edk2-20231122-6.el9_4.2
Errata ID: AXSA:2024-8600:07
EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.
Security Fix(es):
* EDK2: integer overflow in CreateHob() could lead to HOB OOB R/W (CVE-2022-36765)
* edk2: Predictable TCP Initial Sequence Numbers (CVE-2023-45236)
* edk2: Use of a Weak PseudoRandom Number Generator (CVE-2023-45237)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2022-36765
EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger an integer overflow that leads to a buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
CVE-2023-45236
EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVE-2023-45237
EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
Update packages.
N/A
SRPMS
- edk2-20231122-6.el9_4.2.src.rpm
MD5: 5aaedab8618c020971a2bf6ec852b193
SHA-256: feb0738293d933edd81d2bcbe10e2a09e22d72422c31b53bc6b88587f58ac5ca
Size: 37.23 MB
Asianux Server 9 for x86_64
- edk2-ovmf-20231122-6.el9_4.2.noarch.rpm
MD5: 2ab3703d5fe264e4b8c68e86aa2f376d
SHA-256: 1d2494d23942f69425daa949807314df14ee840924a69e2a6e8c69c1d9a3e8b9
Size: 6.20 MB
- edk2-tools-20231122-6.el9_4.2.x86_64.rpm
MD5: c840a53c527752c870be8f8a5a61af81
SHA-256: 2f00388d80c6a03314ed871838d2457d07ece6d61d7779604f7921c00153333b
Size: 424.41 kB
- edk2-tools-doc-20231122-6.el9_4.2.noarch.rpm
MD5: d3e41b1d4043d4749c983dac16607f2d
SHA-256: 19bf7d7c755e83276b5a15cba2d76c794df6976523c3d043e955cb927c2cff2c
Size: 95.00 kB