CVE-2022-23219

Published on: 01/14/2022 12:00:00 AM UTC

Last Modified on: 11/08/2022 01:32:00 PM UTC

CVE-2022-23219

Source: Mitre Source: NIST CVE.ORG Print: PDF PDF
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Debian Linux from Debian contain the following vulnerability:

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

  • CVE-2022-23219 has been assigned by URL Logo [email protected] to track the vulnerability - currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

Attack
Vector 		Attack
Complexity		 Privileges
Required		 User
Interaction
NETWORK LOW NONE NONE
Scope Confidentiality
Impact		 Integrity
Impact		 Availability
Impact
UNCHANGED HIGH HIGH HIGH

CVSS2 Score: 7.5 - HIGH

Access
Vector		 Access
Complexity		 Authentication
NETWORK LOW NONE
Confidentiality
Impact		 Integrity
Impact		 Availability
Impact
PARTIAL PARTIAL PARTIAL

CVE References

Description Tags Link
22542 – buffer overflow in sunrpc clnt_create sourceware.org
text/html
 URL Logo MISC sourceware.org/bugzilla/show_bug.cgi?id=22542
GNU C Library: Multiple Vulnerabilities (GLSA 202208-24) — Gentoo security security.gentoo.org
text/html
 URL Logo GENTOO GLSA-202208-24
[SECURITY] [DLA 3152-1] glibc security update lists.debian.org
text/html
 URL Logo MLIST [debian-lts-announce] 20221017 [SECURITY] [DLA 3152-1] glibc security update
Oracle Critical Patch Update Advisory - July 2022 www.oracle.com
text/html
 URL Logo MISC www.oracle.com/security-alerts/cpujul2022.html
By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

  • 159715 Oracle Enterprise Linux Security Update for glibc (ELSA-2022-0896)
  • 159720 Oracle Enterprise Linux Security Update for glibc (ELSA-2022-9234)
  • 159791 Oracle Enterprise Linux Security Update for glibc (ELSA-2022-9358)
  • 159851 Oracle Enterprise Linux Security Update for glibc (ELSA-2022-9421)
  • 179233 Debian Security Update for glibc (CVE-2022-23219)
  • 181138 Debian Security Update for glibc (DLA 3152-1)
  • 198685 Ubuntu Security Notification for GNU C Library Vulnerabilities (USN-5310-1)
  • 240148 Red Hat Update for glibc (RHSA-2022:0896)
  • 282318 Fedora Security Update for glibc (FEDORA-2022-918e18c52c)
  • 353204 Amazon Linux Security Advisory for glibc : ALAS-2022-1576
  • 353208 Amazon Linux Security Advisory for glibc : ALAS2-2022-1767
  • 354363 Amazon Linux Security Advisory for glibc : ALAS2022-2022-197
  • 354409 Amazon Linux Security Advisory for glibc : ALAS2022-2022-130
  • 355144 Amazon Linux Security Advisory for glibc : ALAS2023-2023-060
  • 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
  • 671454 EulerOS Security Update for glibc (EulerOS-SA-2022-1448)
  • 671461 EulerOS Security Update for glibc (EulerOS-SA-2022-1427)
  • 671490 EulerOS Security Update for glibc (EulerOS-SA-2022-1485)
  • 671506 EulerOS Security Update for glibc (EulerOS-SA-2022-1504)
  • 671617 EulerOS Security Update for glibc (EulerOS-SA-2022-1565)
  • 672219 EulerOS Security Update for glibc (EulerOS-SA-2022-2608)
  • 672237 EulerOS Security Update for compat-glibc (EulerOS-SA-2022-2603)
  • 710605 Gentoo Linux GNU C Library Multiple Vulnerabilities (GLSA 202208-24)
  • 751690 OpenSUSE Security Update for glibc (openSUSE-SU-2022:0330-1)
  • 751712 SUSE Enterprise Linux Security Update for glibc (SUSE-SU-2022:0441-1)
  • 751867 SUSE Enterprise Linux Security Update for glibc (SUSE-SU-2022:0832-1)
  • 751910 SUSE Enterprise Linux Security Update for glibc (SUSE-SU-2022:0909-1)
  • 751983 SUSE Enterprise Linux Security Update for glibc (SUSE-SU-2022:0330-1)
  • 753208 SUSE Enterprise Linux Security Update for glibc (SUSE-SU-2022:14923-1)
  • 900523 Common Base Linux Mariner (CBL-Mariner) Security Update for glibc (7491)
  • 901131 Common Base Linux Mariner (CBL-Mariner) Security Update for glibc (7533-1)
  • 940469 AlmaLinux Security Update for glibc (ALSA-2022:0896)
  • 960854 Rocky Linux Security Update for glibc (RLSA-2022:0896)

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
Operating
System		DebianDebian Linux10.0AllAllAll
ApplicationGnuGlibcAllAllAllAll
ApplicationOracleCommunications Cloud Native Core Binding Support Function22.1.3AllAllAll
ApplicationOracleCommunications Cloud Native Core Network Function Cloud Native Environment22.1.0AllAllAll
ApplicationOracleCommunications Cloud Native Core Network Repository Function22.1.2AllAllAll
ApplicationOracleCommunications Cloud Native Core Network Repository Function22.2.0AllAllAll
ApplicationOracleCommunications Cloud Native Core Security Edge Protection Proxy22.1.1AllAllAll
ApplicationOracleCommunications Cloud Native Core Unified Data Repository22.2.0AllAllAll
ApplicationOracleEnterprise Operations Monitor4.3AllAllAll
ApplicationOracleEnterprise Operations Monitor4.4AllAllAll
ApplicationOracleEnterprise Operations Monitor5.0AllAllAll
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:enterprise_operations_monitor:4.4:*:*:*:*:*:*:*:
  • cpe:2.3:a:oracle:enterprise_operations_monitor:5.0:*:*:*:*:*:*:*:

Social Mentions

Source Title Posted (UTC)
Twitter Icon @CVEreport CVE-2022-23219 : The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library aka g… twitter.com/i/web/status/1… 2022-01-14 07:06:33
Twitter Icon @Robo_Alerts Potentially Critical CVE Detected! CVE-2022-23219 Description: The deprecated compatibility function clnt_create in… twitter.com/i/web/status/1… 2022-01-14 07:56:13
Twitter Icon @SecRiskRptSME RT: CVE-2022-23219 The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (ak… twitter.com/i/web/status/1… 2022-01-14 08:33:41
Reddit Logo Icon /r/netcve CVE-2022-23219 2022-01-14 07:38:29
Reddit Logo Icon /r/devsecops What to do with vulnerabilities from official upstream images? 2022-02-28 19:44:23
Reddit Logo Icon /r/Hacking_Tutorials Responsible Disclosure /phpinfo.php 2022-04-19 17:40:31
Reddit Logo Icon /r/HowToHack Responsible Disclosure /phpinfo.php 2022-04-19 17:38:26
Reddit Logo Icon /r/hacking Responsible Disclosure info.php 2022-04-19 17:36:32
Reddit Logo Icon /r/synology DSM Version: 7.1.1-42951 (Release Candidate) 2022-08-10 06:07:14
Reddit Logo Icon /r/synology Has anyone seen the release notes for the latest DSM 7.1.1 Release Candidate. Fixes a scary amount of CVEs. 2022-08-16 14:26:29
Reddit Logo Icon /r/synology DSM 7.1.1-42962 released! 2022-09-05 11:39:36
Reddit Logo Icon /r/googlecloudupdates May 02, 2023 GCP release notes 2023-05-03 01:00:28
© CVE.report 2023 Twitter Nitter Twitter Viewer |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report