Top Linux Vulnerabilities for August 2021

Top Linux Vulnerabilities for August 2021

1. Apache httpd mod_session heap overflow affecting Red Hat Enterprise Linux 8

Severity: Critical CVSS Score: 9.8  In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow. The highest threat from this vulnerability is to system availability.   Syxscore Risk Alert  This vulnerability has a critical risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction. 

  • Attack Vector: Network 
  • Attack Complexity: Low 
  • Privileges Required: None 
  • User Interaction: None 
  • Scope (Jump Point): Unchanged 

CVE Reference(s): CVE-2021-26691 

2. A use-after-free in Libxml2 (< 2.9.11)

Severity: Important CVSS Score: 8.8  There’s a flaw in libxml2. An attacker can submit a crafted file to be processed by an application linked with libxml2 to trigger a use-after-free. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.   Syxscore Risk Alert  This vulnerability has a major risk as although it requires user interaction, it can be exposed over any network, with a low complexity attack, and without privileges. 

  • Attack Vector: Network 
  • Attack Complexity: Low 
  • Privileges Required: None 
  • User Interaction: Required 
  • Scope (Jump Point): Unchanged 

CVE Reference(s): CVE-2021-3518   

3. A missing length check of forwarded messages in Linux PTP

Severity: Important CVSS Score: 8.8  This is a flaw in the PTP4l program of the Linux PTP package.   A remote attacker that can connect to the `ptp4l` service, can use a missing length check when forwarding a PTP message between ports to cause an information leak, crash, or execute remote code.   The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.  Syxscore Risk Alert  This vulnerability has a high risk as this can be exposed over any network, with a low complexity attack, low privileges, and without user interaction. 

  • Attack Vector: Network 
  • Attack Complexity: Low 
  • Privileges Required: Low 
  • User Interaction: None 
  • Scope (Jump Point): Unchanged 

CVE Reference(s): CVE-2021-3570

4. Out-of-bounds write in ANGLE in Google Chrome (< 91.0.4472.101)

 Severity: Important CVSS Score: 8.8  This is a flaw in ANGLE. Exploiting this vulnerability, a remote attacker can potentially perform out-of-bounds memory access via a crafted HTML page.  The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.   Syxscore Risk Alert  This vulnerability has a major risk as though it requires user interaction to be exploited, this can be exposed over any network, with a low complexity attack and no privileges. 

  • Attack Vector: Network 
  • Attack Complexity: Low 
  • Privileges Required: None 
  • User Interaction: Required 
  • Scope (Jump Point): Unchanged 

CVE Reference(s): CVE-2021-30547   

5. A heap buffer overflow in libsndfile 1.0.30 affecting Red Hat Enterprise Linux 7 and 8

Severity: Important CVSS Score: 8.8  This is a heap buffer overflow in libsndfile, exploiting which an attacker can execute arbitrary code via a crafted WAV file.   The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.  Syxscore Risk Alert  This vulnerability has a major risk as though it requires user interaction to be exploited, this can be exposed over any network, with a low complexity attack and no privileges. 

  • Attack Vector: Network 
  • Attack Complexity: Low 
  • Privileges Required: None 
  • User Interaction: Required 
  • Scope (Jump Point): Unchanged 

CVE Reference(s): CVE-2021-3246 

Try Linux Patching with Syxsense

Syxsense makes endpoint management and security easy. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.