Bug 2118714 (CVE-2022-31676) - CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual machine
Summary: CVE-2022-31676 open-vm-tools: local root privilege escalation in the virtual ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-31676
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2119281 2119282 2119283 2119284 2119285 2119286 2119310 2119311 2120976
Blocks: 2118716
TreeView+ depends on / blocked
 
Reported: 2022-08-16 14:05 UTC by Marian Rehak
Modified: 2023-04-26 22:07 UTC (History)
31 users (show)

Fixed In Version: open-vm-tools 12.1.0
Clone Of:
Environment:
Last Closed: 2022-09-29 10:29:16 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6354 0 None None None 2022-09-06 14:36:04 UTC
Red Hat Product Errata RHSA-2022:6355 0 None None None 2022-09-06 14:38:34 UTC
Red Hat Product Errata RHSA-2022:6356 0 None None None 2022-09-06 15:18:27 UTC
Red Hat Product Errata RHSA-2022:6357 0 None None None 2022-09-06 14:46:22 UTC
Red Hat Product Errata RHSA-2022:6358 0 None None None 2022-09-06 14:38:51 UTC
Red Hat Product Errata RHSA-2022:6381 0 None None None 2022-09-07 13:32:12 UTC

Description Marian Rehak 2022-08-16 14:05:08 UTC 
A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine.
Comment 1 juneau 2022-08-16 17:06:47 UTC 
marking OSD affected/fix for _presence_ of code, although these services do not _use_ said code
Comment 10 Marian Rehak 2022-08-24 08:31:56 UTC 
Created open-vm-tools tracking bugs for this issue:

Affects: fedora-all [bug 2120976]
Comment 22 errata-xmlrpc 2022-09-06 14:36:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:6354 https://access.redhat.com/errata/RHSA-2022:6354
Comment 23 errata-xmlrpc 2022-09-06 14:38:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:6355 https://access.redhat.com/errata/RHSA-2022:6355
Comment 24 errata-xmlrpc 2022-09-06 14:38:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6358 https://access.redhat.com/errata/RHSA-2022:6358
Comment 25 errata-xmlrpc 2022-09-06 14:46:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6357 https://access.redhat.com/errata/RHSA-2022:6357
Comment 26 errata-xmlrpc 2022-09-06 15:18:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6356 https://access.redhat.com/errata/RHSA-2022:6356
Comment 27 Angelo Alvarez 2022-09-07 03:56:34 UTC 
Is there an ETA for the updated open-vm-tools RPM for RHEL 7?
Comment 29 Yaju Cao 2022-09-07 13:03:05 UTC 
Hi, RHEL7.9's engineering work for the fix is ready, production team is delivering the fix, I think it will be published soon, thanks for your patience!
Comment 31 errata-xmlrpc 2022-09-07 13:32:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:6381 https://access.redhat.com/errata/RHSA-2022:6381
Comment 32 Eduardo Otubo 2022-09-29 10:29:16 UTC 
All the BZs related to this bug are already all closed with their erratas (2119281 2119282 2119283 2119284 2119285 2119286 2119310 2119311 2120976)

Nothing else to do on this BZ.
If this is not correct, please reopen it.
Note You need to log in before you can comment on or make changes to this bug.