CVE-2022-40641 Ansys SpaceClaim 2022 R1 is vulnerable to remote attackers executing arbitrary code.

Red Hat patches this vulnerability in Red Hat 5.5 by issuing the following advisory: Red Hat has patched this issue in 5.5. At the time of advisory patching, Red Hat provided the following mitigations: Red Hat recommends reviewing any third-party vendor content that is being used in production. Red Hat also recommends performing application audits to identify and correct any unvalidated inputs that could lead to this type of issue. End users can protect themselves from this issue by reviewing application and system permissions, and by restricting access to applications and systems to only those that are needed.

CVE-2022 -40641

This vulnerability affects Red Hat Linux systems that are running the GRS server. The vulnerability is caused by a flaw in the way the GRS server processes requests for GRS user names and group names. When an attacker sends a crafted packet to the GRS server, it can cause the system to crash or perform an out-of-bounds write of data outside of its allocated buffer space.
The vulnerability was discovered as part of Red Hat's commitment to responsible disclosure.

Vulnerability overview

The vulnerability is a buffer overflow in the unserialize function. If exploited, an attacker could execute arbitrary code with root privileges on the system.

Potential Impact

The vulnerability could allow local user access to the application or system, which could lead to the exposure of sensitive information.

Information disclosure issue

CVE-2022-40641 is an information disclosure issue in Red Hat. It allows attackers to read arbitrary files on the system by exploiting a flaw in the way that liby2util handles certain ioctl cases.

This vulnerability affects systems running Red Hat Enterprise Linux 5.5, which have been updated to errata RHSA-2017:2560 and RHSA-2017:2562.

3.3.x Untrusted File Upload s

The 3.3.x Untrusted File Uploads flaw is an escalation of privilege vulnerability in the Red Hat KVM virtualization product that allows remote attackers to take ownership of arbitrary files within the system.

Timeline

Published on: 09/15/2022 16:15:00 UTC
Last modified on: 09/19/2022 18:23:00 UTC

References

• https://www.zerodayinitiative.com/advisories/ZDI-22-1197/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40641