Headline
RHSA-2023:2800: Red Hat Security Advisory: sysstat security and bug fix update
An update for sysstat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files and may lead to memory corruption or possibly arbitrary code execution due to an incorrectly sized buffer.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-05-16
Updated:
2023-05-16
RHSA-2023:2800 - Security Advisory
- Overview
- Updated Packages
Synopsis
Moderate: sysstat security and bug fix update
Type/Severity
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for sysstat is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.
Security Fix(es):
- sysstat: arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2141207 - CVE-2022-39377 sysstat: arithmetic overflow in allocate_structures() on 32 bit systems
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index
Red Hat Enterprise Linux for x86_64 8
SRPM
sysstat-11.7.3-9.el8.src.rpm
SHA-256: 126ea8468de4f41c454f286a0aacf053285a327ba0dee574bb512fa23328777d
x86_64
sysstat-11.7.3-9.el8.x86_64.rpm
SHA-256: 39bc44cc97ba705af59636740088a130e09ed7a0be2e687bfccb9d393f6fc9bf
sysstat-debuginfo-11.7.3-9.el8.x86_64.rpm
SHA-256: 8e93034b6432e116f780009345a45dbee5117cf6258ab66451e78d5218083a92
sysstat-debugsource-11.7.3-9.el8.x86_64.rpm
SHA-256: 438e6eb181911c3db12383c70151e005325d06dbcfff25bcfa0f4c4d37f6b52a
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
sysstat-11.7.3-9.el8.src.rpm
SHA-256: 126ea8468de4f41c454f286a0aacf053285a327ba0dee574bb512fa23328777d
s390x
sysstat-11.7.3-9.el8.s390x.rpm
SHA-256: 146d08e083b213c42b7a7ba99db1ff04050b6d145d9a51523b440c30e00cb539
sysstat-debuginfo-11.7.3-9.el8.s390x.rpm
SHA-256: 6fd902760dc60b0538265b468ddf16ea591aeab00057c4888d7ea03b606bba80
sysstat-debugsource-11.7.3-9.el8.s390x.rpm
SHA-256: c8ed8d081d245ef71f44548f52b22e8a258654b4bbccf1662483db4f75766046
Red Hat Enterprise Linux for Power, little endian 8
SRPM
sysstat-11.7.3-9.el8.src.rpm
SHA-256: 126ea8468de4f41c454f286a0aacf053285a327ba0dee574bb512fa23328777d
ppc64le
sysstat-11.7.3-9.el8.ppc64le.rpm
SHA-256: 4df8cd0dde00eae658316887031699e8f4ae14410b7ca9e573ba08a675eaf7c9
sysstat-debuginfo-11.7.3-9.el8.ppc64le.rpm
SHA-256: 88920496f66f96e67da56270786cf37a25b1791d1f1084954b3362bf8d04a3c2
sysstat-debugsource-11.7.3-9.el8.ppc64le.rpm
SHA-256: 14c6254490c77acd2e5d5fe7b7628e5beeac40e41221f80d423daa829a05feb1
Red Hat Enterprise Linux for ARM 64 8
SRPM
sysstat-11.7.3-9.el8.src.rpm
SHA-256: 126ea8468de4f41c454f286a0aacf053285a327ba0dee574bb512fa23328777d
aarch64
sysstat-11.7.3-9.el8.aarch64.rpm
SHA-256: 7c7c0679e30a35c41da705b9c33543a7d4f1144d0319974fbee3cde0e40b3136
sysstat-debuginfo-11.7.3-9.el8.aarch64.rpm
SHA-256: f1eee6fe855658f89ba4ecfef52463a3db5cb2aed7a10cb9482f19e1d3e33edd
sysstat-debugsource-11.7.3-9.el8.aarch64.rpm
SHA-256: d142ac83f28243da03f39252b558a53929eb3dfd58e0fef47bad2b4a97f34edd
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6145-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only fixed for Ubuntu 16.04 LTS. It was discovered that Sysstat incorrectly handled certain arithmetic multiplications in 64-bit systems, as a result of an incomplete fix for CVE-2022-39377. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.
Red Hat Security Advisory 2023-2234-01 - The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.
An update for sysstat is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...
Ubuntu Security Notice 5748-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.
Ubuntu Security Notice 5735-1 - It was discovered that Sysstat did not properly check bounds when performing certain arithmetic operations on 32 bit systems. An attacker could possibly use this issue to cause a crash or arbitrary code execution.
Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.
sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.