Sign-up

ID

VAR-202302-1348


CVE

CVE-2022-36369


TITLE

Intel's  qatzip  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-020111

DESCRIPTION

Improper access control in some QATzip software maintained by Intel(R) before version 1.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel's qatzip Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: qatzip security and bug fix update Advisory ID: RHSA-2023:3397-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:3397 Issue date: 2023-05-31 CVE Names: CVE-2022-36369 ===================================================================== 1. Summary: An update for qatzip is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder EUS (v.8.6) - x86_64 Red Hat Enterprise Linux AppStream EUS (v.8.6) - x86_64 3. Description: QATzip is a user space library which builds on top of the Intel QuickAssist Technology user space library, to provide extended accelerated compression and decompression services by offloading the actual compression and decompression request(s) to the Intel Chipset Series. QATzip produces data using the standard gzip* format (RFC1952) with extended headers. The data can be decompressed with a compliant gzip* implementation. QATzip is designed to take full advantage of the performance provided by Intel QuickAssist Technology. Security Fix(es): * qatzip: local privilege escalation (CVE-2022-36369) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Intel QAT Update - QATzip (User Space Changes) (BZ#2178769) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2170784 - CVE-2022-36369 qatzip: local privilege escalation 6. Package List: Red Hat Enterprise Linux AppStream EUS (v.8.6): Source: qatzip-1.1.2-1.el8_6.src.rpm x86_64: qatzip-1.1.2-1.el8_6.x86_64.rpm qatzip-debuginfo-1.1.2-1.el8_6.x86_64.rpm qatzip-debugsource-1.1.2-1.el8_6.x86_64.rpm qatzip-libs-1.1.2-1.el8_6.x86_64.rpm qatzip-libs-debuginfo-1.1.2-1.el8_6.x86_64.rpm Red Hat CodeReady Linux Builder EUS (v.8.6): x86_64: qatzip-debuginfo-1.1.2-1.el8_6.x86_64.rpm qatzip-debugsource-1.1.2-1.el8_6.x86_64.rpm qatzip-devel-1.1.2-1.el8_6.x86_64.rpm qatzip-libs-debuginfo-1.1.2-1.el8_6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-36369 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZHeVGNzjgjWX9erEAQhiBg/+Kdi4KI3mxbLUlYGGHL4b6t3SaiWQ+0uO glCxzVohlRnJGPk/sqw8lQjWay0qv6A+cHC1hwgJPEXzABywYymH/fJls8NP1eJB vLrRvme4yyt0uebsFlqnydvt9bzK7hIlKc2O0ZNcnUPiXzSpjf2LotT3dkdK4ZpS 5qOd0JjmP3F1tVnVeKFE49jTR8cWj9R0sTEKjbNINCWKIZ3jCY2/UapAPPYZ0CGe VY1rlbT7WxdBvZelroY8fpzm9um3LwMFrwNtnbno3ID0iWNcd/j8OBXpO+zU8akq VJmLJqAhglZiXiVOCCILynq5uibgnvR1SuWLS2/Q+kGR1LhiQ+4pR4z/4MKsP0SB wDBA0vfOICE/At8dL2S/PY/WrsNFj/NW5HJPAs1NVAF5kis4ywR93wn5QeTeh2GM XEGoUMECj+FoHONaFNMw9ZXEImjuz2tTakDQ9TSQDI4of1YhbrVKkEt5WP+1jGUT HcHuni/e3phCwYHfQAKGDeYm1WiEj0RVaQC0kCvXcxGPMBLTZq14EPw2ToBBxDgu Ztfuqscm9GXTaA/AWg03+n1VC8HLCBdj9b0aRDEAJ/pZX5L/VLs2FXpDVvJb5pmg qhZ5NWr6JpdS75+eha1a+EYqtGWY51DyL8dn2EdkqE+pxjs8MaSvQztfDGL+/knI b17/1oNf6T0= =XDe1 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 1.98

sources: NVD: CVE-2022-36369 // JVNDB: JVNDB-2022-020111 // VULHUB: VHN-432481 // VULMON: CVE-2022-36369 // PACKETSTORM: 171987 // PACKETSTORM: 172675

AFFECTED PRODUCTS

vendor:intelmodel:qatzipscope:ltversion:1.0.9

Trust: 1.0

vendor:インテルmodel:qatzipscope:eqversion:1.0.9

Trust: 0.8

vendor:インテルmodel:qatzipscope:eqversion: -

Trust: 0.8

vendor:インテルmodel:qatzipscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-020111 // NVD: CVE-2022-36369

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-36369
value: HIGH

Trust: 1.0

secure@intel.com: CVE-2022-36369
value: HIGH

Trust: 1.0

NVD: CVE-2022-36369
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202302-1469
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-36369
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2022-36369
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-020111 // CNNVD: CNNVD-202302-1469 // NVD: CVE-2022-36369 // NVD: CVE-2022-36369

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-020111 // NVD: CVE-2022-36369

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202302-1469

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202302-1469

PATCH

title:Intel QATzip softwar Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=226026

Trust: 0.6

title:Red Hat: url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2022-36369

Trust: 0.1

sources: VULMON: CVE-2022-36369 // CNNVD: CNNVD-202302-1469

EXTERNAL IDS

db:NVDid:CVE-2022-36369

Trust: 3.6

db:JVNid:JVNVU91223897

Trust: 0.8

db:JVNDBid:JVNDB-2022-020111

Trust: 0.8

db:AUSCERTid:ESB-2023.3091

Trust: 0.6

db:CNNVDid:CNNVD-202302-1469

Trust: 0.6

db:VULHUBid:VHN-432481

Trust: 0.1

db:VULMONid:CVE-2022-36369

Trust: 0.1

db:PACKETSTORMid:171987

Trust: 0.1

db:PACKETSTORMid:172675

Trust: 0.1

sources: VULHUB: VHN-432481 // VULMON: CVE-2022-36369 // JVNDB: JVNDB-2022-020111 // PACKETSTORM: 171987 // PACKETSTORM: 172675 // CNNVD: CNNVD-202302-1469 // NVD: CVE-2022-36369

REFERENCES

url:http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00765.html

Trust: 2.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-36369

Trust: 1.0

url:https://access.redhat.com/security/cve/cve-2022-36369

Trust: 0.9

url:https://jvn.jp/vu/jvnvu91223897/

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-36369/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3091

Trust: 0.6

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://bugzilla.redhat.com/):

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://nvd.nist.gov

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.0_release_notes/index

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:1976

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2023:3397

Trust: 0.1

sources: VULHUB: VHN-432481 // VULMON: CVE-2022-36369 // JVNDB: JVNDB-2022-020111 // PACKETSTORM: 171987 // PACKETSTORM: 172675 // CNNVD: CNNVD-202302-1469 // NVD: CVE-2022-36369

CREDITS

Red Hat

Trust: 0.2

sources: PACKETSTORM: 171987 // PACKETSTORM: 172675

SOURCES

db:VULHUBid:VHN-432481
db:VULMONid:CVE-2022-36369
db:JVNDBid:JVNDB-2022-020111
db:PACKETSTORMid:171987
db:PACKETSTORMid:172675
db:CNNVDid:CNNVD-202302-1469
db:NVDid:CVE-2022-36369

LAST UPDATE DATE

2024-08-14T12:50:40.072000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-432481date:2023-03-07T00:00:00
db:VULMONid:CVE-2022-36369date:2023-02-17T00:00:00
db:JVNDBid:JVNDB-2022-020111date:2023-10-31T06:12:00
db:CNNVDid:CNNVD-202302-1469date:2023-06-01T00:00:00
db:NVDid:CVE-2022-36369date:2023-08-08T14:22:24.967

SOURCES RELEASE DATE

db:VULHUBid:VHN-432481date:2023-02-16T00:00:00
db:VULMONid:CVE-2022-36369date:2023-02-16T00:00:00
db:JVNDBid:JVNDB-2022-020111date:2023-10-31T00:00:00
db:PACKETSTORMid:171987date:2023-04-25T15:50:24
db:PACKETSTORMid:172675date:2023-06-01T14:39:17
db:CNNVDid:CNNVD-202302-1469date:2023-02-16T00:00:00
db:NVDid:CVE-2022-36369date:2023-02-16T21:15:13.280