OpenHarmony Security Bulletin: Security Vulnerabilities in August 2022

Published August 2, 2022

OpenHarmony vulnerabilities

Each entry lists: vulnerability ID, related vulnerability, vulnerability description, vulnerability impact, affected versions, affected projects, fix link, and reference.

OpenHarmony-SA-2022-0801
  Related vulnerability: NA
  Description: DecodeUCS2Data in the telephony_sms_mms component of the telephony subsystem has a DoS vulnerability.
  Impact: An attacker on the network can trigger an invalid memory access and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Affected project: telephony_sms_mms
  Fix link: 3.0.x https://gitee.com/openharmony/telephony_sms_mms/pulls/404 ; 3.1.x https://gitee.com/openharmony/telephony_sms_mms/pulls/355
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0802
  Related vulnerability: NA
  Description: DecodeGSMData in the telephony_sms_mms component of the telephony subsystem has a DoS vulnerability.
  Impact: An attacker on the network can trigger an invalid memory access and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Affected project: telephony_sms_mms
  Fix link: 3.0.x https://gitee.com/openharmony/telephony_sms_mms/pulls/404 ; 3.1.x https://gitee.com/openharmony/telephony_sms_mms/pulls/355
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0803
  Related vulnerability: NA
  Description: DecodeAddress in the telephony_sms_mms component of the telephony subsystem has a DoS vulnerability.
  Impact: An attacker on the network can trigger an invalid memory access and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Affected project: telephony_sms_mms
  Fix link: 3.0.x https://gitee.com/openharmony/telephony_sms_mms/pulls/404 ; 3.1.x https://gitee.com/openharmony/telephony_sms_mms/pulls/355
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0804
  Related vulnerability: NA
  Description: Decode8bitData in the telephony_sms_mms component of the telephony subsystem has a DoS vulnerability.
  Impact: An attacker on the network can trigger an invalid memory access and crash the process.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Affected project: telephony_sms_mms
  Fix link: 3.0.x https://gitee.com/openharmony/telephony_sms_mms/pulls/404 ; 3.1.x https://gitee.com/openharmony/telephony_sms_mms/pulls/355
  Reference: Reported by OpenHarmony Team

OpenHarmony-SA-2022-0806
  Related vulnerability: NA
  Description: The SendMessage interface of the distributed soft bus (dsoftbus) component in the communication subsystem has a vulnerability that allows the permission check to be bypassed.
  Impact: A local attacker can bypass the permission check and then write arbitrary data to devices on the local network.
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Affected project: communication_dsoftbus
  Fix link: 3.0.x https://gitee.com/openharmony/communication_dsoftbus/pulls/1668
  Reference: Reported by OpenHarmony Team

Third-party library vulnerabilities

The following entries list third-party library vulnerabilities; only the CVE, severity, affected OpenHarmony versions and fix links are provided. For details, see the security bulletins released by the respective third parties.

CVE-2022-1729 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/255 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/299

CVE-2022-29581 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/255 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/299

CVE-2022-20008 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/241 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/214

CVE-2022-1195 (Medium)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/241 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/214

CVE-2022-1516 (Medium)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/241 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/214

CVE-2022-30594 (Medium)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/241 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/214

CVE-2022-1012 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/237 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/224

CVE-2022-29824 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/third_party_libxml2/pulls/23 ; 3.1.x https://gitee.com/openharmony/third_party_libxml2/pulls/21

CVE-2022-1475 (Medium)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/third_party_ffmpeg/pulls/41 ; 3.1.x https://gitee.com/openharmony/third_party_ffmpeg/pulls/36

CVE-2022-27406 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/third_party_freetype/pulls/17 ; 3.1.x not fixed

CVE-2022-27404 (Critical)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/third_party_freetype/pulls/17 ; 3.1.x not fixed

CVE-2022-1974 (Medium)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/260 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/302

CVE-2022-1734 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/260 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/214

CVE-2022-1199 (Medium)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/260 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/333

CVE-2022-1966 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/258 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/332

CVE-2022-1786 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.5-LTS; OpenHarmony-v3.1-Release through OpenHarmony-v3.1.1-Release
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/258 ; 3.1.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/332

CVE-2022-1280 (High)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/233

CVE-2022-45868 (Medium)
  Affected versions: OpenHarmony-v3.0-LTS through OpenHarmony-v3.0.3-LTS
  Fix link: 3.0.x https://gitee.com/openharmony/kernel_linux_5.10/pulls/233
Participants (1): Liuxu (louis)