fix links: 3.1.x
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0905
  Related vulnerability: CVE-2022-38700
  Description: The camera service in the multimedia subsystem has a caller permission check bypass vulnerability.
  Impact: LAN attackers can bypass permission control and gain access to the camera service.
  CVSS 3.1 base score: 8.8
  Affected versions: OpenHarmony-v3.1-Release
  Affected repository: multimedia_camera_standard
  Fix links: 3.1.x
  Reference: Reported by OpenHarmony Team

The following table lists third-party library vulnerabilities; only the CVE, severity and affected OpenHarmony versions are given. For details, see the security bulletins released by the third parties.

CVE | Severity | Affected OpenHarmony versions | Fix link
--- | --- | --- | ---
CVE-2022-34918 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-33981 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-33743 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-33742 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-33741 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-33740 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-32981 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-32296 | Low | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-32250 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-29582 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-27666 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x
CVE-2022-26365 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-2380 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-2318 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-2153 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-21499 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-21166 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-21125 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-21123 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-20154 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-20153 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-20141 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-20132 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-20009 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x
CVE-2022-1998 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1975 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1972 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1852 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-1836 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1789 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-1652 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2022-1508 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1205 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1204 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1198 | Medium | OpenHarmony-v3.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.1.x, 3.0.x
CVE-2022-0644 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2021-45868 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x
CVE-2021-4135 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2021-33061 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2021-28713 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2021-28712 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2021-28711 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.0.x
CVE-2021-26401 | Medium | OpenHarmony-v3.1-Release | 3.1.x
CVE-2022-37434 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v1.1.1-LTS through OpenHarmony-v1.1.5-LTS | 3.1.x, 3.0.x, 1.1.x
CVE-2022-1587 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-1586 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-2097 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-2068 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-30789 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-30788 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-30787 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-30786 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-30785 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-30784 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-30783 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2021-46790 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-32215 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-32213 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-32212 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-2097 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x (listed a second time in the bulletin)
CVE-2021-46822 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.1.x
CVE-2022-2122 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1925 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1924 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1923 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1922 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1921 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-1920 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-34835 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-30767 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-30552 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-32208 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-32207 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-32206 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
CVE-2022-32205 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | 3.1.x, 3.0.x
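OpenHarmony-SA-2022-0901 above attributes the cJSON stack overflow to a library misconfiguration that lets recursive parsing descend without bound. The C below is an added example, not code from the bulletin, from OpenHarmony or from cJSON: it shows the defensive gate a device service can place in front of any recursive JSON parser, a non-recursive scan that measures the nesting depth of network-supplied text and rejects documents deeper than the limit the parser was built to tolerate (cJSON exposes that limit as the CJSON_NESTING_LIMIT compile-time option). The limit of 1000, the function names and the sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returned by json_max_depth() when brackets do not balance. */
#define JSON_DEPTH_UNBALANCED (-1)

/*
 * Measure the deepest array/object nesting in raw JSON text without
 * building a tree and without recursion, so the check itself cannot
 * exhaust the stack. Brackets inside string literals (including ones
 * following an escaped quote) are ignored. Only depth and bracket
 * balance are checked; full syntax validation is left to the real
 * parser, which is invoked only after this gate has passed.
 */
int json_max_depth(const char *text, size_t len)
{
    int depth = 0, max_depth = 0;
    int in_string = 0, escaped = 0;

    for (size_t i = 0; i < len; i++) {
        char c = text[i];
        if (in_string) {
            if (escaped)          escaped = 0;
            else if (c == '\\')   escaped = 1;
            else if (c == '"')    in_string = 0;
            continue;
        }
        switch (c) {
        case '"':
            in_string = 1;
            break;
        case '[': case '{':
            if (++depth > max_depth) max_depth = depth;
            break;
        case ']': case '}':
            if (--depth < 0) return JSON_DEPTH_UNBALANCED;
            break;
        default:
            break;
        }
    }
    if (depth != 0 || in_string) return JSON_DEPTH_UNBALANCED;
    return max_depth;
}

/*
 * Gate to run before a recursive parser: 1 if the document nests no
 * deeper than `limit` (the depth the parser is compiled to tolerate),
 * 0 if it must be rejected. Unbalanced input is rejected as well.
 */
int json_within_depth_limit(const char *text, size_t len, int limit)
{
    int d = json_max_depth(text, len);
    return d != JSON_DEPTH_UNBALANCED && d <= limit;
}

/*
 * Constructed sample: build "[[[...]]]" nested n levels deep (n <= 2048)
 * and report 1 if the gate rejects it for `limit`, 0 if it passes,
 * -1 if n does not fit the buffer.
 */
int deep_input_rejected(int n, int limit)
{
    static char buf[4096];
    if (n < 0 || (size_t)n * 2 > sizeof buf) return -1;
    memset(buf, '[', (size_t)n);
    memset(buf + n, ']', (size_t)n);
    return json_within_depth_limit(buf, (size_t)n * 2, limit) ? 0 : 1;
}

int main(void)
{
    /* Assumed parser configuration: a nesting limit of 1000 levels. */
    const int limit = 1000;
    /* Constructed samples, not taken from the bulletin. */
    const char *benign = "{\"device\":\"lan-node\",\"caps\":[1,2,[3]]}";
    const char *deep_sample = "[[[[[[[[[[[[]]]]]]]]]]]]";

    printf("benign: depth %d, accepted=%d\n",
           json_max_depth(benign, strlen(benign)),
           json_within_depth_limit(benign, strlen(benign), limit));
    printf("12-deep sample: depth %d, accepted at limit 8=%d\n",
           json_max_depth(deep_sample, strlen(deep_sample)),
           json_within_depth_limit(deep_sample, strlen(deep_sample), 8));
    printf("2000-deep sample rejected at limit %d: %d\n",
           limit, deep_input_rejected(2000, limit));
    return 0;
}
```

The scan is linear in the input and uses constant stack, so it can be run on every message before the parser sees it; the limit passed to json_within_depth_limit should be no larger than the depth the parser itself enforces, otherwise the gate admits input the parser will still recurse into.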
OpenHarmony Security Vulnerabilities in August 2022
by Liuxu (louis), 03 Aug '22
Published August 2, 2022.

Columns of the original bulletin: Vulnerability ID, Related vulnerability, Vulnerability description, Vulnerability impact, Affected versions, Affected repositories, Fix link, Reference. The bulletin was posted in Chinese and in English with the same content.

OpenHarmony-SA-2022-0801
  Related vulnerability: NA
  Description: DecodeUCS2Data in the telephony_sms_mms component of the telephony subsystem has a DoS vulnerability.
  Impact: Network attackers can cause an invalid memory access and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Affected repository: telephony_sms_mms
  Fix links: 3.0.x: https://gitee.com/openharmony/telephony_sms_mms/pulls/404; 3.1.x: https://gitee.com/openharmony/telephony_sms_mms/pulls/355
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0802
  Related vulnerability: NA
  Description: DecodeGSMData in the telephony_sms_mms component of the telephony subsystem has a DoS vulnerability.
  Impact: Network attackers can cause an invalid memory access and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Affected repository: telephony_sms_mms
  Fix links: 3.0.x: https://gitee.com/openharmony/telephony_sms_mms/pulls/404; 3.1.x: https://gitee.com/openharmony/telephony_sms_mms/pulls/355
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0803
  Related vulnerability: NA
  Description: DecodeAddress in the telephony_sms_mms component of the telephony subsystem has a DoS vulnerability.
  Impact: Network attackers can cause an invalid memory access and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Affected repository: telephony_sms_mms
  Fix links: 3.0.x: https://gitee.com/openharmony/telephony_sms_mms/pulls/404; 3.1.x: https://gitee.com/openharmony/telephony_sms_mms/pulls/355
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0804
  Related vulnerability: NA
  Description: Decode8bitData in the telephony_sms_mms component of the telephony subsystem has a DoS vulnerability.
  Impact: Network attackers can cause an invalid memory access and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Affected repository: telephony_sms_mms
  Fix links: 3.0.x: https://gitee.com/openharmony/telephony_sms_mms/pulls/404; 3.1.x: https://gitee.com/openharmony/telephony_sms_mms/pulls/355
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0806
  Related vulnerability: NA
  Description: The SendMessage interface of the distributed soft bus (dsoftbus) component in the communication subsystem has a vulnerability that allows permission control to be bypassed.
  Impact: Local attackers can bypass the permission check and write arbitrary data to devices on the LAN.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Affected repository: communication_dsoftbus
  Fix links: 3.0.x: https://gitee.com/openharmony/communication_dsoftbus/pulls/1668
  Reference: Reported by OpenHarmony Team

The following table lists third-party library vulnerabilities; only the CVE, severity and affected OpenHarmony versions are given. For details, see the security bulletins released by the third parties.

CVE | Severity | Affected OpenHarmony versions | Fix link
--- | --- | --- | ---
CVE-2022-1729 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/255; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/299
CVE-2022-29581 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/255; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/299
CVE-2022-20008 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/241; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/214
CVE-2022-1195 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/241; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/214
CVE-2022-1516 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/241; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/214
CVE-2022-30594 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/241; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/214
CVE-2022-1012 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/237; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/224
CVE-2022-29824 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x: https://gitee.com/openharmony/third_party_libxml2/pulls/23; 3.1.x: https://gitee.com/openharmony/third_party_libxml2/pulls/21
CVE-2022-1475 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x: https://gitee.com/openharmony/third_party_ffmpeg/pulls/41; 3.1.x: https://gitee.com/openharmony/third_party_ffmpeg/pulls/36
CVE-2022-27406 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/third_party_freetype/pulls/17; 3.1.x: not fixed
CVE-2022-27404 | Critical | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/third_party_freetype/pulls/17; 3.1.x: not fixed
CVE-2022-1974 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/260; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/302
CVE-2022-1734 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/260; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/214
CVE-2022-1199 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/260; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/333
CVE-2022-1966 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/258; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/332
CVE-2022-1786 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/258; 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/332
CVE-2022-1280 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/233
CVE-2022-45868 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/233
OpenHarmony July Security Bulletin: Security Vulnerabilities in July 2022
by Liuxu (louis) 05 Jul '22
Security Vulnerabilities in July 2022 (published July 5, 2022)

OpenHarmony-SA-2022-0701
  Related vulnerability: NA
  Description: The Bluetooth component in the communication subsystem has a DoS vulnerability that crashes the process.
  Impact: Local attackers can trigger a very large loop and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS
  Affected project: communication_bluetooth
  Fix link: 3.0.x <https://gitee.com/openharmony/communication_bluetooth/pulls/179>
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0702
  Related vulnerability: NA
  Description: The updater (update package installation component) in the update subsystem has a null pointer dereference vulnerability that crashes the process.
  Impact: Local attackers can pass in a null pointer and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS
  Affected project: update_updater
  Fix link: 3.0.x <https://gitee.com/openharmony/update_updater/pulls/101>
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0703
  Related vulnerability: NA
  Description: The dsoftbus in the communication subsystem has an authentication bypass vulnerability which allows an "SA relay attack".
  Impact: Local attackers can bypass authentication and gain control of the system.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS
  Affected project: communication_dsoftbus
  Fix link: 3.0.x <https://gitee.com/openharmony/communication_dsoftbus/pulls/142>
  Reference: Reported by OpenHarmony Team

The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third parties.

CVE | Severity | Affected OpenHarmony versions | Fix link
CVE-2022-1292 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x <https://gitee.com/openharmony/third_party_openssl/pulls/48>; 3.1.x <https://gitee.com/openharmony/third_party_openssl/pulls/49>
CVE-2022-27781 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release; OpenHarmony-v1.1.0-Release through OpenHarmony-v1.1.4-LTS | 3.0.x <https://gitee.com/openharmony/third_party_curl/pulls/63>; 3.1.x <https://gitee.com/openharmony/third_party_curl/pulls/61>; 1.1.x <https://gitee.com/openharmony/third_party_curl/pulls/60>
CVE-2022-27782 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release; OpenHarmony-v1.1.0-Release through OpenHarmony-v1.1.4-LTS | 3.0.x <https://gitee.com/openharmony/third_party_curl/pulls/63>; 3.1.x <https://gitee.com/openharmony/third_party_curl/pulls/61>; 1.1.x <https://gitee.com/openharmony/third_party_curl/pulls/60>
CVE-2022-0168 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/218>; 3.1.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/214>
CVE-2022-0330 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/218>; 3.1.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/214>
CVE-2022-0001 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/202>; 3.1.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/214>
CVE-2022-0002 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/202>; 3.1.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/214>
CVE-2022-23960 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/201>; 3.1.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/214>
CVE-2022-0322 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/201>
CVE-2021-32078 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/198>
CVE-2021-38205 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/198>
CVE-2021-38166 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/198>
CVE-2021-42739 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/198>
CVE-2022-0854 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/194>
CVE-2022-23037 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/190>
CVE-2022-23039 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/190>
CVE-2022-23040 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/190>
CVE-2022-23038 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/190>
CVE-2022-23041 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/190>
CVE-2022-23042 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/190>
CVE-2022-23036 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/190>
CVE-2022-0998 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/181>; 3.1.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/214>
CVE-2021-4203 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/180>
CVE-2021-39633 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/180>
CVE-2021-46283 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/180>
CVE-2021-4149 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/180>
CVE-2021-4204 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/163>
CVE-2021-3640 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-3669 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-3759 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-3752 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2020-27820 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-43976 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-43975 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-4001 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-4002 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-4037 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2020-12363 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2020-12364 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-39685 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
CVE-2021-4083 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
CVE-2021-45095 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
CVE-2021-44733 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
CVE-2021-45469 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
CVE-2021-4197 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
CVE-2021-45480 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
CVE-2021-4155 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
CVE-2021-4202 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | 3.0.x <https://gitee.com/openharmony/kernel_linux_5.10/pulls/144>
OpenHarmony June Security Bulletin: Security Vulnerabilities in June 2022
by Liuxu (louis) 06 Jun '22
Security Vulnerabilities in June 2022 (published June 6, 2022)

OpenHarmony-SA-2022-0601
  Related vulnerability: NA
  Description: The notification subsystem in OpenHarmony bypasses the authentication mechanism when deserializing an object.
  Impact: Local attackers can bypass authentication and crash the server process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release
  Affected project: notification_ces_standard
  Fix link: <https://gitee.com/openharmony/notification_common_event_service/pulls/269>
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0602
  Related vulnerability: NA
  Description: The notification subsystem in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack".
  Impact: Local attackers can bypass authentication and gain control of the system.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS
  Affected project: notification_ces_standard
  Fix link: <https://gitee.com/openharmony/notification_common_event_service/pulls/245>
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0603
  Related vulnerability: NA
  Description: The update service component in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack".
  Impact: Local attackers can bypass authentication and gain control of the system.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS
  Affected project: update_updateservice
  Fix link: <https://gitee.com/openharmony/update_updateservice/pulls/115>
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0604
  Related vulnerability: NA
  Description: The multimedia subsystem in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack".
  Impact: Local attackers can bypass authentication and gain control of the system.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS
  Affected project: multimedia_media_standard
  Fix link: <https://gitee.com/openharmony/multimedia_media_standard/pulls/567>
  Reference: Reported by OpenHarmony Team

The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third parties.

CVE | Severity | Affected OpenHarmony versions | Fix link
CVE-2022-25313 | Medium | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | <https://gitee.com/openharmony/third_party_expat/pulls/10>
CVE-2022-25314 | High | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | <https://gitee.com/openharmony/third_party_expat/pulls/10>
CVE-2022-25315 | Medium | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | <https://gitee.com/openharmony/third_party_expat/pulls/10>
CVE-2022-25235 | High | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | <https://gitee.com/openharmony/third_party_expat/pulls/10>
CVE-2022-25236 | Critical | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | <https://gitee.com/openharmony/third_party_expat/pulls/10>
CVE-2022-23308 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS | <https://gitee.com/openharmony/third_party_libxml2/pulls/11>
CVE-2022-25375 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/146>
CVE-2022-25258 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/146>
CVE-2022-0435 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/146>
CVE-2022-24959 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/146>
CVE-2021-44879 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/146>
CVE-2022-24958 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/146>
CVE-2021-45402 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/146>
CVE-2021-4160 | Medium | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | <https://gitee.com/openharmony/third_party_openssl/pulls/29>
CVE-2022-0778 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/third_party_openssl/pulls/34>
CVE-2022-0886 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/143>
CVE-2022-1055 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/175>
CVE-2022-0995 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/175>
CVE-2021-39698 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/175>
CVE-2022-0494 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/175>
CVE-2022-1048 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/175>
CVE-2022-1016 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/175>
CVE-2021-39686 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/175>
CVE-2022-0500 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/163>
CVE-2022-28390 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/181>
CVE-2022-28389 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/181>
CVE-2022-28388 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/181>
CVE-2022-28893 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/181>
CVE-2022-1353 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/181>
CVE-2022-29156 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/181>
CVE-2022-28356 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/181>
CVE-2019-16089 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/152>
CVE-2021-4156 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/third_party_libsnd/pulls/10>
CVE-2022-22576 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/third_party_curl/pulls/52>
CVE-2022-27775 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/third_party_curl/pulls/52>
CVE-2022-27776 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/third_party_curl/pulls/52>
CVE-2022-27774 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | <https://gitee.com/openharmony/third_party_curl/pulls/52>
CVE-2021-3520 | Critical | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS | <https://gitee.com/openharmony/third_party_lz4/pulls/2>
CVE-2021-44732 | Critical | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | <https://gitee.com/openharmony/third_party_mbedtls/pulls/31>
CVE-2021-36690 | High | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | <https://gitee.com/openharmony/third_party_sqlite/pulls/4>
CVE-2021-3732 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | <https://gitee.com/openharmony/kernel_linux_5.10/pulls/180>
CVE-2021-22570 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS | <https://gitee.com/openharmony/third_party_protobuf/pulls/26>
CVE-2021-22569 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS | <https://gitee.com/openharmony/third_party_protobuf/pulls/27>
OpenHarmony May Security Bulletin: Security Vulnerabilities in May 2022
by Liuxu (louis) 07 May '22

Security Vulnerabilities in May 2022. Published 2022.5.6

Vulnerability ID | Related vulnerability | Description | Impact | Affected versions | Affected repository | Fix link | Reference
OpenHarmony-SA-2022-0501 | NA | The softbus subsystem has a heap overflow vulnerability. | A local attacker can trigger out-of-bounds memory access and gain control of the system. | OpenHarmony-3.0-LTS | communication_dsoftbus | Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1198> | Reported by OpenHarmony Team
OpenHarmony-SA-2022-0502 | NA | The softbus subsystem has a heap overflow vulnerability when receiving TCP messages. | An attacker on the LAN can achieve remote code execution and gain control of the system. | OpenHarmony-3.0-LTS | communication_dsoftbus | Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1113> | Reported by OpenHarmony Team
OpenHarmony-SA-2022-0503 | NA | The softbus subsystem has an out-of-bounds access vulnerability when processing device synchronization messages. | An attacker on the LAN can cause out-of-bounds memory access, resulting in a DoS. | OpenHarmony-3.0-LTS | communication_dsoftbus | Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1369> | Reported by OpenHarmony Team
OpenHarmony-SA-2022-0504 | NA | A pointer member of the Lock class is subject to a double free. | A local attacker can gain control of the system. | OpenHarmony-3.0-LTS | global_resmgr_standard | Link<https://gitee.com/openharmony/global_resmgr_standard/pulls/136> | Reported by OpenHarmony Team

The following are third-party library vulnerabilities; only the CVE, severity and affected OpenHarmony versions are given. For details, see the third-party bulletins.

CVE | Severity | Affected OpenHarmony versions | Fix link
CVE-2022-0778 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/third_party_openssl/pulls/34>
CVE-2018-25032 | High | OpenHarmony-1.0-LTS, OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/third_party_zlib/pulls/31> Link<https://gitee.com/openharmony/third_party_zlib/pulls/30>
CVE-2021-28714 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/06639c05f98d596690a9…>
CVE-2021-28715 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/2938e8ac18d248567afe…>
CVE-2022-23222 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/4e695c44106d3f0f9908…>
CVE-2022-0185 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/76a954013f985828558d…>
CVE-2021-22600 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/214329f8032e15f72d39…>
CVE-2022-22942 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/9a967f71164cf3b3fc78…>
CVE-2022-0492 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/ea8f5c0c115c8c61a76b…>
CVE-2022-24448 | Low | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/9e4a6ed92bb4e0b964c5…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/af9e3d1a2dc61aa346e3…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/51fef9de52b5b1431cac…>
CVE-2022-0516 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/8ba71b83e7acfbbf351d…>
CVE-2022-0617 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/999c29733c45ac8864c6…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/7d65b9dbe4277bac42eb…>
CVE-2022-0847 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/b4e786c8ebae053b2158…>
CVE-2022-26490 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/141>
CVE-2022-25636 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/62e62125967779009361…>
CVE-2022-26966 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/4b80b2d8eba4d9df430b…>
CVE-2022-1011 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/013bad7096d7bee6a3be…>
CVE-2022-27223 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/5939446d63ddecefdbe3…>

Security Vulnerabilities in May 2022. Published May 6, 2022

Vulnerability ID | Related vulnerability | Vulnerability description | Vulnerability impact | Affected versions | Affected projects | Fix link | Reference
OpenHarmony-SA-2022-0501 | NA | The softbus subsystem in OpenHarmony has a heap overflow vulnerability. | Local attackers can overwrite the memory and get system control. | OpenHarmony-3.0-LTS | communication_dsoftbus | Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1198> | Reported by OpenHarmony Team
OpenHarmony-SA-2022-0502 | NA | The softbus subsystem in OpenHarmony has a heap overflow vulnerability when receiving a TCP message. | LAN attackers can achieve remote code execution (RCE) and get system control. | OpenHarmony-3.0-LTS | communication_dsoftbus | Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1113> | Reported by OpenHarmony Team
OpenHarmony-SA-2022-0503 | NA | The softbus subsystem in OpenHarmony has an out-of-bounds access vulnerability when handling a synchronization message from another device. | Local attackers can elevate permissions to SYSTEM. | OpenHarmony-3.0-LTS | communication_dsoftbus | Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1369> | Reported by OpenHarmony Team
OpenHarmony-SA-2022-0504 | NA | The class Lock in OpenHarmony has a double free vulnerability. | Local attackers can elevate permissions to SYSTEM. | OpenHarmony-3.0-LTS | global_resmgr_standard | Link<https://gitee.com/openharmony/global_resmgr_standard/pulls/136> | Reported by OpenHarmony Team

The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by the third parties.

CVE | Severity | Affected OpenHarmony versions | Fix link
CVE-2022-0778 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/third_party_openssl/pulls/34>
CVE-2018-25032 | High | OpenHarmony-1.0-LTS, OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/third_party_zlib/pulls/31> Link<https://gitee.com/openharmony/third_party_zlib/pulls/30>
CVE-2021-28714 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/06639c05f98d596690a9…>
CVE-2021-28715 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/2938e8ac18d248567afe…>
CVE-2022-23222 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/4e695c44106d3f0f9908…>
CVE-2022-0185 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/76a954013f985828558d…>
CVE-2021-22600 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/214329f8032e15f72d39…>
CVE-2022-22942 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/9a967f71164cf3b3fc78…>
CVE-2022-0492 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/ea8f5c0c115c8c61a76b…>
CVE-2022-24448 | Low | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/9e4a6ed92bb4e0b964c5…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/af9e3d1a2dc61aa346e3…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/51fef9de52b5b1431cac…>
CVE-2022-0516 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/8ba71b83e7acfbbf351d…>
CVE-2022-0617 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/999c29733c45ac8864c6…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/7d65b9dbe4277bac42eb…>
CVE-2022-0847 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/b4e786c8ebae053b2158…>
CVE-2022-26490 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/141>
CVE-2022-25636 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/62e62125967779009361…>
CVE-2022-26966 | Medium | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/4b80b2d8eba4d9df430b…>
CVE-2022-1011 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/013bad7096d7bee6a3be…>
CVE-2022-27223 | High | OpenHarmony-3.0-LTS | Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/5939446d63ddecefdbe3…>