CVE-2022-21499

2022-06-0920:15:28

oracle

www.cve.org

kgdb

kdb

kernel memory

lockdown

debugger

serial port

cvss 3.1

confidentiality

integrity

availability

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

Percentile

15.6%

JSON

KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CNA Affected

[
  {
    "product": "Oracle Linux",
    "vendor": "Oracle Corporation",
    "versions": [
      {
        "status": "affected",
        "version": "Oracle Linux: 6"
      },
      {
        "status": "affected",
        "version": "Oracle Linux: 7"
      },
      {
        "status": "affected",
        "version": "Oracle Linux: 8"
      }
    ]
  },
  {
    "product": "Oracle VM",
    "vendor": "Oracle Corporation",
    "versions": [
      {
        "status": "affected",
        "version": "Oracle VM: 3"
      }
    ]
  }
]