Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-39767: Android 12L Security Release Notes  |  Android Open Source Project

In miniadb, there is a possible way to get read/write access to recovery system properties due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-201308542

CVE
#vulnerability#android#google#dos#rce

Published February 22, 2022

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 12L. Android 12L devices with a security patch level of 2022-03-01 or later are protected against these issues (Android 12L, as released on AOSP, will have a default security patch level of 2022-03-01). To learn how to check a device’s security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 12L release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Announcements

  • The issues described in this document are addressed as part of Android 12L. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Android 12L vulnerability details

The sections below provide details for security vulnerabilities fixed as part of Android 12L. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

Framework

CVE

References

Type

Severity

CVE-2021-39749

A-205996115

EoP

High

CVE-2021-39743

A-201534884

EoP

Moderate

CVE-2021-39746

A-194696395

EoP

Moderate

CVE-2021-39750

A-206474016

EoP

Moderate

CVE-2021-39752

A-202756848

EoP

Moderate

CVE-2021-39758

A-205130886

EoP

Moderate

CVE-2022-20002

A-198657657

EoP

Moderate

CVE-2021-39744

A-192369136

ID

Moderate

CVE-2021-39745

A-206127671

ID

Moderate

CVE-2021-39747

A-208268457

ID

Moderate

CVE-2021-39748

A-203777141

ID

Moderate

CVE-2021-39751

A-172838801

ID

Moderate

CVE-2021-39753

A-200035185

ID

Moderate

CVE-2021-39755

A-204995407

ID

Moderate

CVE-2021-39756

A-184354287

ID

Moderate

CVE-2021-39757

A-176094662

ID

Moderate

CVE-2021-39754

A-207133709

ID

Moderate

Media Framework

CVE

References

Type

Severity

CVE-2021-39759

A-180200830

EoP

Moderate

CVE-2021-39760

A-194110526

ID

Moderate

CVE-2021-39761

A-179783181

ID

Moderate

CVE-2021-39762

A-210625816

ID

Moderate

Platform

CVE

References

Type

Severity

CVE-2021-39741

A-173567719

EoP

Moderate

CVE-2021-39763

A-199176115

EoP

Moderate

CVE-2021-39764

A-170642995

EoP

Moderate

CVE-2021-39767

A-201308542

EoP

Moderate

CVE-2021-39768

A-202017876

EoP

Moderate

CVE-2021-39771

A-198661951

EoP

Moderate

CVE-2021-25393

A-180518134

ID

Moderate

CVE-2021-39739

A-184525194

ID

Moderate

CVE-2021-39740

A-209965112

ID

Moderate

CVE-2021-39742

A-186405602

ID

Moderate

CVE-2021-39765

A-201535427

ID

Moderate

CVE-2021-39766

A-198296421

ID

Moderate

CVE-2021-39769

A-193663287

ID

Moderate

CVE-2021-39770

A-193033501

ID

Moderate

System

CVE

References

Type

Severity

CVE-2021-39776

A-192614125

EoP

High

CVE-2021-39787

A-202506934

EoP

High

CVE-2021-39772

A-181962322

EoP

Moderate

CVE-2021-39780

A-204992293

EoP

Moderate

CVE-2021-39781

A-195311502

EoP

Moderate

CVE-2021-39782

A-202760015

EoP

Moderate

CVE-2021-39783

A-197960597

EoP

Moderate

CVE-2021-39784

A-200163477

EoP

Moderate

CVE-2021-39786

A-192551247

EoP

Moderate

CVE-2021-39789

A-203880906

EoP

Moderate

CVE-2021-39790

A-186405146

EoP

Moderate

CVE-2021-39773

A-191276656

ID

Moderate

CVE-2021-39775

A-206465854

ID

Moderate

CVE-2021-39777

A-194743207

ID

Moderate

CVE-2021-39778

A-196406138

ID

Moderate

CVE-2021-39779

A-190400974

ID

Moderate

CVE-2021-39788

A-191768014

ID

Moderate

CVE-2021-39791

A-194112606

ID

Moderate

CVE-2021-39774

A-205989472

DoS

Moderate

Additional Vulnerability details

The section below provides details for security vulnerabilities that are being provided for disclosure purposes. These issues are not required for SPL compliance.

Android TV

CVE

References

Type

Severity

CVE-2021-1000

A-185190688

EoP

Moderate

CVE-2021-1033

A-185247656

EoP

Moderate

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device’s security patch level, see Check and update your Android version.

Android 12L, as released on AOSP, has a default security patch level of 2022-03-01. Android devices running Android 12L and with a security patch level of 2022-03-01 or later address all issues contained in these security release notes.

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix

Reference

A-

Android bug ID

Versions

Version

Date

Notes

1.0

February 22, 2022

Security Release Notes Published

Related news

CVE-2022-44556: November

Missing parameter type validation in the DRM module. Successful exploitation of this vulnerability may affect availability.

CVE-2022-41587: October

Uncaptured exceptions in the home screen module. Successful exploitation of this vulnerability may affect stability.

CVE-2021-0696: Android Security Bulletin—October 2022  |  Android Open Source Project

In dllist_remove_node of TBD, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-242344778

CVE-2022-31761: June

Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE-2022-29795: May

The frame scheduling module has a null pointer dereference vulnerability. Successful exploitation of this vulnerability will affect the kernel availability.

CVE-2021-46785: May

The Property module has a vulnerability in permission control.This vulnerability can be exploited to obtain the unique device identifier.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907