Security-bulletin

Thread Start a new thread

security@openharmony.io

31 discussions

OpenHarmony5月安全公告 Security Vulnerabilities in May 2022
by Liuxu (louis) 07 May '22

07 May '22

2022年5月安全漏洞发布于2022.5.6 漏洞编号相关漏洞漏洞描述漏洞影响受影响的版本受影响的仓库修复链接参考链接 OpenHarmony-SA-2022-0501 NA 软总线子系统存在堆溢出漏洞。攻击者可在本地发起攻击，造成内存访问越界，可获取系统控制权。 OpenHarmony-3.0-LTS communication_dsoftbus 链接<https://gitee.com/openharmony/communication_dsoftbus/pulls/1198> 本项目组上报 OpenHarmony-SA-2022-0502 NA 软总线子系统在接收TCP消息时存在堆溢出漏洞。攻击者可在局域网内发起攻击，进行远程代码执行，获得系统控制权。 OpenHarmony-3.0-LTS communication_dsoftbus 链接<https://gitee.com/openharmony/communication_dsoftbus/pulls/1113> 本项目组上报 OpenHarmony-SA-2022-0503 NA 软总线处理设备同步消息时存在越界访问漏洞。攻击者可在局域网内发起攻击，可造成内存访问越界，造成DoS攻击。 OpenHarmony-3.0-LTS communication_dsoftbus 链接<https://gitee.com/openharmony/communication_dsoftbus/pulls/1369> 本项目组上报 OpenHarmony-SA-2022-0504 NA Lock类包含的一个指针成员存在重复释放问题。攻击者可在本地发起攻击，可获取系统控制权。 OpenHarmony-3.0-LTS global_resmgr_standard 链接<https://gitee.com/openharmony/global_resmgr_standard/pulls/136> 本项目组上报以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本，详细信息请参考三方公告。 CVE 严重程度受影响的OpenHarmony版本修复链接 CVE-2022-0778 中 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/third_party_openssl/pulls/34> CVE-2018-25032 高 OpenHarmony-1.0-LTS OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/third_party_zlib/pulls/31> 链接<https://gitee.com/openharmony/third_party_zlib/pulls/30> CVE-2021-28714 中 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/06639c05f98d596690a9…> CVE-2021-28715 中 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/2938e8ac18d248567afe…> CVE-2022-23222 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/4e695c44106d3f0f9908…> CVE-2022-0185 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/76a954013f985828558d…> CVE-2021-22600 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/214329f8032e15f72d39…> CVE-2022-22942 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/9a967f71164cf3b3fc78…> CVE-2022-0492 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/ea8f5c0c115c8c61a76b…> CVE-2022-24448 低 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/9e4a6ed92bb4e0b964c5…> 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/af9e3d1a2dc61aa346e3…> 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/51fef9de52b5b1431cac…> CVE-2022-0516 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/8ba71b83e7acfbbf351d…> CVE-2022-0617 中 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/999c29733c45ac8864c6…> 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/7d65b9dbe4277bac42eb…> CVE-2022-0847 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/b4e786c8ebae053b2158…> CVE-2022-26490 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/pulls/141> CVE-2022-25636 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/62e62125967779009361…> CVE-2022-26966 中 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/4b80b2d8eba4d9df430b…> CVE-2022-1011 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/013bad7096d7bee6a3be…> CVE-2022-27223 高 OpenHarmony-3.0-LTS 链接<https://gitee.com/openharmony/kernel_linux_5.10/commit/5939446d63ddecefdbe3…> Security Vulnerabilities in May 2022 published May 6,2022 Vulnerability ID related Vulnerability Vulnerability Descripton Vulnerability Impact affected versions affected projects fix link reference OpenHarmony-SA-2022-0501 NA The softbus subsystem in OpenHarmony has a heap overflow vulnerability. Local attackers can overwrite the memory and get system control. OpenHarmony-3.0-LTS communication_dsoftbus Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1198> Reported by OpenHarmony Team OpenHarmony-SA-2022-0502 NA The softbus subsystem in OpenHarmony has a heap overflow vulnerability when receive a tcp message. LAN attackers can lead to remote code execution(RCE) and get system control. OpenHarmony-3.0-LTS communication_dsoftbus Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1113> Reported by OpenHarmony Team OpenHarmony-SA-2022-0503 NA The softbus subsystem in OpenHarmony has an out-of-bounds access vulnerability when handle a synchronized message from another device. Local attackers can elevate permissions to SYSTEM. OpenHarmony-3.0-LTS communication_dsoftbus Link<https://gitee.com/openharmony/communication_dsoftbus/pulls/1369> Reported by OpenHarmony Team OpenHarmony-SA-2022-0504 NA The calss Lock in OpenHarmony has a double free vulnerability. Local attackers can elevate permissions to SYSTEM. OpenHarmony-3.0-LTS global_resmgr_standard Link<https://gitee.com/openharmony/global_resmgr_standard/pulls/136> Reported by OpenHarmony Team The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties. CVE severity affected OpenHarmony versions fix link CVE-2022-0778 Medium OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/third_party_openssl/pulls/34> CVE-2018-25032 High OpenHarmony-1.0-LTS OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/third_party_zlib/pulls/31> Link<https://gitee.com/openharmony/third_party_zlib/pulls/30> CVE-2021-28714 Medium OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/06639c05f98d596690a9…> CVE-2021-28715 Medium OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/2938e8ac18d248567afe…> CVE-2022-23222 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/4e695c44106d3f0f9908…> CVE-2022-0185 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/76a954013f985828558d…> CVE-2021-22600 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/214329f8032e15f72d39…> CVE-2022-22942 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/9a967f71164cf3b3fc78…> CVE-2022-0492 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/ea8f5c0c115c8c61a76b…> CVE-2022-24448 Low OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/9e4a6ed92bb4e0b964c5…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/af9e3d1a2dc61aa346e3…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/51fef9de52b5b1431cac…> CVE-2022-0516 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/8ba71b83e7acfbbf351d…> CVE-2022-0617 Medium OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/999c29733c45ac8864c6…> Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/7d65b9dbe4277bac42eb…> CVE-2022-0847 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/b4e786c8ebae053b2158…> CVE-2022-26490 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/pulls/141> CVE-2022-25636 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/62e62125967779009361…> CVE-2022-26966 Medium OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/4b80b2d8eba4d9df430b…> CVE-2022-1011 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/013bad7096d7bee6a3be…> CVE-2022-27223 High OpenHarmony-3.0-LTS Link<https://gitee.com/openharmony/kernel_linux_5.10/commit/5939446d63ddecefdbe3…>

1 0