{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"pesign security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for pesign is now available for openEuler-22.03-LTS-SP1.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.\n\nSecurity Fix(es):\n\nA flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.(CVE-2022-3560)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for pesign is now available for openEuler-22.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"pesign",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2023-1159",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1159"
			},
			{
				"summary":"CVE-2022-3560",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-3560&packageName=pesign"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3560"
			},
			{
				"summary":"openEuler-SA-2023-1159 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2023/csaf-openeuler-sa-2023-1159.json"
			}
		],
		"title":"An update for pesign is now available for openEuler-22.03-LTS-SP1",
		"tracking":{
			"initial_release_date":"2023-03-17T14:16:27+08:00",
			"revision_history":[
				{
					"date":"2023-03-17T14:16:27+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T14:16:27+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T14:16:27+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T14:16:27+08:00",
			"id":"openEuler-SA-2023-1159",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"openEuler-22.03-LTS-SP1",
									"name":"openEuler-22.03-LTS-SP1"
								},
								"name":"openEuler-22.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-debugsource-115-4.oe2203sp1.aarch64.rpm",
									"name":"pesign-debugsource-115-4.oe2203sp1.aarch64.rpm"
								},
								"name":"pesign-debugsource-115-4.oe2203sp1.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-help-115-4.oe2203sp1.aarch64.rpm",
									"name":"pesign-help-115-4.oe2203sp1.aarch64.rpm"
								},
								"name":"pesign-help-115-4.oe2203sp1.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-115-4.oe2203sp1.aarch64.rpm",
									"name":"pesign-115-4.oe2203sp1.aarch64.rpm"
								},
								"name":"pesign-115-4.oe2203sp1.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-debuginfo-115-4.oe2203sp1.aarch64.rpm",
									"name":"pesign-debuginfo-115-4.oe2203sp1.aarch64.rpm"
								},
								"name":"pesign-debuginfo-115-4.oe2203sp1.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-115-4.oe2203sp1.src.rpm",
									"name":"pesign-115-4.oe2203sp1.src.rpm"
								},
								"name":"pesign-115-4.oe2203sp1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-debuginfo-115-4.oe2203sp1.x86_64.rpm",
									"name":"pesign-debuginfo-115-4.oe2203sp1.x86_64.rpm"
								},
								"name":"pesign-debuginfo-115-4.oe2203sp1.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-debugsource-115-4.oe2203sp1.x86_64.rpm",
									"name":"pesign-debugsource-115-4.oe2203sp1.x86_64.rpm"
								},
								"name":"pesign-debugsource-115-4.oe2203sp1.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-115-4.oe2203sp1.x86_64.rpm",
									"name":"pesign-115-4.oe2203sp1.x86_64.rpm"
								},
								"name":"pesign-115-4.oe2203sp1.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1"
									},
									"product_id":"pesign-help-115-4.oe2203sp1.x86_64.rpm",
									"name":"pesign-help-115-4.oe2203sp1.x86_64.rpm"
								},
								"name":"pesign-help-115-4.oe2203sp1.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-debugsource-115-4.oe2203sp1.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-debugsource-115-4.oe2203sp1.aarch64",
					"name":"pesign-debugsource-115-4.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-help-115-4.oe2203sp1.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-help-115-4.oe2203sp1.aarch64",
					"name":"pesign-help-115-4.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-115-4.oe2203sp1.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.aarch64",
					"name":"pesign-115-4.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-debuginfo-115-4.oe2203sp1.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-debuginfo-115-4.oe2203sp1.aarch64",
					"name":"pesign-debuginfo-115-4.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-115-4.oe2203sp1.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.src",
					"name":"pesign-115-4.oe2203sp1.src as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-debuginfo-115-4.oe2203sp1.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-debuginfo-115-4.oe2203sp1.x86_64",
					"name":"pesign-debuginfo-115-4.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-debugsource-115-4.oe2203sp1.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-debugsource-115-4.oe2203sp1.x86_64",
					"name":"pesign-debugsource-115-4.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-115-4.oe2203sp1.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.x86_64",
					"name":"pesign-115-4.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP1",
				"product_reference":"pesign-help-115-4.oe2203sp1.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP1:pesign-help-115-4.oe2203sp1.x86_64",
					"name":"pesign-help-115-4.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2022-3560",
			"notes":[
				{
					"text":"A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP1:pesign-debugsource-115-4.oe2203sp1.aarch64",
					"openEuler-22.03-LTS-SP1:pesign-help-115-4.oe2203sp1.aarch64",
					"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.aarch64",
					"openEuler-22.03-LTS-SP1:pesign-debuginfo-115-4.oe2203sp1.aarch64",
					"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.src",
					"openEuler-22.03-LTS-SP1:pesign-debuginfo-115-4.oe2203sp1.x86_64",
					"openEuler-22.03-LTS-SP1:pesign-debugsource-115-4.oe2203sp1.x86_64",
					"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.x86_64",
					"openEuler-22.03-LTS-SP1:pesign-help-115-4.oe2203sp1.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP1:pesign-debugsource-115-4.oe2203sp1.aarch64",
						"openEuler-22.03-LTS-SP1:pesign-help-115-4.oe2203sp1.aarch64",
						"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.aarch64",
						"openEuler-22.03-LTS-SP1:pesign-debuginfo-115-4.oe2203sp1.aarch64",
						"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.src",
						"openEuler-22.03-LTS-SP1:pesign-debuginfo-115-4.oe2203sp1.x86_64",
						"openEuler-22.03-LTS-SP1:pesign-debugsource-115-4.oe2203sp1.x86_64",
						"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.x86_64",
						"openEuler-22.03-LTS-SP1:pesign-help-115-4.oe2203sp1.x86_64"
					],
					"details":"pesign security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1159"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.5,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP1:pesign-debugsource-115-4.oe2203sp1.aarch64",
						"openEuler-22.03-LTS-SP1:pesign-help-115-4.oe2203sp1.aarch64",
						"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.aarch64",
						"openEuler-22.03-LTS-SP1:pesign-debuginfo-115-4.oe2203sp1.aarch64",
						"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.src",
						"openEuler-22.03-LTS-SP1:pesign-debuginfo-115-4.oe2203sp1.x86_64",
						"openEuler-22.03-LTS-SP1:pesign-debugsource-115-4.oe2203sp1.x86_64",
						"openEuler-22.03-LTS-SP1:pesign-115-4.oe2203sp1.x86_64",
						"openEuler-22.03-LTS-SP1:pesign-help-115-4.oe2203sp1.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2022-3560"
		}
	]
}