OpenHarmony Security Vulnerabilities in January 2023

Published January 3, 2023. Last updated January 3, 2023.

| Vulnerability ID | Related Vulnerability | Vulnerability Description | Vulnerability Impact | CVSS 3.1 Base Score | Affected Versions | Affected Projects | Fix Link | Reference |
|---|---|---|---|---|---|---|---|---|
| OpenHarmony-SA-2023-0101 | CVE-2023-0035 | softbus_client_stub in the communication subsystem has an authentication bypass vulnerability which allows an "SA relay attack". | Local attackers can bypass authentication and attack other SAs with high privilege. | 6.5 | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | communication_dsoftbus | 3.0.x: https://gitee.com/openharmony/communication_dsoftbus/pulls/2140 | Reported by OpenHarmony Team |
| OpenHarmony-SA-2023-0102 | CVE-2023-0036 | platform_callback_stub in the misc subsystem has an authentication bypass vulnerability which allows an "SA relay attack". | Local attackers can bypass authentication and attack other SAs with high privilege. | 6.5 | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS | inputmethod_imf | 3.0.x: https://gitee.com/openharmony/inputmethod_imf/pulls/228 | Reported by OpenHarmony Team |

The following table lists the third-party library vulnerabilities, with only the CVE, severity, affected OpenHarmony versions and fix link provided. For more details, see the security bulletins released by the third parties.

| CVE | Severity | Affected OpenHarmony Versions | Fix Link |
|---|---|---|---|
| CVE-2021-3782 | Critical | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.0.x: https://gitee.com/openharmony/third_party_wayland_standard/pulls/22 |
| CVE-2022-3046 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3041 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3040 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3039 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3038 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3057 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3195 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3054 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3075 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/349 |
| CVE-2022-3373 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3370 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3311 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3316 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3315 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-3304 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/web_webview/pulls/464 |
| CVE-2022-43680 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.1.x: https://gitee.com/openharmony/third_party_expat/pulls/23; 3.0.x: https://gitee.com/openharmony/third_party_expat/pulls/22 |
| CVE-2022-32221 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.1.x: https://gitee.com/openharmony/third_party_curl/pulls/91; 3.0.x: https://gitee.com/openharmony/third_party_curl/pulls/90 |
| CVE-2022-42916 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.1.x: https://gitee.com/openharmony/third_party_curl/pulls/91; 3.0.x: https://gitee.com/openharmony/third_party_curl/pulls/90 |
| CVE-2022-42915 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.6-LTS | 3.1.x: https://gitee.com/openharmony/third_party_curl/pulls/91; 3.0.x: https://gitee.com/openharmony/third_party_curl/pulls/90 |
| CVE-2022-44638 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/third_party_pixman/pulls/11; 3.0.x: https://gitee.com/openharmony/third_party_pixman/pulls/12 |
| CVE-2022-40284 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/third_party_ntfs-3g/pulls/33 |
| CVE-2022-40303 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/third_party_libxml2/pulls/31; 3.0.x: https://gitee.com/openharmony/third_party_libxml2/pulls/32 |
| CVE-2022-40304 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/third_party_libxml2/pulls/31; 3.0.x: https://gitee.com/openharmony/third_party_libxml2/pulls/32 |
| CVE-2022-37454 | Critical | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/third_party_python/pulls/35 |
| CVE-2022-42919 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/third_party_python/pulls/36 |
| CVE-2022-45061 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release | 3.1.x: https://gitee.com/openharmony/third_party_python/pulls/37 |
| CVE-2020-10735 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.3-Release | 3.1.x: https://gitee.com/openharmony/third_party_python/pulls/26 |
| CVE-2022-3169 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/553; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/561 |
| CVE-2022-42895 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/544; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/545 |
| CVE-2022-42896 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/544; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/545 |
| CVE-2022-41858 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/569; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/570 |
| CVE-2022-45934 | Medium | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/586; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/587 |
| CVE-2022-4139 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/567; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/568 |
| CVE-2022-20566 | Low | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/582; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/583 |
| CVE-2022-4378 | High | OpenHarmony-v3.1-Release through OpenHarmony-v3.1.4-Release; OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.7-LTS | 3.1.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/586; 3.0.x: https://gitee.com/openharmony/kernel_linux_5.10/pulls/587 |