Linux Vulnerabilities of the Week: May 17, 2021

1. A Linux kernel (<11.9) use-after-free flaw in drivers/vhost/vdpa.c

Severity: Important    CVSS Score: 7.8

This is a vulnerability in the Linux kernel. An invalid value upon reopening a character device can cause use-after-free memory corruption. The highest threat from this vulnerability is to data confidentiality and system availability.

Syxscore Risk Alert

This vulnerability carries a high risk: although it needs access to the same network as the device, it can be exploited with a low-complexity attack that requires low privileges and no user interaction.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-29266

2. Single-file application privilege escalation in DotNet affecting Red Hat Enterprise Linux 8

Severity: Important    CVSS Score: 7.3

Using this flaw in DotNet, an attacker can gain elevated privileges through a .NET Core single-file application running with elevated permissions.

The highest threat from this vulnerability is to confidentiality and system availability.

Syxscore Risk Alert

This vulnerability carries a high risk: although it needs access to the same network as the device and requires user interaction, it can be exploited with a low-complexity attack that requires only low privileges.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-31204

3. Oracle Java SE Libraries flaw

Severity: Medium       CVSS Score: 5.9

This flaw allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, and Oracle GraalVM Enterprise Edition, which will lead to unauthorized creation, deletion, or modification access to critical data or to all data accessible to Java SE, Java SE Embedded, and Oracle GraalVM Enterprise Edition.

Syxscore Risk Alert

This vulnerability carries a moderate risk: though it requires a high-complexity attack and user interaction, it can still be exploited over any network with no privileges.

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-2161

4. MySQL Server vulnerability

Severity: Medium       CVSS Score: 4.9

Using this easily exploitable vulnerability, an attacker with high privileges and network access via multiple protocols can compromise MySQL Server and cause it to hang or crash in a frequently repeatable way (complete DoS).

The highest threat from this vulnerability is to system availability.

Syxscore Risk Alert

This vulnerability carries a moderate risk: although an attack requires high privileges, the flaw can be exploited over any network by a low-complexity attack without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-2146

Try Linux Patching with Syxsense

Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.