Security Advisory

1) Input validation error

Severity: Medium

CVSSv3:
4.2 [CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID:
CVE-2020-10722

CWE-ID:
CWE-20 – Improper Input Validation

Exploit availability:
No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in check log functionality. A remote attacker can pass specially crafted input to the application, trigger mmap offset and perform a denial of service (DoS) attack.

Mitigation

Update dpdk package to one of the following versions: 16.11.11-1+deb9u2, 18.11.6-1~deb10u2.

Vulnerable software versions

dpdk (Debian package):
16.04-1, 16.07-1, 16.07-2, 16.07-3, 16.07.2-1~git1, 16.07~rc1-1, 16.07~rc3-1, 16.07~rc4-1, 16.07~rc5-1, 16.11-1, 16.11-1~bpo8+1, 16.11.1-2, 16.11.2-1, 16.11.2-2, 16.11.2-3, 16.11.2-4, 16.11.2-4~bpo9+1, 16.11.3-1, 16.11.3-1~bpo9+1, 16.11.4-1, 16.11.4-1+deb9u1, 16.11.4-1+deb9u1, 16.11.4-1~bpo9+1, 16.11.6-1+deb9u1, 16.11.6-1+deb9u1, 16.11.8-1+deb9u1, 16.11.8-1+deb9u1, 16.11.9-1+deb9u1, 16.11.9-1+deb9u1, 16.11.9-1+deb9u2, 16.11.9-1+deb9u2, 16.11.11, 16.11.11-1+deb9u1, 16.11.11-1+deb9u1, 17.05-1, 17.05.1-1, 17.05.1-2, 17.05.1-3, 17.05.1-4, 17.08-1, 17.08-2, 17.08-3, 17.08-4, 17.11-1, 17.11-2, 17.11-3, 17.11-4, 17.11-5, 17.11.1-1, 17.11.1-2, 17.11.1-3, 17.11.1-4, 17.11.1-5, 17.11.1-6, 17.11.1-6~bpo9+1, 17.11.2-1, 17.11.2-1~bpo9+1, 17.11.3-1, 17.11.3-2, 17.11.3-3, 17.11.4-1, 17.11.4-1~bpo9+1, 18.02-1, 18.02-2, 18.02.1-1, 18.05-1, 18.08-1, 18.08-2, 18.08-3, 18.11, 18.11-1, 18.11-2, 18.11-3, 18.11-4, 18.11-4~bpo9+1, 18.11-5, 18.11-6, 18.11-6~bpo9+1, 18.11.1-1, 18.11.1-2, 18.11.1-3, 18.11.2-1, 18.11.2-2, 18.11.2-2+deb10u1, 18.11.2-2+deb10u2, 18.11.2-3, 18.11.2-4, 18.11.3-1, 18.11.4-1, 18.11.5, 18.11.5-1, 18.11.5-1~deb10u1, 18.11.6, 18.11.6-1, 18.11.6-1~deb10u1, 19.11-1, 19.11-2, 19.11-3, 19.11-4, 19.11.1, 19.11.1-1, 19.11.1-2, 19.11.1-2~bpo10+1

CPE

External links

https://www.debian.org/security/2020/dsa-4688

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

Severity: Medium

CVSSv3:
5.5 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID:
CVE-2020-10723

CWE-ID:
CWE-20 – Improper Input Validation

Exploit availability:
No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of translated addresses. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update dpdk package to one of the following versions: 16.11.11-1+deb9u2, 18.11.6-1~deb10u2.

Vulnerable software versions

dpdk (Debian package):
16.04-1, 16.07-1, 16.07-2, 16.07-3, 16.07.2-1~git1, 16.07~rc1-1, 16.07~rc3-1, 16.07~rc4-1, 16.07~rc5-1, 16.11-1, 16.11-1~bpo8+1, 16.11.1-2, 16.11.2-1, 16.11.2-2, 16.11.2-3, 16.11.2-4, 16.11.2-4~bpo9+1, 16.11.3-1, 16.11.3-1~bpo9+1, 16.11.4-1, 16.11.4-1+deb9u1, 16.11.4-1+deb9u1, 16.11.4-1~bpo9+1, 16.11.6-1+deb9u1, 16.11.6-1+deb9u1, 16.11.8-1+deb9u1, 16.11.8-1+deb9u1, 16.11.9-1+deb9u1, 16.11.9-1+deb9u1, 16.11.9-1+deb9u2, 16.11.9-1+deb9u2, 16.11.11, 16.11.11-1+deb9u1, 16.11.11-1+deb9u1, 17.05-1, 17.05.1-1, 17.05.1-2, 17.05.1-3, 17.05.1-4, 17.08-1, 17.08-2, 17.08-3, 17.08-4, 17.11-1, 17.11-2, 17.11-3, 17.11-4, 17.11-5, 17.11.1-1, 17.11.1-2, 17.11.1-3, 17.11.1-4, 17.11.1-5, 17.11.1-6, 17.11.1-6~bpo9+1, 17.11.2-1, 17.11.2-1~bpo9+1, 17.11.3-1, 17.11.3-2, 17.11.3-3, 17.11.4-1, 17.11.4-1~bpo9+1, 18.02-1, 18.02-2, 18.02.1-1, 18.05-1, 18.08-1, 18.08-2, 18.08-3, 18.11, 18.11-1, 18.11-2, 18.11-3, 18.11-4, 18.11-4~bpo9+1, 18.11-5, 18.11-6, 18.11-6~bpo9+1, 18.11.1-1, 18.11.1-2, 18.11.1-3, 18.11.2-1, 18.11.2-2, 18.11.2-2+deb10u1, 18.11.2-2+deb10u2, 18.11.2-3, 18.11.2-4, 18.11.3-1, 18.11.4-1, 18.11.5, 18.11.5-1, 18.11.5-1~deb10u1, 18.11.6, 18.11.6-1, 18.11.6-1~deb10u1, 19.11-1, 19.11-2, 19.11-3, 19.11-4, 19.11.1, 19.11.1-1, 19.11.1-2, 19.11.1-2~bpo10+1

CPE

External links

https://www.debian.org/security/2020/dsa-4688

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cryptographic issues

Severity: Medium

CVSSv3:
4 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID:
CVE-2020-10724

CWE-ID:
CWE-310 – Cryptographic Issues

Exploit availability:
No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to incorrect validation of keys lengths. A remote attacker can bypass certain security restrictions.

Mitigation

Update dpdk package to one of the following versions: 16.11.11-1+deb9u2, 18.11.6-1~deb10u2.

Vulnerable software versions

dpdk (Debian package):
16.04-1, 16.07-1, 16.07-2, 16.07-3, 16.07.2-1~git1, 16.07~rc1-1, 16.07~rc3-1, 16.07~rc4-1, 16.07~rc5-1, 16.11-1, 16.11-1~bpo8+1, 16.11.1-2, 16.11.2-1, 16.11.2-2, 16.11.2-3, 16.11.2-4, 16.11.2-4~bpo9+1, 16.11.3-1, 16.11.3-1~bpo9+1, 16.11.4-1, 16.11.4-1+deb9u1, 16.11.4-1+deb9u1, 16.11.4-1~bpo9+1, 16.11.6-1+deb9u1, 16.11.6-1+deb9u1, 16.11.8-1+deb9u1, 16.11.8-1+deb9u1, 16.11.9-1+deb9u1, 16.11.9-1+deb9u1, 16.11.9-1+deb9u2, 16.11.9-1+deb9u2, 16.11.11, 16.11.11-1+deb9u1, 16.11.11-1+deb9u1, 17.05-1, 17.05.1-1, 17.05.1-2, 17.05.1-3, 17.05.1-4, 17.08-1, 17.08-2, 17.08-3, 17.08-4, 17.11-1, 17.11-2, 17.11-3, 17.11-4, 17.11-5, 17.11.1-1, 17.11.1-2, 17.11.1-3, 17.11.1-4, 17.11.1-5, 17.11.1-6, 17.11.1-6~bpo9+1, 17.11.2-1, 17.11.2-1~bpo9+1, 17.11.3-1, 17.11.3-2, 17.11.3-3, 17.11.4-1, 17.11.4-1~bpo9+1, 18.02-1, 18.02-2, 18.02.1-1, 18.05-1, 18.08-1, 18.08-2, 18.08-3, 18.11, 18.11-1, 18.11-2, 18.11-3, 18.11-4, 18.11-4~bpo9+1, 18.11-5, 18.11-6, 18.11-6~bpo9+1, 18.11.1-1, 18.11.1-2, 18.11.1-3, 18.11.2-1, 18.11.2-2, 18.11.2-2+deb10u1, 18.11.2-2+deb10u2, 18.11.2-3, 18.11.2-4, 18.11.3-1, 18.11.4-1, 18.11.5, 18.11.5-1, 18.11.5-1~deb10u1, 18.11.6, 18.11.6-1, 18.11.6-1~deb10u1, 19.11-1, 19.11-2, 19.11-3, 19.11-4, 19.11.1, 19.11.1-1, 19.11.1-2, 19.11.1-2~bpo10+1

CPE

External links

https://www.debian.org/security/2020/dsa-4688

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.





Source link

You must be logged in to post a comment.