Security Vulnerabilities in October 2022 published October 11,2022 updated October 11,2022 Vulnerability ID related Vulnerability Vulnerability Description Vulnerability Impact CVSS3.1 Base Score affected versions affected projects fix link reference OpenHarmony-SA-2022-1001 CVE-2022-42488 Startup subsystem missed permission validation in param service. Local attackers can install an malicious application on the device to elevate its privileges to the root user, disable security features, or cause DoS by disabling particular services. 8.4 OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release startup_init_lite 3.1.x<https://gitee.com/openharmony/startup_init_lite/pulls/1104> 3.1.x<https://gitee.com/openharmony/startup_init_lite/pulls/1074> Reported by OpenHarmony Team OpenHarmony-SA-2022-1002 CVE-2022-42464 Kernel memory pool override in /dev/mmz_userdev device driver If the processes with system UID run on the device, local attackers would be able to mmap memory pools used by kernel and override them which could be used to gain kernel code execution on the device, gain root privileges, or cause device reboot. 6.7 OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS device_board_hisilicon device_hisilicon_hi3516dv300 3.0.x<https://gitee.com/openharmony/device_board_hisilicon/pulls/135> 3.1.x<https://gitee.com/openharmony/device_hisilicon_hi3516dv300/pulls/87> Reported by OpenHarmony Team OpenHarmony-SA-2022-1003 CVE-2022-41686 Out-of-bound memory read and write in /dev/mmz_userdev device driver. If the processes with system user UID run on the device, local attackers would be able to write out-of-bound memory which could lead to unspecified memory corruption. 5.1 OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS device_board_hisilicon device_hisilicon_hispark_taurus 3.1.x<https://gitee.com/openharmony/device_soc_hisilicon/pulls/287> 3.0.x<https://gitee.com/openharmony/device_hisilicon_hispark_taurus/pulls/127> Reported by OpenHarmony Team OpenHarmony-SA-2022-1004 CVE-2022-42463 Softbus_server in communication subsystem has an authentication bypass vulnerability in a callback handler function. Attackers can launch attacks on distributed networks by sending Bluetooth rfcomm packets to any remote device and executing arbitrary commands. 8.3 OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release communication_dsoftbus 3.1.x<https://gitee.com/openharmony/communication_dsoftbus/pulls/2348> Reported by OpenHarmony Team The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties. CVE severity affected OpenHarmony versions fix link CVE-2022-27405 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS OpenHarmony-v1.1.0-release through OpenHarmony-v1.1.5-LTS 3.1.x<https://gitee.com/openharmony/third_party_freetype/pulls/32> 3.0.x<https://gitee.com/openharmony/third_party_freetype/pulls/31> 1.1.x<https://gitee.com/openharmony/third_party_freetype/pulls/30> CVE-2022-2959 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/428> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/436> CVE-2022-2991 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/428> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/436> CVE-2022-2938 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/430> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/434> CVE-2022-2586 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/427> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/402> CVE-2022-2588 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/426> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/402> CVE-2022-2585 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/426> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/402> CVE-2022-2503 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/431> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/435> CVE-2022-20369 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/426> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/402> CVE-2022-20368 Critical OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/426> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/402> CVE-2022-2639 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/423> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/392> CVE-2022-36123 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/426> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/402> CVE-2022-36946 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/423> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/392> CVE-2022-36879 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/423> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/369> CVE-2022-2327 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/423> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/392> CVE-2022-21505 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/423> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/368> CVE-2021-33655 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/423> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/392> CVE-2021-33656 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/437> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/369> CVE-2022-2861 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2860 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2613 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2612 Low OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2610 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2607 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2606 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2624 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2623 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2620 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2619 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2617 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2616 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2615 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-2614 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/web_webview/pulls/274> CVE-2022-35737 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS 3.1.x<https://gitee.com/openharmony/third_party_sqlite/pulls/38> 3.0.x<https://gitee.com/openharmony/third_party_sqlite/pulls/37> CVE-2022-2415 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/third_party_chromium/pulls/35> CVE-2022-1919 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/third_party_chromium/pulls/35> CVE-2022-35252 Low OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS OpenHarmony-v1.1.0-release through OpenHarmony-v1.1.5-LTS 3.1.x<https://gitee.com/openharmony/third_party_curl/pulls/83> 3.0.x<https://gitee.com/openharmony/third_party_curl/pulls/85> 1.1.x<https://gitee.com/openharmony/third_party_curl/pulls/86> CVE-2022-3028 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/440> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/442> CVE-2022-2977 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/440> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/442> CVE-2022-2964 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/440> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/442> CVE-2022-39188 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/450> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/477> CVE-2022-3078 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/450> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/477> CVE-2022-2905 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/450> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/477> CVE-2022-39842 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/450> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/477> CVE-2022-3061 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/443> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/444> CVE-2021-29921 Critical OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/19> CVE-2022-0391 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/23> CVE-2021-3737 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/20> CVE-2021-4189 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/21> CVE-2021-3733 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/22> CVE-2021-28861 High OpenHarmony-v3.1-Release through OpenHarmony-v3.1.2-Release 3.1.x<https://gitee.com/openharmony/third_party_python/pulls/24> CVE-2022-40307 Medium OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS 3.1.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/463> 3.0.x<https://gitee.com/openharmony/kernel_linux_5.10/pulls/464>