{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"arm-trusted-firmware security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for arm-trusted-firmware is now available for openEuler-24.03-LTS",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Trusted Firmware-A is a reference implementation of secure world software for Arm A-Profile architectures (Armv8-A and Armv7-A), including an Exception Level 3 (EL3) Secure Monitor.\n\nSecurity Fix(es):\n\nIncorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code.\n\n\nWhen checking whether a new image invades/overlaps with a previously loaded image the code neglects to consider a few cases. that could An attacker to bypass memory range restriction and overwrite an already loaded image partly or completely, which could result in code execution and bypass of secure boot.(CVE-2024-6287)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for arm-trusted-firmware is now available for openEuler-22.03-LTS-SP1/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"arm-trusted-firmware",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2024-2544",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2544"
			},
			{
				"summary":"CVE-2024-6287",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6287&packageName=arm-trusted-firmware"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-6287"
			},
			{
				"summary":"openEuler-SA-2024-2544 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-2544.json"
			}
		],
		"title":"An update for arm-trusted-firmware is now available for openEuler-24.03-LTS",
		"tracking":{
			"initial_release_date":"2024-12-13T21:17:42+08:00",
			"revision_history":[
				{
					"date":"2024-12-13T21:17:42+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2024-12-13T21:17:42+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-12-13T21:17:42+08:00",
			"id":"openEuler-SA-2024-2544",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"openEuler-24.03-LTS",
									"name":"openEuler-24.03-LTS"
								},
								"name":"openEuler-24.03-LTS",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"arm-trusted-firmware-2.9-4.oe2403.src.rpm",
									"name":"arm-trusted-firmware-2.9-4.oe2403.src.rpm"
								},
								"name":"arm-trusted-firmware-2.9-4.oe2403.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64.rpm",
									"name":"arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64.rpm"
								},
								"name":"arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"arm-trusted-firmware-2.9-4.oe2403.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:arm-trusted-firmware-2.9-4.oe2403.src",
					"name":"arm-trusted-firmware-2.9-4.oe2403.src as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64",
					"name":"arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64 as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2024-6287",
			"notes":[
				{
					"text":"Incorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code.\n\n\nWhen checking whether a new image invades/overlaps with a previously loaded image the code neglects to consider a few cases. that could An attacker to bypass memory range restriction and overwrite an already loaded image partly or completely, which could result in code execution and bypass of secure boot.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:arm-trusted-firmware-2.9-4.oe2403.src",
					"openEuler-24.03-LTS:arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:arm-trusted-firmware-2.9-4.oe2403.src",
						"openEuler-24.03-LTS:arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64"
					],
					"details":"arm-trusted-firmware security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2544"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.8,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:arm-trusted-firmware-2.9-4.oe2403.src",
						"openEuler-24.03-LTS:arm-trusted-firmware-armv8-2.9-4.oe2403.aarch64"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2024-6287"
		}
	]
}