
Linux Vulnerabilities of the Week: February 8, 2022
See this week's top Linux issues and keep your IT environment protected from the latest February 2022 Linux vulnerabilities.
1. SQL injection in Log4j 1.x when the application is configured to use JDBCAppender
Severity: Critical        CVSS Score: 9.8
This is a flaw in version 1.x of the Java logging library Apache Log4j that makes its JDBCAppender vulnerable to SQL injection through untrusted data. A remote attacker can use this vulnerability to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.
The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Syxscore Risk Alert
This vulnerability carries a critical risk, as it can be exploited over any network, with low complexity, no privileges, and no user interaction.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2022-23305
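As an added example (not Syxsense's or the Log4j project's code), the following Python script audits a Log4j 1.x properties file for the condition described above: a JDBCAppender whose SQL statement interpolates caller-supplied text. It assumes the interpolation tokens of concern are the PatternLayout conversions %m, %x and %X; the sample configuration and its names are constructed.

```python
import re

JDBC_CLASS = "org.apache.log4j.jdbc.JDBCAppender"
# Assumption: tokens of concern are %m (message), %x (NDC), %X{key} (MDC), with modifiers.
TAINTED = re.compile(r"%-?\d*(?:\.\d+)?([mxX])")

# Constructed sample configuration (hypothetical names, not a real deployment).
SAMPLE = r"""
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:postgresql://db.example.internal/logs
log4j.appender.DB.sql=INSERT INTO app_log VALUES ('%d', '%p', \
    '%c', '%-200m')
log4j.appender.BEAT=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.BEAT.sql=INSERT INTO heartbeat VALUES ('%d', '%p', '100%%m')
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.FILE.layout.ConversionPattern=%d %p %m%n
"""

def parse_properties(text):
    """Minimal .properties reader: comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # join with the next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return {appender: [conversions]} for JDBCAppenders interpolating caller text."""
    props, findings = parse_properties(text), {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JDBC_CLASS:
            # Either property can supply the statement, so inspect both.
            stmt = props.get(key + ".sql", "") + " " + props.get(key + ".layout.ConversionPattern", "")
            hits = TAINTED.findall(stmt.replace("%%", ""))  # "%%" is a literal percent
            if hits:
                findings[m.group(1)] = sorted({"%" + h for h in hits})
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty result names the appenders whose configuration should be reviewed first.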
2. A heap-based buffer overflow vulnerability in AIDE (<0.17.4) affecting Red Hat Enterprise Linux 6, 7 and 8
Severity: Important   CVSS Score: 7.8
AIDE allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), crash the program, and possibly execute arbitrary code, because of a heap-based buffer overflow.
The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Syxscore Risk Alert
This vulnerability carries a major risk: although it requires local access to the device to be exploited, it can be exploited with a low-complexity attack, low privileges, and no user interaction.
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-45417
CVE Reference(s): CVE-2021-44790
3. An uncontrolled resource consumption flaw in Go (< 1.16.12)
Severity: Important   CVSS Score: 7.5
This is a flaw in Golang’s net/http library in the canonicalHeader() function. It allows an attacker who submits specially crafted requests to applications linked with net/http’s http2 functionality to cause excessive resource consumption that could lead to a denial of service or otherwise impact system performance and resources.
The highest threat from this vulnerability is to system availability.
Syxscore Risk Alert
This vulnerability carries a major risk, as it can be exploited over any network, with low complexity, no privileges, and no user interaction.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2021-44716
4. Libreswan (4.2 through 4.5) flaw
Severity: Important   CVSS Score: 7.5
This is a flaw in Libreswan that remote attackers could exploit to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6.
The highest threat from this vulnerability is to system availability.
Syxscore Risk Alert
This vulnerability carries a major risk, as it can be exploited over any network, with low complexity, no privileges, and no user interaction.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2022-23094
5. Incorrect IdentityHashMap size checks during deserialization in OpenJDK
Severity: Medium      CVSS Score: 5.3
This is an easily exploitable flaw in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries) that allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DoS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
The highest threat from this vulnerability is to system availability.
Syxscore Risk Alert
This vulnerability carries a moderate risk, as it can be exploited over any network, with low complexity, no privileges, and no user interaction.
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope (Jump Point): Unchanged
CVE Reference(s): CVE-2022-21294