Linux Vulnerabilities of the Week: May 3, 2021

1. Unsafe deserialization in XStream

Severity: Critical         CVSS Score: 9.8

This is a flaw in XStream that allows a remote attacker to load and execute arbitrary code from a remote host solely by manipulating the input stream being processed.

The highest threat from this vulnerability is to data confidentiality and system availability.

Syxscore Risk Alert

This vulnerability has a critical risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-21347

2. WebKitGTK (<2.30.6) logic issue affecting Red Hat Enterprise Linux 8

Severity: Critical         CVSS Score: 9.8

This is a logic issue in WebKitGTK and WPE WebKit that allows a remote attacker to execute arbitrary code.

The highest threat from this vulnerability is to data confidentiality and system availability.

Syxscore Risk Alert

This vulnerability has a critical risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-1870

3. Memory corruption issue in WebKitGTK and WPE WebKit (<32.0)

Severity: Important    CVSS Score: 8.8

This is a memory corruption issue in WebKitGTK and WPE WebKit that may lead to arbitrary code execution when maliciously crafted web content is processed.

The highest threat from this vulnerability is to data confidentiality and system availability.

Syxscore Risk Alert

This vulnerability has a high risk. Although exploitation requires user interaction, it can be exposed over any network, with low complexity and no privileges.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-1844

4. Firefox (< 85) Vulnerability

Severity: Important    CVSS Score: 7.4

As a result of this vulnerability, hosts on an internal network and services running on the user’s local machine can be exposed by further techniques built on the slipstream research, combined with a malicious web page.

Syxscore Risk Alert

This vulnerability has a high risk: although it requires user interaction, it can be exposed over any network by an attack of low complexity, with no privileges.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Changed

CVE Reference(s): CVE-2021-23961

5. WebKitGTK and WPE WebKit (<2.30.6) port redirection issue

Severity: Medium       CVSS Score: 6.5

This is a port redirection issue in WebKitGTK and WPE WebKit that allows a malicious website to access restricted ports on arbitrary servers.

The highest threat from this vulnerability is to data integrity.

Syxscore Risk Alert

This vulnerability has a moderate risk. Although it requires user interaction, it can be exposed over any network by an attack of low complexity, with no privileges.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-1799

Try Linux Patching with Syxsense

Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.