Vulnerability Name:

CVE-2022-2509 (CCN-232507)

Assigned:2022-07-29
Published:2022-07-29
Updated:2022-08-19
Summary:A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-415
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-2509

Source: MISC
Type: Third Party Advisory
https://access.redhat.com/security/cve/CVE-2022-2509

Source: CCN
Type: Red Hat Bugzilla - Bug 2108977
(CVE-2022-2509) - CVE-2022-2509 gnutls: Double free during gnutls_pkcs7_verify

Source: XF
Type: UNKNOWN
gnutls-cve20222509-dos(232507)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220812 [SECURITY] [DLA 3070-1] gnutls28 security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-5470992bfc

Source: MISC
Type: Mailing List, Release Notes, Vendor Advisory
https://lists.gnupg.org/pipermail/gnutls-help/2022-July/004746.html

Source: DEBIAN
Type: Third Party Advisory
DSA-5203

Source: CCN
Type: GnuTLS Web site
GnuTLS

Source: CCN
Type: IBM Security Bulletin 6842505 (MQ Operator)
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Expat, SQlite, libxml2, Libksba, zlib and GnuTLS

Source: CCN
Type: IBM Security Bulletin 6848319 (Voice Gateway)
Multiple Vulnerabilities in base image packages affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6852221 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6853461 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6857803 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6967643 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in GnuTLS (CVE-2022-2509)

Source: CCN
Type: IBM Security Bulletin 7001867 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7014939 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOps

Vulnerable Configuration:Configuration 1:
  • cpe:/a:gnu:gnutls:*:*:*:*:*:*:*:* (Version < 3.7.7)

  • Configuration 2:
  • cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

  • Configuration 4:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:9:*:*:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:9::baseos:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

  • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

  • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7512
    P
    gnutls-3.7.3-150400.4.35.1 on GA media (Moderate)
    2023-06-12
    oval:com.redhat.rhsa:def:20227105
    P
    RHSA-2022:7105: gnutls security update (Moderate)
    2022-10-25
    oval:com.redhat.rhsa:def:20226854
    P
    RHSA-2022:6854: gnutls and nettle security, bug fix, and enhancement update (Moderate)
    2022-10-11
    oval:org.opensuse.security:def:712
    P
    Security update for gnutls (Important)
    2022-08-26
    oval:org.opensuse.security:def:118797
    P
    Security update for gnutls (Important)
    2022-08-24
    oval:org.opensuse.security:def:119659
    P
    Security update for gnutls (Important)
    2022-08-24
    oval:org.opensuse.security:def:118987
    P
    Security update for gnutls (Important)
    2022-08-24
    oval:org.opensuse.security:def:119292
    P
    Security update for gnutls (Important)
    2022-08-24
    oval:org.opensuse.security:def:119474
    P
    Security update for gnutls (Important)
    2022-08-24
    BACK
    gnu gnutls *
    redhat enterprise linux 8.0
    redhat enterprise linux 9.0
    fedoraproject fedora 35
    debian debian linux 10.0
    debian debian linux 11.0
    ibm voice gateway 1.0.2
    ibm voice gateway 1.0.3
    ibm cloud transformation advisor 2.0.1
    ibm voice gateway 1.0.2.4
    ibm voice gateway 1.0.4
    ibm voice gateway 1.0.5
    ibm voice gateway 1.0.6
    ibm voice gateway 1.0.7
    ibm robotic process automation for cloud pak 21.0.1
    ibm robotic process automation for cloud pak 21.0.2
    ibm robotic process automation for cloud pak 21.0.3
    ibm cloud pak for security 1.10.0.0
    ibm robotic process automation for cloud pak 21.0.5
    ibm robotic process automation for cloud pak 21.0.6
    ibm robotic process automation for cloud pak 21.0.4
    ibm robotic process automation for cloud pak 21.0.0