USN-6638-1

Source
https://ubuntu.com/security/notices/USN-6638-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6638-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-6638-1
Related
Published
2024-02-15T01:36:15.866512Z
Modified
2024-02-15T01:36:15.866512Z
Summary
edk2 vulnerabilities
Details

Marc Beatove discovered that buffer overflows exist in EDK2. An attacker on the local network could potentially use these to impact availability or possibly cause remote code execution. (CVE-2022-36763, CVE-2022-36764, CVE-2022-36765)

It was discovered that buffer overflows exist in EDK2's Network Package. An attacker on the local network could potentially use these to impact availability or possibly cause remote code execution. (CVE-2023-45230, CVE-2023-45234, CVE-2023-45235)

It was discovered that an out-of-bounds read exists in EDK2's Network Package. An attacker on the local network could potentially use this to impact confidentiality. (CVE-2023-45231)

It was discovered that infinite loops exist in EDK2's Network Package. An attacker on the local network could potentially use these to impact availability. (CVE-2023-45232, CVE-2023-45233)

Mate Kukri discovered that an insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. An attacker could use this to bypass Secure Boot. (CVE-2023-48733)

References

Affected packages

Ubuntu:20.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0~20191122.bd85bf54-2ubuntu3.5

Affected versions

0~20190606.*

0~20190606.20d2e5a1-2ubuntu1

0~20190828.*

0~20190828.37eef910-3
0~20190828.37eef910-4

0~20191122.*

0~20191122.bd85bf54-1
0~20191122.bd85bf54-1ubuntu1
0~20191122.bd85bf54-2
0~20191122.bd85bf54-2ubuntu1
0~20191122.bd85bf54-2ubuntu2
0~20191122.bd85bf54-2ubuntu3
0~20191122.bd85bf54-2ubuntu3.1
0~20191122.bd85bf54-2ubuntu3.2
0~20191122.bd85bf54-2ubuntu3.3
0~20191122.bd85bf54-2ubuntu3.4

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "0~20191122.bd85bf54-2ubuntu3.5",
            "binary_name": "ovmf"
        },
        {
            "binary_version": "0~20191122.bd85bf54-2ubuntu3.5",
            "binary_name": "qemu-efi"
        },
        {
            "binary_version": "0~20191122.bd85bf54-2ubuntu3.5",
            "binary_name": "qemu-efi-aarch64"
        },
        {
            "binary_version": "0~20191122.bd85bf54-2ubuntu3.5",
            "binary_name": "qemu-efi-arm"
        }
    ]
}

Ubuntu:22.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2022.02-3ubuntu0.22.04.2

Affected versions

2021.*

2021.08~rc0-2
2021.08-3
2021.11~rc1-1
2021.11-1
2021.11-2

2022.*

2022.02~rc1-1
2022.02~rc1-1ubuntu1
2022.02-1
2022.02-2
2022.02-3
2022.02-3ubuntu0.22.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2022.02-3ubuntu0.22.04.2",
            "binary_name": "ovmf"
        },
        {
            "binary_version": "2022.02-3ubuntu0.22.04.2",
            "binary_name": "ovmf-ia32"
        },
        {
            "binary_version": "2022.02-3ubuntu0.22.04.2",
            "binary_name": "qemu-efi"
        },
        {
            "binary_version": "2022.02-3ubuntu0.22.04.2",
            "binary_name": "qemu-efi-aarch64"
        },
        {
            "binary_version": "2022.02-3ubuntu0.22.04.2",
            "binary_name": "qemu-efi-arm"
        }
    ]
}

Ubuntu:23.10 / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2?arch=src?distro=mantic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2023.05-2ubuntu0.1

Affected versions

2022.*

2022.11-6

2023.*

2023.02-1
2023.02-2
2023.05-1
2023.05-2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2023.05-2ubuntu0.1",
            "binary_name": "efi-shell-aa64"
        },
        {
            "binary_version": "2023.05-2ubuntu0.1",
            "binary_name": "efi-shell-arm"
        },
        {
            "binary_version": "2023.05-2ubuntu0.1",
            "binary_name": "efi-shell-ia32"
        },
        {
            "binary_version": "2023.05-2ubuntu0.1",
            "binary_name": "efi-shell-x64"
        },
        {
            "binary_version": "2023.05-2ubuntu0.1",
            "binary_name": "ovmf"
        },
        {
            "binary_version": "2023.05-2ubuntu0.1",
            "binary_name": "ovmf-ia32"
        },
        {
            "binary_version": "2023.05-2ubuntu0.1",
            "binary_name": "qemu-efi-aarch64"
        },
        {
            "binary_version": "2023.05-2ubuntu0.1",
            "binary_name": "qemu-efi-arm"
        }
    ]
}