CVE-2022-21505

Advisory lineage Upstream: 0 Downstream: 15

Downstream

DEBIAN-CVE-2022-21505 MGASA-2022-0278 MGASA-2022-0279 RHSA-2023:2148 RHSA-2023:2458 SUSE-SU-2022:2722-1

Analyzed

Published: 24 Dec 2024, 18:48

Last modified:27 Dec 2024, 16:52

Vulnerability Summary

Overall Risk (default)

medium

27/100

CVSS Score

6.7 MEDIUM

v3.1 (cve.org)

EPSS Score

0.07% LOW

0% probability +0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

24 Dec 2024, 18:48

Published

Vulnerability first disclosed

27 Dec 2024, 16:52

Last Modified

Vulnerability information updated

Description

In the linux kernel, if IMA appraisal is used with the "ima_appraise=log" boot param, lockdown can be defeated with kexec on any machine when Secure Boot is disabled or unavailable. IMA prevents setting "ima_appraise=log" from the boot param when Secure Boot is enabled, but this does not cover cases where lockdown is used without Secure Boot. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity, Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVSS Metrics

v3.1•MEDIUM•Score: 6.7CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.07%• Percentile: 22%

Techniques & Countermeasures

CWE-346•Origin Validation Error
The product does not properly verify that the source of data or communication is valid.

Affected Systems

oracle corporation•oracle linux
Oracle Linux: 7 | Oracle Linux: 8 | Oracle Linux: 9
oracle•linux
7 | 8 | 9