{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"microcode_ctl security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for microcode_ctl is now available for openEuler-24.03-LTS.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"This is a tool to transform and deploy microcode update for x86 CPUs.\n\nSecurity Fix(es):\n\nProtection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-22655)\n\nInformation exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2023-28746)\n\nNon-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2023-38575)\n\nProtection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access.(CVE-2023-39368)\n\nIncorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access.(CVE-2023-43490)\n\nHardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.(CVE-2023-45733)\n\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-45745)\n\nSequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access.(CVE-2023-46103)\n\nImproper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-47855)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for microcode_ctl is now available for openEuler-24.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"microcode_ctl",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2024-1732",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
			},
			{
				"summary":"CVE-2023-22655",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-22655&packageName=microcode_ctl"
			},
			{
				"summary":"CVE-2023-28746",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-28746&packageName=microcode_ctl"
			},
			{
				"summary":"CVE-2023-38575",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-38575&packageName=microcode_ctl"
			},
			{
				"summary":"CVE-2023-39368",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-39368&packageName=microcode_ctl"
			},
			{
				"summary":"CVE-2023-43490",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-43490&packageName=microcode_ctl"
			},
			{
				"summary":"CVE-2023-45733",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-45733&packageName=microcode_ctl"
			},
			{
				"summary":"CVE-2023-45745",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-45745&packageName=microcode_ctl"
			},
			{
				"summary":"CVE-2023-46103",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-46103&packageName=microcode_ctl"
			},
			{
				"summary":"CVE-2023-47855",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-47855&packageName=microcode_ctl"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22655"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28746"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38575"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39368"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43490"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45733"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45745"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46103"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-47855"
			},
			{
				"summary":"openEuler-SA-2024-1732 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-1732.json"
			}
		],
		"title":"An update for microcode_ctl is now available for openEuler-24.03-LTS",
		"tracking":{
			"initial_release_date":"2024-06-14T09:20:15+08:00",
			"revision_history":[
				{
					"date":"2024-06-14T09:20:15+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:20:15+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:20:15+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:20:15+08:00",
			"id":"openEuler-SA-2024-1732",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"openEuler-24.03-LTS",
									"name":"openEuler-24.03-LTS"
								},
								"name":"openEuler-24.03-LTS",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"microcode_ctl-20240531-1.oe2403.src.rpm",
									"name":"microcode_ctl-20240531-1.oe2403.src.rpm"
								},
								"name":"microcode_ctl-20240531-1.oe2403.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"microcode_ctl-20240531-1.oe2403.x86_64.rpm",
									"name":"microcode_ctl-20240531-1.oe2403.x86_64.rpm"
								},
								"name":"microcode_ctl-20240531-1.oe2403.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"microcode_ctl-20240531-1.oe2403.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"name":"microcode_ctl-20240531-1.oe2403.src as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"microcode_ctl-20240531-1.oe2403.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64",
					"name":"microcode_ctl-20240531-1.oe2403.x86_64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2023-22655",
			"notes":[
				{
					"text":"Protection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.1,
						"vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2023-22655"
		},
		{
			"cve":"CVE-2023-28746",
			"notes":[
				{
					"text":"Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.5,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2023-28746"
		},
		{
			"cve":"CVE-2023-38575",
			"notes":[
				{
					"text":"Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.5,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2023-38575"
		},
		{
			"cve":"CVE-2023-39368",
			"notes":[
				{
					"text":"Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2023-39368"
		},
		{
			"cve":"CVE-2023-43490",
			"notes":[
				{
					"text":"Incorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.3,
						"vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2023-43490"
		},
		{
			"cve":"CVE-2023-45733",
			"notes":[
				{
					"text":"Hardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"LOW",
						"baseScore":2.8,
						"vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Low",
					"category":"impact"
				}
			],
			"title":"CVE-2023-45733"
		},
		{
			"cve":"CVE-2023-45745",
			"notes":[
				{
					"text":"Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.9,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2023-45745"
		},
		{
			"cve":"CVE-2023-46103",
			"notes":[
				{
					"text":"Sequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":4.7,
						"vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2023-46103"
		},
		{
			"cve":"CVE-2023-47855",
			"notes":[
				{
					"text":"Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
					"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					],
					"details":"microcode_ctl security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1732"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.0,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.src",
						"openEuler-24.03-LTS:microcode_ctl-20240531-1.oe2403.x86_64"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2023-47855"
		}
	]
}