Rewterz Threat Advisory – Multiple Apache ShenYu and Karaf Vulnerabilities
January 27, 2022Rewterz Threat Advisory – Multiple Oracle Zero-Day Vulnerabilities
January 27, 2022Rewterz Threat Advisory – Multiple Apache ShenYu and Karaf Vulnerabilities
January 27, 2022Rewterz Threat Advisory – Multiple Oracle Zero-Day Vulnerabilities
January 27, 2022Severity
High
Analysis Summary
CVE-2022-22590
Apple watchOS could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the WebKit component. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVE-2022-22594
Apple watchOS could allow a remote attacker to obtain sensitive information, caused by a cross-origin issue in the IndexDB API in the WebKit component. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to obtain sensitive information.
CVE-2022-22593
Apple watchOS is vulnerable to a buffer overflow, caused by improper bounds checking by the Kernel component. By using a specially crafted application, an attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with kernel privileges.
CVE-2022-22592
Apple watchOS could allow a remote attacker to bypass security restrictions, caused by a logic issue in the WebKit component. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to prevent Content Security Policy from being enforced.
CVE-2022-22589
Apple watchOS could allow a remote attacker to execute arbitrary code on the system, caused by a validation issue in the WebKit component. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVE-2022-22585
Apple watchOS could allow a local attacker to obtain sensitive information, caused by an issue within the path validation logic for symlinks in the iCloud component. By using a specially-crafted application, an attacker could exploit this vulnerability to access a user’s files.
CVE-2022-22579
Apple tvOS could allow a remote attacker to execute arbitrary code on the system, caused by an information disclosure issue in the Model I/O component. By persuading a victim to open a specially crafted STL file, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVE-2022-22587
Apple iOS and iPadOS could allow a local attacker to gain elevated privileges on the system, caused by a memory corruption issue in the IOMobileFrameBuffer component. By using a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code with kernel privileges.
CVE-2022-22591
Apple macOS Monterey could allow a local attacker to gain elevated privileges on the system, caused by a memory corruption issue in the Intel Graphics Driver component. By using a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code with kernel privileges.
CVE-2022-22586
Apple macOS Monterey could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds write issue in the AMD Kernel component. By using a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code with kernel privileges.
CVE-2022-22583
Apple macOS Monterey could allow a local attacker to obtain sensitive information, caused by a permissions issue in the PackageKit component. By using a specially-crafted application, an attacker could exploit this vulnerability to access restricted files.
CVE-2021-30972
Apple macOS Catalina could allow a local attacker to bypass security restrictions, caused by an issue in the TCC component. By using a specially-crafted application, an attacker could exploit this vulnerability to bypass certain Privacy preferences.
Impact
- Code Execution
- Information Disclosure
- Buffer Overflow
- Privilege Escalation
Affected Vendors
- Apple
- Apple iOS
- Apple iPadOS
Affected Products
- Apple watchOS 8.3
- Apple Safari 15.2
- Apple tvOS 15.1
- Apple tvOS 15.2
- Apple iPadOS 15.2
- Apple iOS 15.2
- Apple macOS Monterey 12.1
- Apple macOS Catalina
- Apple macOS Big Sur 11.6.2
Remediation
Refer to Apple security advisory for patch, upgrade, or suggested workaround information.
CVE-2022-22590
CVE-2022-22594
CVE-2022-22593
CVE-2022-22592
CVE-2022-22589
CVE-2022-22585
CVE-2022-22579
CVE-2022-22587
CVE-2022-22591
CVE-2022-22586
CVE-2022-22583
CVE-2021-30972