Linux Vulnerabilities of the Week: August 9, 2021

Linux Vulnerabilities of the Week: August 9, 2021

1. Command injection vulnerability in RDoc 3.11 affecting Red Hat Enterprise Linux 8

Severity: Critical         CVSS Score: 9.8

This is an operating system command injection in RDoc.

A remote unprivileged attacker can use the RDoc command to generate documentation for a malicious Ruby source code, and this can result in arbitrary commands execution with the privileges of the user running RDoc.

The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Syxscore Risk Alert

This vulnerability has a critical risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-31799

2. A use-after-free vulnerability in WebKitGTK 2.30.4

Severity: Important    CVSS Score: 8.8

Due to this flaw, if a remote attacker tricks a local user into visiting a specially crafted malicious webpage, it can result in a potential data leak and further memory corruption.

The highest threat from this vulnerability is to data confidentiality and integrity.

Syxscore Risk Alert

This vulnerability has a major risk as though it requires user interaction to be exploited, this can be exposed over any network, with a low complexity attack, and without privileges.

  • Attack Vector:             Network
  • Attack Complexity:     Low
  • Privileges Required:    None
  • User Interaction:         Required
  • Scope (Jump Point):    Unchanged

CVE Reference(s): CVE-2021-21775

3. A heap out-of-bounds write in net/netfilter/x_tables.c affecting Red Hat Enterprise Linux 7 and 8

Severity: Important   CVSS Score: 7.8

This is a flaw in processing setsockopt IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) for 32-bit processes on 64-bit systems.

Exploiting this flaw, a local user can gain privileges or cause a DoS through username space. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.

The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Syxscore Risk Alert

This vulnerability has a high risk as though it needs access to the same network as the device, and requires some privileges to be exploited, it can be exposed with a low complexity attack and without user interaction.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-22555

4. An out-of-bounds memory write flaw in the Linux kernel’s joystick devices subsystem

Severity: Important    CVSS Score: 7.8

Exploiting this flaw, a local user can crash the system or escalate their privileges on the system.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a high risk as though it needs access to the same network as the device, and requires some privileges to be exploited, it can be exposed with a low complexity attack and without user interaction.

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-3612

5. An infinite loop in apache-commons-compress affecting Red Hat Enterprise Linux 7 and 8

Severity: Important    CVSS Score: 7.5

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This flaw allows the mounting of a denial-of-service attack against services that use Compress’ SevenZ package.

The highest threat from this vulnerability is to system availability.

Syxscore Risk Alert

This vulnerability has a major risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-35515

Try Linux Patching with Syxsense

Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.

Recent Posts

Topics

Related Posts

In the News: Brute-force attacks surge worldwide, warns Cisco Talos

In the News: Brute-force attacks surge worldwide, warns Cisco Talos

April 17, 2024
In the News: Why 92% of Security Professionals Worry About Generative AI

In the News: Why 92% of Security Professionals Worry About Generative AI

April 16, 2024
In the News: Let’s Celebrate World Backup Day 2024 – Hear From Industry Experts

In the News: Let’s Celebrate World Backup Day 2024 – Hear From Industry Experts

March 29, 2024
In the News: Navigating the new landscape: Understanding and implementing NIST CSF 2.0

In the News: Navigating the new landscape: Understanding and implementing NIST CSF 2.0

March 27, 2024