Dell has issued patches for two critical bugs in its vProxy software, as part of a wide-ranging fix for its upstream Linux operating system.
vProxy is a virtual appliance designed to protect and recover VMware virtual machines.
Since it runs on a bundled version of Linux, it inherits vulnerabilities from the upstream operating system and its utilities, and in this update, Dell announces patches for 25 of them.
Two of these, CVE-2022-29155 and CVE-2022-1586, are rated critical.
CVE-2022-29155 is an SQL injection vulnerability in OpenLDAP v2.x.
The vulnerability “exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.”
CVE-2022-1586 is an out-of-bounds read vulnerability.
It’s a “unicode property matching issue in JIT-compiled regular expressions”, within the PCRE2 library.
Another two of the bugs are rated high severity: CVE-2022-1304 and CVE-2022-1271.
The ext2, ext3 and ext4 file system utility e2fsprogs is subject to CVE-2022-1304, a segmentation fault that could lead to arbitrary code execution.
CVE-2022-1271 is a bug in zgrep, a GNU utility that allows string searches on compressed files.
“When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file,” the zgrep advisory stated.
“This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.”
The Dell update includes patches for 16 kernel firmware bugs of lower impact, along with fixes for curl, Jenkins, and libxml2.