CVE-2022-21499

CWE-787Out-of-bounds WriteCWE-26725 documents8 sources
Severity
6.7MEDIUM
EPSS
0.2%
top 60.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Oracle Corporation Oracle LinuxOracle Corporation Oracle VMDebian Debian Linux+1 more
Timeline
PublishedJun 9
Latest updateAug 24

Description

KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages30 packages

Debianlinux< 5.10.120-1+3
Ubuntulinux< 4.15.0-184.194+3
Ubuntulinux-aws< 4.15.0-1133.143+3
Ubuntulinux-kvm< 4.15.0-1119.123+2
Ubuntulinux-gcp< 5.15.0-1008.12+1

Also affects: Debian Linux 11.0

Patches

Patch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

12
OSV
linux vulnerabilities2022-06-16
GHSA
GHSA-rcmc-qxj3-63p4: KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown2022-06-10
CVEList
CVE-2022-21499: KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown2022-06-09
OSV
CVE-2022-21499: KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown2022-06-09
OSV
linux-oem-5.14 vulnerabilities2022-06-08

📋Vendor Advisories

12
Ubuntu
Kernel Live Patch Security Notice2022-08-24
Ubuntu
Linux kernel vulnerabilities2022-06-16
Ubuntu
Linux kernel vulnerabilities2022-06-08
Ubuntu
Linux kernel vulnerabilities2022-06-08
Ubuntu
Linux kernel vulnerabilities2022-06-08