CVE-2022-39377 — Classic Buffer Overflow in Project Sysstat

CWE-120 — Classic Buffer Overflow CWE-131 — Incorrect Calculation of Buffer Size CWE-190 — Integer Overflow or Wraparound CWE-400 — Uncontrolled Resource Consumption15 documents7 sources

Severity

7.8HIGHNVD

EPSS

1.2%

top 21.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sysstat Project Sysstat Debian Sysstat Debian Linux +6 more

Timeline

PublishedNov 8

Latest updateJun 7

Description

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages9 packages

▶debiandebian/sysstat< sysstat 12.6.1-1 (bookworm)+1

▶NVDsysstat_project/sysstat9.1.6 — 12.6.1+1

▶Debiansysstat_project/sysstat< 12.5.2-2+deb11u1+5

▶Ubuntusysstat_project/sysstat< 12.2.0-2ubuntu0.3+4

▶msrcmsrc/cm1_sysstat_12.3.3-2_on_cbl_mariner_1.0

Also affects: Debian Linux 10.0, Fedora 35, 36, 37, 38

🔴Vulnerability Details

OSV

sysstat vulnerabilities↗2023-06-07

▶

GHSA

GHSA-57g7-qvg2-m23f: sysstat through 12↗2023-05-18

▶

OSV

CVE-2023-33204: sysstat through 12↗2023-05-18

▶

OSV

CVE-2022-39377: sysstat is a set of system performance tools for the Linux operating system↗2022-11-08

▶

📋Vendor Advisories

Ubuntu

Sysstat vulnerabilities↗2023-06-07

▶

Red Hat

sysstat: check_overflow() function can work incorrectly that lead to an overflow↗2023-05-18

▶

Microsoft

sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377.↗2023-05-09

▶

Debian

CVE-2023-33204: sysstat - sysstat through 12.7.2 allows a multiplication integer overflow in check_overflo...↗2023

▶

Ubuntu

Sysstat vulnerability↗2022-11-29

▶