CRITICAL · 9.8

CVE-2022-23219

Vulnerability Description

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

CVSS Score

9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor | Product | Versions
Gnu | Glibc | < 2.31
Oracle | Communications Cloud Native Core Binding Support Function | 22.1.3
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0
Oracle | Communications Cloud Native Core Network Repository Function | 22.1.2
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.1
Oracle | Communications Cloud Native Core Unified Data Repository | 22.2.0
Oracle | Enterprise Operations Monitor | 4.3
Debian | Debian Linux | 10.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-23219?

CVE-2022-23219 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may ...

How severe is CVE-2022-23219?

CVE-2022-23219 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-23219?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Glibc, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Communications Cloud Native Core Network Repository Function, Oracle Communications Cloud Native Core Security Edge Protection Proxy.