Vulnerability Description
In the Linux kernel, if IMA appraisal is used with the "ima_appraise=log" boot parameter, lockdown can be defeated with kexec on any machine where Secure Boot is disabled or unavailable. IMA refuses to set "ima_appraise=log" from the boot parameter when Secure Boot is enabled, but that check does not cover the case where lockdown is used without Secure Boot. CVSS 3.1 base score 6.7 (high Confidentiality, Integrity and Availability impact, per the vector). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Linux | 7 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/linus/543ce63b664e2c2f9533d089a4664b559c3e6b5b (Broken Link)
- https://linux.oracle.com/cve/CVE-2022-21505.html (Vendor Advisory)
FAQ
What is CVE-2022-21505?
CVE-2022-21505 is a Linux kernel vulnerability with a CVSS score of 6.7 (MEDIUM): when IMA appraisal is used with the "ima_appraise=log" boot parameter, lockdown can be defeated with kexec on any machine where Secure Boot is disabled or unavailable, because IMA only blocks that setting when Secure Boot is enabled.
How severe is CVE-2022-21505?
CVE-2022-21505 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-21505?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle Linux.