tuned-2.24.0-2.el9_5.ML.1
Errata ID: AXSA:2024-9446:06
Release date:
2024/12/20 Friday - 13:59
Title:
tuned-2.24.0-2.el9_5.ML.1
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Tuned's instance_create() D-Bus function can be invoked without any authorization check. A local attacker can therefore escalate privileges by issuing a crafted D-Bus call that includes the script_pre or script_post option. (CVE-2024-52336)
- Tuned does not properly sanitize its API arguments. A local attacker can therefore spoof log messages by passing a crafted string as an API argument. (CVE-2024-52337)
Solution:
Update the packages.
CVE:
CVE-2024-52336
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user- or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges, allowing an attacker to achieve local privilege escalation.
CVE-2024-52337
A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters, so that newlines can be inserted into the log. Instead of a plainly malicious string, the attacker could mimic a valid TuneD log line and trick the administrator. TuneD logs usually cite raw user input inside '' quotes, so there will always be a ' character ending the spoofed input, but an administrator can easily overlook this. The logged string is later used in logging and in the output of utilities, for example `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
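Added example (not TuneD's own code) illustrating the mitigation and a forensic check for the log-spoofing flaw described above: control characters in a user-supplied value are escaped before the value is quoted in a log line, and an existing log can be scanned for records that were split by an injected newline. The message format, instance name and payload below are constructed for the demonstration.

```python
# Constructed sample input: an instance name carrying an injected newline
# followed by text shaped like a plausible daemon log record.
SPOOFED_NAME = (
    "web\n"
    "2024-12-20 13:59:01,000 INFO     tuned.daemon.controller: "
    "profile 'balanced' applied"
)


def sanitize_for_log(value: str) -> str:
    """Escape control characters so a user-supplied string can never
    start a new log record. CR and LF become visible escapes, other
    C0/C1 controls become \\xNN, and the text stays inside the quotes
    the caller wraps around it."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif code < 0x20 or 0x7F <= code < 0xA0:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def format_instance_message(name: str, safe: bool) -> str:
    """Build the message a daemon would log when creating an instance.
    safe=False reproduces the vulnerable pattern of quoting raw input;
    safe=True applies sanitize_for_log() first."""
    shown = sanitize_for_log(name) if safe else name
    return "creating instance '%s'" % shown


def record_count(message: str) -> int:
    """Number of lines a reader of the log would see for one logged message."""
    return len(message.splitlines())


def find_split_records(log_text: str) -> list:
    """Forensic heuristic for this flaw: a quoted argument broken by an
    injected newline leaves an unbalanced ' on the first physical line
    and a dangling ' on the continuation. Returns 0-based indices of
    lines containing an odd number of single quotes."""
    return [i for i, line in enumerate(log_text.splitlines())
            if line.count("'") % 2 == 1]
```

With the raw-input pattern the spoofed name yields two log lines, both flagged by the quote check; with sanitization it yields a single line whose quotes balance.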
Additional information:
N/A
Downloads:
SRPMS
- tuned-2.24.0-2.el9_5.ML.1.src.rpm
Asianux Server 9 for x86_64
- tuned-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-gtk-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-ppd-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-profiles-atomic-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-profiles-cpu-partitioning-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-profiles-mssql-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-profiles-oracle-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-profiles-postgresql-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-profiles-spectrumscale-2.24.0-2.el9_5.ML.1.noarch.rpm
- tuned-utils-2.24.0-2.el9_5.ML.1.noarch.rpm