Pexip security bulletins

The following security bulletins are published by Pexip for issues affecting Pexip Infinity and the Pexip Connect apps.

Please contact your Pexip authorized support representative for more information about these issues. This list covers issues addressed in v28.0 and later. For issues addressed in v27.x or earlier, see our documentation for previous releases.

More information on each of the vulnerabilities is available from the NIST National Vulnerability Database: http://nvd.nist.gov/.

Pexip Infinity

Each bulletin addresses a number of vulnerabilities in the operating system software used by Pexip Infinity. The bulletins include an assessment of the issues, the impact to the Pexip Infinity platform, and resolution details.

Bulletin Description Risk Updated Impacted versions Addressed in version
CVE-2022-21712 The RedirectAgent and BrowserLikeRedirectAgent HTTP client implementations in the Twisted event-driven networking engine expose cookies and authorization headers when following cross-origin redirects. High October 2022 17.0-29.x 30.0
CVE-2022-31676 open-vm-tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine. High October 2022 21.0-29.x 30.0
CVE-2022-1043 A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges. High October 2022 27.0-29.x 30.0
CVE-2021-30560 Use after free in xsltApplyTemplates prior to libxslt 1.1.35 allows attackers to potentially exploit heap corruption via crafted XML data. High October 2022 All before 30 30.0
CVE-2019-5815 Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data. High October 2022 All before 30 30.0
CVE-2022-42959 Insufficient input validation in the signalling implementation(s) allows a malicious attacker to trigger a software abort resulting in a denial of service. High October 2022 All before 30 30.0
CVE-2022-42730 Insufficient input validation allows a malicious attacker to trigger a software abort resulting in a denial of service. High October 2022 27.0-29.x 30.0
CVE-2022-41872 Unauthenticated denial of service. High October 2022 All before 30 30.0
CVE-2022-40618 Insufficient input validation in the in-call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service. High October 2022 27.0-29.1 29.3 and 30.0
Multiple Resolved minor issues: CVE-2021-3800, CVE-2021-22924, CVE-2021-20223, CVE-2021-45868, CVE-2022-0494, CVE-2022-0854, CVE-2022-1016, CVE-2022-20153, CVE-2022-2078, CVE-2022-21499, CVE-2022-21716, CVE-2022-24801, CVE-2022-24805, CVE-2022-24806, CVE-2022-24807, CVE-2022-24808, CVE-2022-24809, CVE-2022-24810, CVE-2022-25309, CVE-2022-25310, CVE-2022-27404, CVE-27405, CVE-27406, CVE-2022-27776, CVE-2022-27782, CVE-2022-28356, CVE-2022-28614, CVE-2022-32206, CVE-2022-32208, CVE-2022-34265, CVE-2020-35525, CVE-2020-35527, CVE-2022-34903, CVE-2022-37434, CVE-2022-40674   October 2022   30.0
CVE-2021-0707 In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android kernel; Android ID: A-155756045; References: Upstream kernel. High July 2022 All before 29 29.0
CVE-2021-39698 In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android kernel; Android ID: A-185125206; References: Upstream kernel. High July 2022 All before 29 29.0
CVE-2022-1011 A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. High July 2022 All before 29 29.0
CVE-2022-1729 A use-after-free flaw was found in the Linux kernel's performance events subsystem allowing a local user to crash the system. High July 2022 13-28.x 29.0
CVE-2022-1786 A use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system. High July 2022 26-28.x 29.0
CVE-2022-27666 A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat. High July 2022 21-28.x 29.0
CVE-2022-29581 Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions. High July 2022 21-28.x 29.0
CVE-2022-29582 In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently. High July 2022 26-28.x 29.0
CVE-2022-30594 The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. High July 2022 13-28.x 29.0
CVE-2018-25032 zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. High July 2022 All before 29 29.0
CVE-2022-36434 Insufficient input validation in the Pexip Client API implementation allows an unauthenticated remote attacker to trigger a software abort leading to a denial of service. High July 2022 28.x 29.0
CVE-2022-34490 Insufficient input validation in the RTP implementation allows a malicious attacker to trigger a software abort resulting in a denial of service. High July 2022 9.0 - 28.2 29.0
CVE-2022-32956 Improper access control in the Infinity Management API allows a malicious attacker to escalate privileges when certificate based authentication is enabled. High July 2022 5.5 - 28.2 29.0
Multiple Resolved minor issues: CVE-2021-45452, CVE-2021-45868, CVE-2022-0494, CVE-2022-0850, CVE-2022-0854, CVE-2022-1012, CVE-2022-1016, CVE-2022-1055, CVE-2022-1271, CVE-2022-1353, CVE-2022-1664, CVE-2022-1972, CVE-2022-1998, CVE-2022-2068, CVE-2022-2078, CVE-2022-20153, CVE-2022-21499, CVE-2022-28614, CVE-2022-29824, CVE-2022-31813, CVE-2022-32250, CVE-2022-1292   July 2022   29.0
CVE-2022-32263 Insufficient input validation in the G.719 codec implementation allows a malicious attacker to trigger a software abort resulting in a denial of service. High June 2022 13.0 - 28.0 28.1
CVE-2022-29286 Resource mismanagement in the registrar allows an unauthenticated remote attacker to cause the system to consume excess resources and eventually terminate, resulting in a denial of service. High April 2022 27.0, 27.1, 27.2, 27.3 28.0
CVE-2022-27936 Insufficient input validation in the H.323 protocol implementation allows an unauthenticated remote attacker to trigger a software abort resulting in a denial of service. High April 2022 1 - 27.3 28.0
CVE-2022-25315 In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. Critical April 2022 1 - 27.3 28.0
CVE-2022-25314 In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. High April 2022 1 - 27.3 28.0
CVE-2022-25236 xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. Critical April 2022 1 - 27.3 28.0
CVE-2022-25235 xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. Critical April 2022 1 - 27.3 28.0
CVE-2022-23990 Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. Critical April 2022 1 - 27.3 28.0
CVE-2022-23852 Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. Critical April 2022 1 - 27.3 28.0
CVE-2022-23308 valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. High April 2022 1 - 27.3 28.0
CVE-2022-22827 storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. High April 2022 1 - 27.3 28.0
CVE-2022-22826 nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. High April 2022 1 - 27.3 28.0
CVE-2022-22825 lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. High April 2022 1 - 27.3 28.0
CVE-2022-22824 defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Critical April 2022 1 - 27.3 28.0
CVE-2022-22823 build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Critical April 2022 1 - 27.3 28.0
CVE-2022-22822 addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. Critical April 2022 1 - 27.3 28.0
CVE-2022-0847 A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. High April 2022 1 - 27.3 28.0
CVE-2022-0492 A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly. High April 2022 1 - 27.3 28.0
CVE-2021-46143 In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. High April 2022 1 - 27.3 28.0
CVE-2021-45960 In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). High April 2022 1 - 27.3 28.0
CVE-2021-45485 In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses. High April 2022 1 - 27.3 28.0
CVE-2021-22600 A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading kernel past the affected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755. High April 2022 1 - 27.3 28.0
CVE-2021-4154 A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system. High April 2022 1 - 27.3 28.0
CVE-2021-4083 A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4. High April 2022 1 - 27.3 28.0
CVE-2018-25032 zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. High April 2022 1 - 27.3 28.0
Multiple Resolved minor issues: CVE-2019-15165, CVE-2019-20807, CVE-2021-3770, CVE-2021-3778, CVE-2021-3796, CVE-2021-3997, CVE-2021-4001, CVE-2021-4203, CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066, CVE-2021-41817, CVE-2021-41819, CVE-2021-45402, CVE-2021-45486, CVE-2022-0286, CVE-2022-0617, CVE-2022-0644, CVE-2022-22816, CVE-2022-25313, CVE-2022-25636   April 2022   28.0
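
To triage a deployment against the table above, the following sketch (an added example, not Pexip code) parses the "Impacted versions" notations used on this page and reports which bulletins apply to an installed version. The function names are hypothetical, and the code assumes versions are compared as major.minor, that "N.x" means any minor release of N, and that ranges are inclusive; the sample rows are copied from the table.

```python
import re

ANY_MINOR = float("inf")  # stands for the "x" in notations such as "29.x"

# Rows copied from the table above: (bulletin, impacted versions, addressed in).
BULLETINS = [
    ("CVE-2022-21712", "17.0-29.x", "30.0"),
    ("CVE-2022-1043", "27.0-29.x", "30.0"),
    ("CVE-2021-30560", "All before 30", "30.0"),
    ("CVE-2022-40618", "27.0-29.1", "29.3 and 30.0"),
    ("CVE-2022-1729", "13-28.x", "29.0"),
    ("CVE-2022-36434", "28.x", "29.0"),
    ("CVE-2022-34490", "9.0 - 28.2", "29.0"),
    ("CVE-2022-29286", "27.0, 27.1, 27.2, 27.3", "28.0"),
    ("CVE-2022-27936", "1 - 27.3", "28.0"),
]


def parse_version(text):
    """'28.1' -> (28, 1); 'v30' -> (30, 0). Only major.minor is used (assumption)."""
    parts = text.strip().lstrip("vV").split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def _bound(text, upper):
    """One end of a range as a (major, minor) tuple.

    A bare major or 'N.x' becomes minor 0 as a lower bound and
    'any minor' as an upper bound.
    """
    major, _, minor = text.strip().lstrip("vV").partition(".")
    if minor in ("", "x", "X"):
        return (int(major), ANY_MINOR if upper else 0)
    return (int(major), int(minor))


def is_affected(installed, spec):
    """True if `installed` falls inside one 'Impacted versions' cell."""
    version = parse_version(installed)
    spec = spec.strip().rstrip(".")  # tolerate a trailing full stop
    before = re.fullmatch(r"(?i)all before v?([\d.]+)", spec)
    if before:
        # "All before 30" is an exclusive upper bound.
        return version < _bound(before.group(1), upper=False)
    # Otherwise: a comma-separated list of single versions or low-high ranges.
    for item in spec.split(","):
        low, dash, high = item.partition("-")
        if not dash:
            high = low  # single entry such as "28.x" or "27.1"
        if _bound(low, upper=False) <= version <= _bound(high, upper=True):
            return True
    return False


def applicable(installed, bulletins=BULLETINS):
    """Return [(bulletin, addressed_in)] for every row that covers `installed`."""
    return [(cve, fixed) for cve, spec, fixed in bulletins
            if is_affected(installed, spec)]


if __name__ == "__main__":
    for release in ("27.2", "28.1", "29.3", "30.0"):
        hits = applicable(release)
        print(release, "->", ", ".join(cve for cve, _ in hits) or "none listed")
```
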

CVE-2022-21712: The RedirectAgent and BrowserLikeRedirectAgent HTTP client implementations in the Twisted event-driven networking engine expose cookies and authorization headers when following cross-origin redirects

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 17-29.x

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Mitigation: This functionality is only used when interfacing with trusted third-party services, none of which currently use cross-origin redirects; therefore no exploit path currently exists.

Resolution: Upgrade to Pexip Infinity 30.0

CVE-2022-31676: open-vm-tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 21-29.x

CVSS3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 30.0

CVE-2022-1043: A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 27-29.x

CVSS3.1 base score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 30.0

CVE-2021-30560: Use after free in xsltApplyTemplates prior to libxslt 1.1.35 allows attackers to potentially exploit heap corruption via crafted XML data

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: all before v30

CVSS3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: Infinity versions before 27 do not expose this component to untrusted input and are thus not directly impacted by this issue (although it is still present in the versions of the component contained in pre-27 Infinity releases). Infinity versions from 27 up to 30 do process untrusted input using the affected component as part of the Single Sign-On functionality. Administrators should ensure that only trusted Identity Providers are configured.

Resolution: Upgrade to Pexip Infinity 30.0

CVE-2019-5815: Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: all before v30

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: No exploit paths exist in Infinity versions before 27 as this component is not exposed to untrusted input. Exploits in Infinity versions 27 through 29 require a malicious Identity Provider to be used for the Single Sign-On participant authentication functionality.

Resolution: Upgrade to Pexip Infinity 30.0

CVE-2022-42959: Insufficient input validation in the signalling implementation(s) allows a malicious attacker to trigger a software abort resulting in a denial of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 1-29.x

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 30.0

CVE-2022-42730: Insufficient input validation allows a malicious attacker to trigger a software abort resulting in a denial of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 27.0-29.x

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Configure a global maximum call bandwidth (via Platform > Global settings > Service configuration)

Resolution: Upgrade to Pexip Infinity 30.0

CVE-2022-41872: Unauthenticated denial of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: all before v30

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 30.0

CVE-2022-40618: Insufficient input validation in the in-call setup implementation allows an unauthenticated remote attacker to cause a software abort leading to a temporary loss of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 27.0 - 29.1

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 29.3 or Pexip Infinity 30.0

CVE-2021-0707: In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android kernel; Android ID: A-155756045; References: Upstream kernel

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 29

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2021-39698: In aio_poll_complete_work of aio.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android kernel; Android ID: A-185125206; References: Upstream kernel

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 29

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-1011: A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 29

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-1729: A use-after-free flaw was found in the Linux kernel's performance events subsystem allowing a local user to crash the system.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 13-28.x

CVSS 3.1 base score: 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-1786: A use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 26-28.x

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-27666: A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 21-28.x

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-29581: Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 21-28.x

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-29582: In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 26-28.x

CVSS 3.1 base score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-30594: The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 13-28.x

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 29

CVE-2018-25032: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 29

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: This issue is most reliably triggered by use of static Huffman coding (Z_FIXED), which is not used by Pexip Infinity, but can also occur when using dynamic Huffman coding (Z_DEFAULT_STRATEGY) with a memLevel of 1. All use of zlib compression within Pexip Infinity uses dynamic Huffman coding (Z_DEFAULT_STRATEGY) with a memLevel of at least 8.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-36434: Insufficient input validation in the Pexip Client API implementation allows an unauthenticated remote attacker to trigger a software abort leading to a denial of service.

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 28.x

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Disable support for Pexip Infinity Connect clients and Client API in Pexip Infinity Global Settings.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-34490: Insufficient input validation in the RTP implementation allows a malicious attacker to trigger a software abort resulting in a denial of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 9.0 - 28.1

CVSS3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-32956: Improper access control in the Infinity Management API allows a malicious attacker to escalate privileges when certificate based authentication is enabled

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 5.5 - 28.1

CVSS 3.1 base score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Mitigation: Disable certificate based authentication.

Resolution: Upgrade to Pexip Infinity 29

CVE-2022-32263: Insufficient input validation in the G.719 codec implementation allows a malicious attacker to trigger a software abort resulting in a denial of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 13.0 - 28.0

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Disable the G.719 codec implementation (in the Codecs section of Platform > Global Settings).

Resolution: Upgrade to Pexip Infinity 28.1

CVE-2022-29286: Resource mismanagement in the registrar allows an unauthenticated remote attacker to cause the system to consume excess resources and eventually terminate, resulting in a denial of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: 27.0, 27.1, 27.2, 27.3

CVSS 3.1 base score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Mitigation: Where possible, disable the registrar (Services > Registrar).

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-27936: Insufficient input validation in the H.323 protocol implementation allows an unauthenticated remote attacker to trigger a software abort resulting in a denial of service

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: Where possible, disable the H.323 protocol implementation (Platform > Global Settings > Connectivity).

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-25315: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-25314: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-25236: xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-25235: xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-23990: Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-23852: Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-23308: valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-22827: storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-22826: nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-22825: lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-22824: defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-22823: build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-22822: addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow

Impact to Pexip Infinity: Critical

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-0847: A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 28

CVE-2022-0492: A vulnerability was found in the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c in the Linux kernel. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 28

CVE-2021-46143: In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2021-45960: In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2021-45485: In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

CVE-2021-22600: A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading the kernel past the affected versions or rebuilding past ec6af094ea28f0f2dda1a6a33b14cd57e36a9755

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 28

CVE-2021-4154: A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 28

CVE-2021-4083: A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call close() and fget() simultaneously and can potentially trigger a race condition. This flaw allows a local user to crash the system or escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.16-rc4

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Mitigation: Exploitation requires an attacker to be able to run arbitrary code on the system by either achieving remote code execution via some other vulnerability or having administrative access to the operating system.

Resolution: Upgrade to Pexip Infinity 28

CVE-2018-25032: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches

Impact to Pexip Infinity: High

Affected versions of Pexip Infinity: All before 28

CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity 28

Connect app

Each bulletin addresses a number of vulnerabilities in the software used by the Connect apps. The bulletins include an assessment of the issues, the impact on the Connect app, and resolution details.

| Bulletin | Description | Risk | Updated | Addressed in version |
|---|---|---|---|---|
| CVE-2021-29655 | Missing authenticity checks in application provisioning allow an attacker to cause the application to run untrusted code. | High | June 2021 | 1.8.0 |
| CVE-2021-29656 | Missing checks in certificate allow list matching allow a remote attacker to compromise a TLS connection, extracting data and potentially causing remote code execution. | High | June 2021 | 1.8.0 |

CVE-2021-29655: Missing authenticity checks in application provisioning allow an attacker to cause the application to run untrusted code.

Impact to Connect app: High

Affected versions of Connect app: All before 1.8.0

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Connect app 1.8.0

Credit: This issue was responsibly disclosed by the UK's National Cyber Security Centre (NCSC)

CVE-2021-29656: Missing checks in certificate allow list matching allow a remote attacker to compromise a TLS connection, extracting data and potentially causing remote code execution.

Impact to Connect app: High

Affected versions of Connect app: All before 1.8.0

CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Mitigation: None

Resolution: Upgrade to Pexip Infinity Connect 1.8.0

Credit: This issue was responsibly disclosed by the UK's National Cyber Security Centre (NCSC)