{"id":"USN-7060-1","summary":"edk2 vulnerabilities","details":"It was discovered that EDK II did not check the buffer length in XHCI, \nwhich could lead to a stack overflow. A local attacker could potentially\nuse this issue to cause a denial of service. This issue only affected \nUbuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-0161)\n\nLaszlo Ersek discovered that EDK II incorrectly handled recursion. A\nremote attacker could possibly use this issue to cause EDK II to consume\nresources, leading to a denial of service. This issue only affected \nUbuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2021-28210)\n\nSatoshi Tanda discovered that EDK II incorrectly handled decompressing\ncertain images. A remote attacker could use this issue to cause EDK II to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.\n(CVE-2021-28211)\n\nIt was discovered that EDK II incorrectly decoded certain strings. A remote\nattacker could use this issue to cause EDK II to crash, resulting in a\ndenial of service, or possibly execute arbitrary code. This issue only \naffected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2021-38575)\n\nIt was discovered that EDK II had integer underflow vulnerability in \nSmmEntryPoint, which could result in a buffer overflow. An attacker\ncould potentially use this issue to cause a denial of service.\n(CVE-2021-38578)\n\nElison Niven discovered that OpenSSL, vendored in EDK II, incorrectly \nhandled the c_rehash script. A local attacker could possibly use this \nissue to execute arbitrary commands when c_rehash is run. This issue \nonly affected Ubuntu 16.04 LTS. (CVE-2022-1292)\n","modified":"2026-04-27T17:47:18.408757518Z","published":"2024-10-10T03:41:37Z","related":["UBUNTU-CVE-2019-0161","UBUNTU-CVE-2021-28210","UBUNTU-CVE-2021-28211","UBUNTU-CVE-2021-38575","UBUNTU-CVE-2021-38578","UBUNTU-CVE-2022-1292"],"upstream":["CVE-2019-0161","CVE-2021-28210","CVE-2021-28211","CVE-2021-38575","CVE-2021-38578","CVE-2022-1292","UBUNTU-CVE-2019-0161","UBUNTU-CVE-2021-28210","UBUNTU-CVE-2021-28211","UBUNTU-CVE-2021-38575","UBUNTU-CVE-2021-38578","UBUNTU-CVE-2022-1292"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7060-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-0161"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-28210"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-28211"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-38575"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-38578"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-1292"}],"affected":[{"package":{"name":"edk2","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/edk2@0~20160408.ffea0a2c-2ubuntu0.2+esm3?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0~20160408.ffea0a2c-2ubuntu0.2+esm3"}]}],"versions":["0~20150106.5c2d456b-2","0~20160104.c2a892d7-1","0~20160408.ffea0a2c-2","0~20160408.ffea0a2c-2ubuntu0.1","0~20160408.ffea0a2c-2ubuntu0.2","0~20160408.ffea0a2c-2ubuntu0.2+esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"0~20160408.ffea0a2c-2ubuntu0.2+esm3","binary_name":"ovmf"},{"binary_version":"0~20160408.ffea0a2c-2ubuntu0.2+esm3","binary_name":"qemu-efi"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7060-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-0161"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-28210"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-28211"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-38575"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-38578"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-1292"}]}}},{"package":{"name":"edk2","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/edk2@0~20180205.c0d9813c-2ubuntu0.3+esm2?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0~20180205.c0d9813c-2ubuntu0.3+esm2"}]}],"versions":["0~20170911.5dfba97c-1","0~20171010.234dbcef-1","0~20171027.76fd5a66-1","0~20171205.a9212288-1","0~20180105.0bc94c74-1","0~20180205.c0d9813c-1","0~20180205.c0d9813c-2","0~20180205.c0d9813c-2ubuntu0.1","0~20180205.c0d9813c-2ubuntu0.2","0~20180205.c0d9813c-2ubuntu0.3","0~20180205.c0d9813c-2ubuntu0.3+esm1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"0~20180205.c0d9813c-2ubuntu0.3+esm2","binary_name":"ovmf"},{"binary_version":"0~20180205.c0d9813c-2ubuntu0.3+esm2","binary_name":"qemu-efi"},{"binary_version":"0~20180205.c0d9813c-2ubuntu0.3+esm2","binary_name":"qemu-efi-aarch64"},{"binary_version":"0~20180205.c0d9813c-2ubuntu0.3+esm2","binary_name":"qemu-efi-arm"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7060-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-0161"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-28210"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-28211"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-38575"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-38578"}]}}},{"package":{"name":"edk2","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/edk2@0~20191122.bd85bf54-2ubuntu3.6?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0~20191122.bd85bf54-2ubuntu3.6"}]}],"versions":["0~20190606.20d2e5a1-2ubuntu1","0~20190828.37eef910-3","0~20190828.37eef910-4","0~20191122.bd85bf54-1","0~20191122.bd85bf54-1ubuntu1","0~20191122.bd85bf54-2","0~20191122.bd85bf54-2ubuntu1","0~20191122.bd85bf54-2ubuntu2","0~20191122.bd85bf54-2ubuntu3","0~20191122.bd85bf54-2ubuntu3.1","0~20191122.bd85bf54-2ubuntu3.2","0~20191122.bd85bf54-2ubuntu3.3","0~20191122.bd85bf54-2ubuntu3.4","0~20191122.bd85bf54-2ubuntu3.5"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"0~20191122.bd85bf54-2ubuntu3.6","binary_name":"ovmf"},{"binary_version":"0~20191122.bd85bf54-2ubuntu3.6","binary_name":"qemu-efi"},{"binary_version":"0~20191122.bd85bf54-2ubuntu3.6","binary_name":"qemu-efi-aarch64"},{"binary_version":"0~20191122.bd85bf54-2ubuntu3.6","binary_name":"qemu-efi-arm"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7060-1.json","cves_map":{"ecosystem":"Ubuntu:20.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-38578"}]}}},{"package":{"name":"edk2","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/edk2@2022.02-3ubuntu0.22.04.3?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2022.02-3ubuntu0.22.04.3"}]}],"versions":["2021.08~rc0-2","2021.08-3","2021.11~rc1-1","2021.11-1","2021.11-2","2022.02~rc1-1","2022.02~rc1-1ubuntu1","2022.02-1","2022.02-2","2022.02-3","2022.02-3ubuntu0.22.04.1","2022.02-3ubuntu0.22.04.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"2022.02-3ubuntu0.22.04.3","binary_name":"ovmf"},{"binary_version":"2022.02-3ubuntu0.22.04.3","binary_name":"ovmf-ia32"},{"binary_version":"2022.02-3ubuntu0.22.04.3","binary_name":"qemu-efi"},{"binary_version":"2022.02-3ubuntu0.22.04.3","binary_name":"qemu-efi-aarch64"},{"binary_version":"2022.02-3ubuntu0.22.04.3","binary_name":"qemu-efi-arm"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7060-1.json","cves_map":{"ecosystem":"Ubuntu:22.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2021-38578"}]}}}],"schema_version":"1.7.5"}