CVE-2022-23218 dlsym() copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a svcunix() crash.

This has been fixed in version 2.35. svcunix_create was changed to check the size of its path argument.

The svc_getdents in the nfsd module of the GNU C Library (aka glibc) through 2.34 does not check the return value of the fgetpos function, which may result in information leak or possibly arbitrary code execution.

In the NFSv4 protocol, the nfs4_lock_file function does not validate the length of the path argument. This may result in a denial of service or information leak.

The glibc component named uid_timer in version 2.28 and later permits the use of the timerfd_settime system call on files with the sticky bit set, which may result in information disclosure or privilege escalation.

The glibc component named getaddrinfo in version 2.28 and later permits the use of the AF_UNSPEC address family with the AF_INET6 protocol, which may result in information disclosure or privilege escalation.

In the Open Exceptions Handling mechanism of the Linux kernel, the load_elf_binary function does not validate the length of the program name argument, which may result in information disclosure or privilege escalation. (CVE-2017-7407) Red Hat would like to thank Hanno B\u00e4rsting of Dawrt for reporting CVE-2017-7407.

Check the version of the software you are using

If you are using a known vulnerable version of the software, update your system and software as soon as possible. For more information, see Red Hat Knowledgebase article: https://access.redhat.com/articles/3032615

References: https://access.redhat.com/security/cve/CVE-2022-23218

https://access.redhat.com/security/cve/CVE-2017-7407
https://access.redhat.com/security/cve/CVE-2017-7407

Amazon Linux versions affected

Amazon Linux 2.0, Amazon Linux 2.0 GA, Amazon Linux 2.0
1.1, Amazon Linux 2.0 GA-1
1.2, Amazon Linux 2.0 GA-2
2.0, Amazon Linux 2.0 - Security
2.2, Amazon Linux 3
3

Product updates

This update fixes the following issues:
- The glibc component named getaddrinfo in version 2.28 and later permits the use of the AF_UNSPEC address family with the AF_INET6 protocol, which may result in information disclosure or privilege escalation. (CVE-2017-7407)
- The nfsd module of the GNU C Library (aka glibc) through 2.34 does not check the return value of the fgetpos function, which may result in information leak or possibly arbitrary code execution.
- In the NFSv4 protocol, the nfs4_lock_file function does not validate the length of the path argument. This may result in a denial of service or information leak.
- The glibc component named uid_timer in version 2.28 and later permits the use of the timerfd_settime system call on files with the sticky bit set, which may result in information disclosure or privilege escalation.
- The glibc component named getaddrinfo in version 2.28 and later permits the use of the AF_UNSPEC address family with the AF_INET6 protocol, which may result in information disclosure or privilege escalation.

Timeline

Published on: 01/14/2022 07:15:00 UTC
Last modified on: 08/19/2022 10:01:00 UTC

References

• https://sourceware.org/bugzilla/show_bug.cgi?id=28768
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://security.gentoo.org/glsa/202208-24
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23218