An update for edk2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1358
Final
1.0
1.0
2021-09-30
Initial
2021-09-30
2021-09-30
openEuler SA Tool V1.0
2021-09-30
edk2 security update
An update for edk2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.
EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.
Security Fix(es):
A flaw was found in edk2. Missing checks in the IScsiHexToBin function in NetworkPkg/IScsiDxe lead to a buffer overflow allowing a remote attacker, who can inject himself in the communication between edk2 and the iSCSI target, to write arbitrary data to any address in the edk2 firmware and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-38575)
An update for edk2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
edk2
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1358
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-38575
https://nvd.nist.gov/vuln/detail/CVE-2021-38575
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
edk2-devel-202002-6.oe1.aarch64.rpm
edk2-debugsource-202002-6.oe1.aarch64.rpm
edk2-debuginfo-202002-6.oe1.aarch64.rpm
edk2-debugsource-202002-6.oe1.aarch64.rpm
edk2-devel-202002-6.oe1.aarch64.rpm
edk2-debuginfo-202002-6.oe1.aarch64.rpm
python3-edk2-devel-202002-6.oe1.noarch.rpm
edk2-help-202002-6.oe1.noarch.rpm
edk2-aarch64-202002-6.oe1.noarch.rpm
edk2-ovmf-202002-6.oe1.noarch.rpm
python3-edk2-devel-202002-6.oe1.noarch.rpm
edk2-help-202002-6.oe1.noarch.rpm
edk2-aarch64-202002-6.oe1.noarch.rpm
edk2-ovmf-202002-6.oe1.noarch.rpm
edk2-202002-6.oe1.src.rpm
edk2-202002-6.oe1.src.rpm
edk2-devel-202002-6.oe1.x86_64.rpm
edk2-debugsource-202002-6.oe1.x86_64.rpm
edk2-debuginfo-202002-6.oe1.x86_64.rpm
edk2-debuginfo-202002-6.oe1.x86_64.rpm
edk2-devel-202002-6.oe1.x86_64.rpm
edk2-debugsource-202002-6.oe1.x86_64.rpm
A flaw was found in edk2. Missing checks in the IScsiHexToBin function in NetworkPkg/IScsiDxe lead to a buffer overflow allowing a remote attacker, who can inject himself in the communication between edk2 and the iSCSI target, to write arbitrary data to any address in the edk2 firmware and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
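As an added illustration, not edk2's own code, the following decoder shows the class of check whose absence in IScsiHexToBin the advisory describes: hexadecimal text received from the peer (here a constructed string) is converted into a binary buffer only after the caller's buffer capacity and the input's well-formedness have been verified. Function and error-code names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { HEX_OK = 0, HEX_INVALID = 1, HEX_TOO_SMALL = 2 } hex_status;

/* Map one ASCII hex digit to its value, or -1 if it is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode a "0x"-prefixed or bare hex string into out[].
 * On entry *out_len is the capacity of out[]; on success it is set to the
 * number of bytes written. Nothing is written unless the whole input fits,
 * so untrusted input length can never drive writes past the buffer.
 */
hex_status hex_to_bin_checked(const char *hex, uint8_t *out, size_t *out_len)
{
    size_t n = strlen(hex);

    if (n >= 2 && hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X')) {
        hex += 2;
        n -= 2;
    }
    /* Reject empty or odd-length strings instead of guessing a padding rule. */
    if (n == 0 || (n & 1) != 0)
        return HEX_INVALID;

    size_t need = n / 2;
    /* The bounds check: required output size against caller's capacity. */
    if (need > *out_len)
        return HEX_TOO_SMALL;

    for (size_t i = 0; i < need; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return HEX_INVALID;          /* non-hex character in input */
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    *out_len = need;
    return HEX_OK;
}
```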
2021-09-30
CVE-2021-38575
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2
High
8.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
edk2 security update
2021-09-30
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1358