[Security-bulletin] 2024年4月安全公告

2 Apr 2024


      发布于2024.04.02
CVE漏洞描述漏洞影响严重程度受影响的版本受影响的仓库修复链接
CVE-2024-21834Arkui类型混淆漏洞本地攻击者通过本漏洞造成app crash低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasearkui_ace_engine3.2.x
CVE-2024-22177Audio权限管理不当漏洞本地攻击者通过本漏洞造成app crash低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasemultimedia_audio_framework3.2.x
CVE-2024-22098AVSession释放后使用漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasemultimedia_av_session3.2.x
CVE-2024-22180Camera释放后使用漏洞本地攻击者通过本漏洞造成DOS低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasemultimedia_camera_framework3.2.x 4.0.x
CVE-2024-29074Telephony入参检测不完善漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasetelephony_cellular_call3.2.x 3.2.x
CVE-2024-22092包管理权限管理不当漏洞远程攻击者通过本漏洞绕过管控安装应用, 但需要本地用户的交互高危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasebundlemanager_bundle_framework3.2.x
CVE-2024-24581方舟eTS运行时越界写漏洞本地攻击者通过本漏洞可在任意应用中执行代码中危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasearkcompiler_ets_runtime3.2.x 4.0.x
CVE-2024-28226文件系统入参检测不完善漏洞远程攻击者通过本漏洞造成DOS高危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Releasekernel_linux_5.103.2.x 4.0.x
CVE-2024-28951方舟eTS运行时释放后使用漏洞本地攻击者通过本漏洞可在预装应用中执行代码中危OpenHarmony-v4.0-Releasearkcompiler_ets_runtime4.0.x
CVE-2024-29086方舟eTS运行时栈溢出漏洞本地攻击者通过本漏洞造成DOS低危OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Releasearkcompiler_ets_runtime3.2.x


以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本
CVE严重程度CVSS 3.1 得分受影响的仓库受影响的OpenHarmony版本修复链接
CVE-2024-0641中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2022-48619中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2023-39197中危4.0kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-0584中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2023-46343中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-23851中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-23850中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-23849中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-0639中危5.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-0775高危7.1kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2023-51043高危7.0kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2023-52340高危7.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2023-46838高危7.5kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2022-2503中危6.7kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2014-0069高危8.4kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-1086高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2015-5157高危8.4kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2021-46958高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-25062高危7.5third_party_libxml2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-24806致命9.8third_party_libuvOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-22195中危6.1third_party_jinja2OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-0814中危6.5third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2024-0810中危4.3third_party_chromiumOpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x
CVE-2023-6040高危7.8kernel_linux_5.10OpenHarmony-v3.2-Release到OpenHarmony-v3.2.4-Release OpenHarmony-v4.0-Release4.0.x 3.2.x

请在合入当月及之前全部已公开安全补丁之后，参考如下各维护版本的安全补丁标签更新方法，更新安全补丁标签至04月。


对应维护版本安全补丁修改方式参考链接
3.2.xhttps://gitee.com/openharmony/startup_init/pulls/2633
4.0.xhttps://gitee.com/openharmony/startup_init/pulls/2632

[Security-bulletin] 2024年4月安全公告

王晨