Headline
CVE-2023-6273: December
Permission management vulnerability in the module for disabling Sound Booster. Successful exploitation of this vulnerability may cause features to perform abnormally.
HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:
This security update includes the following third-party library patches:
This security update includes the CVE announced in the November 2023 Android security bulletin:
Critical: none
High: CVE-2023-40104, CVE-2023-40111, CVE-2023-40112, CVE-2023-40110, CVE-2023-40114, CVE-2023-40105, CVE-2023-40106, CVE-2023-40109, CVE-2023-40115, CVE-2023-40100, CVE-2023-33031, CVE-2023-33055, CVE-2023-33059
Medium: CVE-2023-28572, CVE-2023-28553
Low: none
Already included in previous updates: CVE-2022-29824, CVE-2023-21253, CVE-2021-44828, CVE-2022-28348, CVE-2023-33200, CVE-2023-4211, CVE-2023-21237, CVE-2022-20264, CVE-2022-27404, CVE-2023-21295, CVE-2023-21308, CVE-2023-21311, CVE-2023-21319, CVE-2023-21320, CVE-2023-21326, CVE-2023-21331, CVE-2023-21344, CVE-2023-21346, CVE-2023-21348, CVE-2023-21349, CVE-2023-21355, CVE-2023-21369, CVE-2023-21372, CVE-2023-21374, CVE-2023-21388
※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).
This security update includes the following HUAWEI patches:
CVE-2023-44099: Vulnerability of data verification errors in the kernel module
Severity: Medium
Affected versions: EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may cause WLAN interruption.
CVE-2023-44113: Vulnerability of missing permission verification for APIs in the Designed for Reliability (DFR) module
Severity: Medium
Affected versions: EMUI 13.0.0
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-46773: Permission management vulnerability in the PMS module
Severity: High
Affected versions: EMUI 13.0.0
Impact: Successful exploitation of this vulnerability may cause privilege escalation.
CVE-2023-49239: Unauthorized access vulnerability in the card management module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49240: Unauthorized access vulnerability in the launcher module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49241: API permission control vulnerability in the network management module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49242: Free broadcast vulnerability in the running management module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49243: Vulnerability of unauthorized access to email attachments in the email module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49244: Permission management vulnerability in the multi-user module
Severity: Medium
Affected versions: EMUI 13.0.0
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49245: Unauthorized access vulnerability in the HUAWEI Share module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49246: Unauthorized access vulnerability in the card management module
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49247: Permission verification vulnerability in distributed scenarios
Severity: High
Affected versions: EMUI 13.0.0, EMUI 12.0.0
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-49248: Vulnerability of unauthorized file access in the Settings app
Severity: High
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may cause unauthorized file access.
CVE-2023-6273: Permission management vulnerability in the module for disabling Sound Booster
Severity: Medium
Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1
Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
Related news
A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple locations, there is a possible way to crash multiple system services due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Categories: Android Categories: News Tags: Google Tags: Android Tags: Qualcomm Tags: webp Tags: ARM Mali Tags: cve-2023-4863 Tags: cve-2023-4211 Tags: cve-2023-33106 Tags: cve-2023-33107 Tags: cve-2023-22071 Tags: cve-2023-33063 Tags: 2023-10-006 Tags: patch level Google has patched 53 vulnerabilities in its Android October security updates, two of which are known to be actively exploited. (Read more...) The post Update your Android devices now! Google patches two actively exploited vulnerabilities appeared first on Malwarebytes Labs.
Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation. Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity. "There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107,
Arm has released security patches to contain a security flaw in the Mali GPU Kernel Driver that has come under active exploitation in the wild. Tracked as CVE-2023-4211, the shortcoming impacts the following driver versions - Midgard GPU Kernel Driver: All versions from r12p0 - r32p0 Bifrost GPU Kernel Driver: All versions from r0p0 - r42p0 Valhall GPU Kernel Driver: All versions from r19p0 -
Arm has released security patches to contain a security flaw in the Mali GPU Kernel Driver that has come under active exploitation in the wild. Tracked as CVE-2023-4211, the shortcoming impacts the following driver versions - Midgard GPU Kernel Driver: All versions from r12p0 - r32p0 Bifrost GPU Kernel Driver: All versions from r0p0 - r42p0 Valhall GPU Kernel Driver: All versions from r19p0 -
DoS vulnerability in the PMS module. Successful exploitation of this vulnerability may cause the system to restart.
In applyRemoteView of NotificationContentInflater.java, there is a possible way to hide foreground service notification due to misleading or insufficient UI. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-251586912
Red Hat Security Advisory 2023-1174-01 - OpenShift API for Data Protection (OADP) 1.1.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-0470-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1).
An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42920: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
The Migration Toolkit for Containers (MTC) 1.7.6 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30630: golang: io/fs: stack exhaustion in G...
Red Hat Advanced Cluster Management for Kubernetes 2.6.3 General Availability release images, which provide security updates, fix bugs, and update container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-41912: crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements
Openshift Logging Bug Fix Release (5.3.14) Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays
Red Hat Security Advisory 2022-8781-01 - Logging Subsystem for Red Hat OpenShift has a security update. Issues addressed include a denial of service vulnerability.
Logging Subsystem 5.5.5 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36518: jackson-databind: denial of service via a large depth of nested objects * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-27664: golang: net/http: handle server errors after sending GOAWAY * CVE-2022-32189: golang: math/b...
Red Hat Security Advisory 2022-8750-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat OpenShift Virtualization release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-24921: golang: regexp: stack exhaustion via a deeply nested expression * CVE-2022-28327: golang: crypto/elliptic: panic caus...
Red Hat Security Advisory 2022-6040-01 - Version 1.24.0 of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, 4.10, and 4.11. This release includes security and bug fixes, and enhancements. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2022-5909-01 - Openshift Logging Bug Fix Release. Issues addressed include denial of service and out of bounds read vulnerabilities.
Openshift Logging Bug Fix Release (5.2.13) Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS
Red Hat Security Advisory 2022-5840-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.
The Migration Toolkit for Containers (MTC) 1.7.3 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1365: cross-fetch: Exposure of Private Personal Information to an Unauthorized Actor * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-29526: golang: syscall: faccessat checks wrong group
Secondary Scheduler Operator for Red Hat OpenShift 1.0.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29526: golang: syscall: faccessat checks wrong group
Red Hat Security Advisory 2022-5704-01 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a privilege escalation vulnerability.
Logging Subsystem 5.4.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS
Red Hat Security Advisory 2022-5250-01 - The libxml2 library is a development toolbox providing the implementation of various XML standards. Issues addressed include integer overflow and out of bounds write vulnerabilities.
An update for libxml2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-29824: libxml2: integer overflows in xmlBuf and xmlBuffer lead to out-of-bounds write
Arm Mali GPU Kernel Driver (Midgard r4p0 through r31p0, Bifrost r0p0 through r36p0 before r37p0, and Valhall r19p0 through r36p0 before r37p0) allows improper GPU memory operations to reach a use-after-free situation.