OpenHarmony June Security Bulletin: Security Vulnerabilities in June 2022

Published June 6, 2022

| Vulnerability ID | Related vulnerability | Description | Impact | Affected versions | Affected repository | Fix link | Reference |
|---|---|---|---|---|---|---|---|
| OpenHarmony-SA-2022-0601 | NA | The notification subsystem in OpenHarmony has an authentication bypass vulnerability when deserializing an object. | Local attackers can bypass authentication and crash the server process. | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | notification_ces_standard | https://gitee.com/openharmony/notification_common_event_service/pulls/269 | Reported by OpenHarmony Team |
| OpenHarmony-SA-2022-0602 | NA | The notification subsystem in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack". | Local attackers can bypass authentication and get system control. | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | notification_ces_standard | https://gitee.com/openharmony/notification_common_event_service/pulls/245 | Reported by OpenHarmony Team |
| OpenHarmony-SA-2022-0603 | NA | The updateservice in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack". | Local attackers can bypass authentication and get system control. | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | update_updateservice | https://gitee.com/openharmony/update_updateservice/pulls/115 | Reported by OpenHarmony Team |
| OpenHarmony-SA-2022-0604 | NA | The multimedia subsystem in OpenHarmony has an authentication bypass vulnerability which allows an "SA relay attack". | Local attackers can bypass authentication and get system control. | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | multimedia_media_standard | https://gitee.com/openharmony/multimedia_media_standard/pulls/567 | Reported by OpenHarmony Team |

The following table lists the third-party library vulnerabilities, giving only the CVE, severity, affected OpenHarmony versions and fix link. For details, see the security bulletins released by the respective third parties.

| CVE | Severity | Affected OpenHarmony versions | Fix link |
|---|---|---|---|
| CVE-2022-25313 | Medium | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | https://gitee.com/openharmony/third_party_expat/pulls/10 |
| CVE-2022-25314 | High | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | https://gitee.com/openharmony/third_party_expat/pulls/10 |
| CVE-2022-25315 | Medium | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | https://gitee.com/openharmony/third_party_expat/pulls/10 |
| CVE-2022-25235 | High | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | https://gitee.com/openharmony/third_party_expat/pulls/10 |
| CVE-2022-25236 | Critical | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | https://gitee.com/openharmony/third_party_expat/pulls/10 |
| CVE-2022-23308 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS | https://gitee.com/openharmony/third_party_libxml2/pulls/11 |
| CVE-2022-25375 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/146 |
| CVE-2022-25258 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/146 |
| CVE-2022-0435 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/146 |
| CVE-2022-24959 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/146 |
| CVE-2021-44879 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/146 |
| CVE-2022-24958 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/146 |
| CVE-2021-45402 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/146 |
| CVE-2021-4160 | Medium | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | https://gitee.com/openharmony/third_party_openssl/pulls/29 |
| CVE-2022-0778 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/third_party_openssl/pulls/34 |
| CVE-2022-0886 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/143 |
| CVE-2022-1055 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/175 |
| CVE-2022-0995 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/175 |
| CVE-2021-39698 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/175 |
| CVE-2022-0494 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/175 |
| CVE-2022-1048 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/175 |
| CVE-2022-1016 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/175 |
| CVE-2021-39686 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/175 |
| CVE-2022-0500 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/163 |
| CVE-2022-28390 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/181 |
| CVE-2022-28389 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/181 |
| CVE-2022-28388 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/181 |
| CVE-2022-28893 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/181 |
| CVE-2022-1353 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/181 |
| CVE-2022-29156 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/181 |
| CVE-2022-28356 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/kernel_linux_5.10/pulls/181 |
| CVE-2019-16089 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/152 |
| CVE-2021-4156 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/third_party_libsnd/pulls/10 |
| CVE-2022-22576 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/third_party_curl/pulls/52 |
| CVE-2022-27775 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/third_party_curl/pulls/52 |
| CVE-2022-27776 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/third_party_curl/pulls/52 |
| CVE-2022-27774 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS and OpenHarmony-v3.1-Release | https://gitee.com/openharmony/third_party_curl/pulls/52 |
| CVE-2021-3520 | Critical | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS | https://gitee.com/openharmony/third_party_lz4/pulls/2 |
| CVE-2021-44732 | Critical | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | https://gitee.com/openharmony/third_party_mbedtls/pulls/31 |
| CVE-2021-36690 | High | OpenHarmony-v3.0-LTS and OpenHarmony-v3.0.1-LTS | https://gitee.com/openharmony/third_party_sqlite/pulls/4 |
| CVE-2021-3732 | Low | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS | https://gitee.com/openharmony/kernel_linux_5.10/pulls/180 |
| CVE-2021-22570 | High | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS | https://gitee.com/openharmony/third_party_protobuf/pulls/26 |
| CVE-2021-22569 | Medium | OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.2-LTS | https://gitee.com/openharmony/third_party_protobuf/pulls/27 |