Security Vulnerabilities in January 2023

Published January 3, 2023. Last updated January 3, 2023.

OpenHarmony vulnerabilities

| Vulnerability ID | Related vulnerability | Description | Impact | CVSS 3.1 base score | Affected versions | Affected repository | Fix link | Reference |
|---|---|---|---|---|---|---|---|---|
| OpenHarmony-SA-2023-0101 | CVE-2023-0035 | softbus_client_stub in the soft bus component of the communication subsystem has a verification bypass vulnerability that allows an "SA relay attack". | A local attacker can bypass the check and use it to escalate privilege and attack other SAs (system abilities). | 6.5 | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | communication_dsoftbus | 3.0.x: https://gitee.com/openharmony/communication_dsoftbus/pulls/2140 | Reported by the OpenHarmony team |
| OpenHarmony-SA-2023-0102 | CVE-2023-0036 | platform_callback_stub in the input method component of the misc subsystem has a verification bypass vulnerability that allows an "SA relay attack". | A local attacker can bypass the check and use it to escalate privilege and attack other SAs (system abilities). | 6.5 | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | inputmethod_imf | 3.0.x: https://gitee.com/openharmony/inputmethod_imf/pulls/228 | Reported by the OpenHarmony team |

Third-party library vulnerabilities

The following table lists third-party library vulnerabilities. Only the CVE, severity, affected OpenHarmony versions and the OpenHarmony fix link are given; for details, see the security bulletins published by the respective third parties.

| CVE | Severity | Affected OpenHarmony versions | Fix link |
|---|---|---|---|
| CVE-2021-3782 | Critical | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.0.x: https://gitee.com/openharmony/third_party_wayland_standard/pulls/22 |
| CVE-2022-3046 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3041 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3040 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3039 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3038 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3057 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3195 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3054 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3075 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3373 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3370 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3311 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3316 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3315 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3304 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-43680 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.1.x: https://gitee.com/openharmony/third_party_expat/pulls/23; 3.0.x: https://gitee.com/openharmony/third_party_expat/pulls/22 |
| CVE-2022-32221 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.1.x: https://gitee.com/openharmony/third_party_curl/pulls/91; 3.0.x: https://gitee.com/openharmony/third_party_curl/pulls/90 |
| CVE-2022-42916 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.1.x: https://gitee.com/openharmony/third_party_curl/pulls/91; 3.0.x: https://gitee.com/openharmony/third_party_curl/pulls/90 |
| CVE-2022-42915 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.1.x: https://gitee.com/openharmony/third_party_curl/pulls/91; 3.0.x: https://gitee.com/openharmony/third_party_curl/pulls/90 |
| CVE-2022-44638 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/third_party_pixman/pulls/11; 3.0.x: https://gitee.com/openharmony/third_party_pixman/pulls/12 |
| CVE-2022-40284 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/third_party_ntfs-3g/pulls/33 |
| CVE-2022-40303 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/third_party_libxml2/pulls/31; 3.0.x: https://gitee.com/openharmony/third_party_libxml2/pulls/32 |
| CVE-2022-40304 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/third_party_libxml2/pulls/31; 3.0.x: https://gitee.com/openharmony/third_party_libxml2/pulls/32 |
| CVE-2022-37454 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/third_party_python/pulls/35 |
| CVE-2022-42919 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/third_party_python/pulls/36 |
| CVE-2022-45061 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/third_party_python/pulls/37 |
| CVE-2020-10735 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/third_party_python/pulls/26 |
| CVE-2022-3169 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/553; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/561 |
| CVE-2022-42895 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/544; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/545 |
| CVE-2022-42896 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/544; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/545 |
| CVE-2022-41858 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/569; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/570 |
| CVE-2022-45934 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/586; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/587 |
| CVE-2022-4139 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/567; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/568 |
| CVE-2022-20566 | Low | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/582; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/583 |
| CVE-2022-4378 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/586; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/587 |

Note that the affected ranges differ per CVE even within the same repository (for example, the expat and webview rows end at v3.1.3 while the curl rows run to v3.1.4), so a deployment should be compared against each row rather than against the newest version named on the page.
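The two OpenHarmony-SA entries describe the same class of defect: an IPC stub that processes a request without first confirming that the parcel was addressed to its own interface, which lets a request meant for one interface be relayed, with the relaying service's privileged identity, into a sensitive stub. The example below is an added illustration written for this page, not code from communication_dsoftbus or inputmethod_imf, and it does not claim to reproduce what the linked pull requests changed. It models in self-contained C++ a parcel, a privileged service that invokes a client-registered remote object, and a sensitive stub in two forms: one that authorizes on caller identity alone, and one that first compares the parcel's interface token with its own descriptor. All type names, error codes and interface strings (MessageParcel, Caller, OHOS.demo.ITarget and so on) are hypothetical stand-ins for this demo.

```cpp
// Added illustration, not OpenHarmony code: an IPC stub with and without the
// interface-token (descriptor) check, and a privileged service that invokes a
// client-supplied remote object. All names and error codes are hypothetical.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

namespace demo {

constexpr int ERR_NONE = 0;
constexpr int ERR_INVALID_STATE = -1;      // assumed error codes for this demo
constexpr int ERR_PERMISSION_DENIED = -2;

// Stand-in for an IPC parcel: the sender writes the token of the interface it
// believes it is calling, followed by the arguments.
struct MessageParcel {
    std::string interfaceToken;
    std::vector<std::string> args;
};

// Identity the IPC layer attaches to a request. In a relay, the request reaches
// the target stub carrying the privileged service's identity, not the attacker's.
struct Caller {
    std::string name;
    bool privileged;
};

struct IRemoteStub {
    virtual ~IRemoteStub() = default;
    virtual std::string GetDescriptor() const = 0;
    virtual int OnRemoteRequest(uint32_t code, const MessageParcel& data, const Caller& caller) = 0;
};

// Sensitive stub. Code 1 performs a privileged operation on a caller-chosen argument.
// Vulnerable form: it authorizes on caller identity alone and never checks that
// the parcel was actually addressed to its own interface.
class TargetStubUnchecked : public IRemoteStub {
public:
    std::vector<std::string> executed;   // record of privileged operations performed
    std::string GetDescriptor() const override { return "OHOS.demo.ITarget"; }
    int OnRemoteRequest(uint32_t code, const MessageParcel& data, const Caller& caller) override {
        if (!caller.privileged) return ERR_PERMISSION_DENIED;
        return Dispatch(code, data);
    }
protected:
    int Dispatch(uint32_t code, const MessageParcel& data) {
        if (code == 1 && !data.args.empty()) {
            executed.push_back("op1:" + data.args[0]);
            return ERR_NONE;
        }
        return ERR_INVALID_STATE;
    }
};

// Hardened form: reject any parcel whose interface token is not ours before
// looking at the caller or the code. A relayed parcel carries the token of the
// interface the privileged service thought it was calling, so it fails here.
class TargetStubChecked : public TargetStubUnchecked {
public:
    int OnRemoteRequest(uint32_t code, const MessageParcel& data, const Caller& caller) override {
        if (data.interfaceToken != GetDescriptor()) return ERR_INVALID_STATE;
        if (!caller.privileged) return ERR_PERMISSION_DENIED;
        return Dispatch(code, data);
    }
};

// A privileged system ability that notifies a client through a remote object the
// client registered. It writes its callback interface's token, and the request is
// delivered with the service's own (privileged) identity.
class PrivilegedService {
public:
    explicit PrivilegedService(IRemoteStub& callback) : callback_(callback) {}
    int NotifyClient(const std::string& event) {
        MessageParcel data;
        data.interfaceToken = "OHOS.demo.IClientCallback";
        data.args = {event};
        Caller self{"privileged_sa", true};
        // Callback code 1 collides with the target's code 1 in this demo; in practice
        // an attacker picks a target whose code numbering overlaps usefully.
        return callback_.OnRemoteRequest(1, data, self);
    }
private:
    IRemoteStub& callback_;
};

// Relay: the attacker registers a handle to the sensitive stub as its "callback",
// then triggers the notification. Returns the stub's result code.
inline int RunRelay(TargetStubUnchecked& target) {
    PrivilegedService svc(target);
    return svc.NotifyClient("attacker_chosen_arg");
}

}  // namespace demo

int main() {
    demo::TargetStubUnchecked weak;
    demo::TargetStubChecked hardened;
    std::cout << "unchecked stub: rc=" << demo::RunRelay(weak)
              << " executed=" << weak.executed.size() << "\n";     // rc=0, executed=1
    std::cout << "checked stub:   rc=" << demo::RunRelay(hardened)
              << " executed=" << hardened.executed.size() << "\n"; // rc=-1, executed=0
    return 0;
}
```

The point of ordering the checks this way is that the caller-identity check is satisfied by construction in a relay, since the request really does come from a privileged process; only the interface token still carries evidence of where the request was meant to go, so it has to be compared before anything else in OnRemoteRequest. When auditing a stub, look for exactly this: a descriptor comparison at the very top of the request handler, ahead of permission checks and code dispatch.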