Linux Vulnerabilities of the Week: October 25, 2021


1. Buffer overflow in Golang (<1.16.9)

Severity: Critical         CVSS Score: 9.8

This is a validation flaw in Golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments.

The highest threat from this vulnerability is to integrity.

Syxscore Risk Alert

This vulnerability has a critical risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-38297

2. A buffer overflow in Ncurses (through v6.2-1)

Severity: Important    CVSS Score: 8.8

This is a heap-based buffer overflow in _nc_captoinfo in captoinfo.c.

The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Syxscore Risk Alert

This vulnerability has a high risk: although it requires user interaction, it can be exposed over any network, with low complexity and no privileges.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-39537

3. Integer overflow in strongSwan (< 5.9.4)

Severity: Important   CVSS Score: 7.5

This is a remote integer overflow in the in-memory certificate cache in strongSwan. The overflow happens upon receiving many requests with different certificates, which fill the cache and later trigger the replacement of cache entries.

The code's attempts to select a less-often-used cache entry by generating random numbers do not give results. Remote code execution might be a slight possibility.

The highest threat from this vulnerability is to system availability.

Syxscore Risk Alert

This vulnerability has a major risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-41991

4. OpenJDK vulnerability affecting Red Hat Enterprise Linux 8

Severity: Medium       CVSS Score: 6.8

This is an easily exploitable flaw that allows a low-privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. To be successful, attacks require human interaction from a person other than the attacker.

While the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products and lead to unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data.

The highest threat from this vulnerability is to data confidentiality.

Syxscore Risk Alert

This vulnerability has a moderate risk: although it requires some privileges and user interaction to be exploited, it can be exposed over any network, with a low complexity attack. In addition, this vulnerability allows a lateral attack to be made, due to the changed jump point.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope (Jump Point): Changed

CVE Reference(s): CVE-2021-35567

5. Memory disclosure in PostgreSQL

Severity: Medium       CVSS Score: 6.5

This is a flaw in PostgreSQL. Using an INSERT … ON CONFLICT … DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory.

The highest threat from this vulnerability is to data confidentiality.

Syxscore Risk Alert

This vulnerability has a moderate risk: although an attacker requires some privileges to exploit it, it can be exposed over any network, with a low complexity attack, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-32028
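
An added example, not part of the original page and not the Syxscore calculation: it parses the risk-alert bullets listed for each entry above and computes the CVSS v3.1 exploitability sub-score from them, so the five items can be ranked by how easily they are reached. The function names and the flattened `ALERTS` input are assumptions made for this example; the weights are the published CVSS v3.1 constants.

```python
import re

# CVSS v3.1 exploitability weights from the FIRST specification.
AV = {"Network": 0.85, "Adjacent": 0.62, "Local": 0.55, "Physical": 0.20}
AC = {"Low": 0.77, "High": 0.44}
UI = {"None": 0.85, "Required": 0.62}
# Privileges Required weighs more when the scope is Changed.
PR = {"Unchanged": {"None": 0.85, "Low": 0.62, "High": 0.27},
      "Changed": {"None": 0.85, "Low": 0.68, "High": 0.50}}

# Matches "• Name: Value" and "• Name (note): Value", one per line or flattened.
BULLET = re.compile(r"•\s*([A-Za-z ]+?)\s*(?:\([^)]*\))?\s*:\s*(\w+)")

def parse_metrics(text):
    """Turn a risk-alert bullet list into {metric name: value}."""
    metrics = dict(BULLET.findall(text))
    needed = ("Attack Vector", "Attack Complexity", "Privileges Required",
              "User Interaction", "Scope")
    missing = [n for n in needed if n not in metrics]
    if missing:
        raise ValueError(f"missing metrics: {missing}")
    return metrics

def exploitability(text):
    """CVSS v3.1 exploitability sub-score: 8.22 * AV * AC * PR * UI."""
    m = parse_metrics(text)
    try:
        return (8.22 * AV[m["Attack Vector"]] * AC[m["Attack Complexity"]]
                * PR[m["Scope"]][m["Privileges Required"]]
                * UI[m["User Interaction"]])
    except KeyError as exc:
        raise ValueError(f"unknown metric value: {exc}") from None

def rank(alerts):
    """Return (cve, sub-score) pairs, most easily exploited first."""
    scored = [(cve, round(exploitability(t), 1)) for cve, t in alerts.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# The five bullet lists on this page, flattened to one line each (all are Network / Low).
T = ("• Attack Vector: Network • Attack Complexity: Low • Privileges Required: {} "
     "• User Interaction: {} • Scope (Jump Point): {}")
ALERTS = {"CVE-2021-38297": T.format("None", "None", "Unchanged"),
          "CVE-2021-39537": T.format("None", "Required", "Unchanged"),
          "CVE-2021-41991": T.format("None", "None", "Unchanged"),
          "CVE-2021-35567": T.format("Low", "Required", "Changed"),
          "CVE-2021-32028": T.format("Low", "None", "Unchanged")}

if __name__ == "__main__":
    for cve, score in rank(ALERTS):
        print(f"{cve}  exploitability {score}")
```

The sub-score ignores impact, so CVE-2021-35567 ranks last here even though its changed scope is what the page flags for lateral attacks; read it alongside the severity figures, not instead of them.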
