Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2023:2234: Red Hat Security Advisory: sysstat security and bug fix update

An update for sysstat is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files and may lead to memory corruption or possibly arbitrary code execution due to an incorrectly sized buffer.
Red Hat Security Data
#vulnerability#web#ios#linux#red_hat#nodejs#js#java#kubernetes#aws#ibm

Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager

All Products

Issued:

2023-05-09

Updated:

2023-05-09

RHSA-2023:2234 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: sysstat security and bug fix update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for sysstat is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.

Security Fix(es):

  • sysstat: arithmetic overflow in allocate_structures() on 32 bit systems (CVE-2022-39377)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64

Fixes

  • BZ - 2141207 - CVE-2022-39377 sysstat: arithmetic overflow in allocate_structures() on 32 bit systems

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

Red Hat Enterprise Linux for x86_64 9

SRPM

sysstat-12.5.4-5.el9.src.rpm

SHA-256: 2072264747b2ca6ffaa7dc97f79d3edc1744e92eeca4acfdcf8b8017a2b2e1ed

x86_64

sysstat-12.5.4-5.el9.x86_64.rpm

SHA-256: 0a0714685cca15063110e18b5d6e7bfebb11733ba17efc2a46712d1c5b0f5c68

sysstat-debuginfo-12.5.4-5.el9.x86_64.rpm

SHA-256: 8f9dce02957ed92822ecea916d677b1811075ae0ea4fba5d98578c20ce581d3b

sysstat-debugsource-12.5.4-5.el9.x86_64.rpm

SHA-256: 7948102d4fd4e7275c91cf24d387d974e3a1f7e232fe43da945fe6ee3591c439

Red Hat Enterprise Linux for IBM z Systems 9

SRPM

sysstat-12.5.4-5.el9.src.rpm

SHA-256: 2072264747b2ca6ffaa7dc97f79d3edc1744e92eeca4acfdcf8b8017a2b2e1ed

s390x

sysstat-12.5.4-5.el9.s390x.rpm

SHA-256: c674618b39a9d11dbe36d3b07a65818340d52693be13030c0a683c302cd88af3

sysstat-debuginfo-12.5.4-5.el9.s390x.rpm

SHA-256: 347f3b8ed67a140ed31df5bec7c426773dd991b4e72a788455cea5931160ea7c

sysstat-debugsource-12.5.4-5.el9.s390x.rpm

SHA-256: 9d6503e6ba3d9ab1e32cda301bebd1aa1b8369e096e1878f3a55f439c7224d6f

Red Hat Enterprise Linux for Power, little endian 9

SRPM

sysstat-12.5.4-5.el9.src.rpm

SHA-256: 2072264747b2ca6ffaa7dc97f79d3edc1744e92eeca4acfdcf8b8017a2b2e1ed

ppc64le

sysstat-12.5.4-5.el9.ppc64le.rpm

SHA-256: 55cc47f8397edec90cfbcbb3be9cff7b5d318809a7745703a79b53b9e6affefa

sysstat-debuginfo-12.5.4-5.el9.ppc64le.rpm

SHA-256: 3f2f9b8385dce2a204e77ba255e3034e2d960044f3ee9d7ec701d8617a4b02b4

sysstat-debugsource-12.5.4-5.el9.ppc64le.rpm

SHA-256: 877879b5d938d798521a3966d757f2db3d8ff8de708e07844d68e87a3510f2a4

Red Hat Enterprise Linux for ARM 64 9

SRPM

sysstat-12.5.4-5.el9.src.rpm

SHA-256: 2072264747b2ca6ffaa7dc97f79d3edc1744e92eeca4acfdcf8b8017a2b2e1ed

aarch64

sysstat-12.5.4-5.el9.aarch64.rpm

SHA-256: 1935b60c55cf01e93407b68037573205dd7f2a9bf408843751cf384fb22f4678

sysstat-debuginfo-12.5.4-5.el9.aarch64.rpm

SHA-256: ec6e9d04cffdaaec36360de843ca5a4db26447d98e184b9dd9bb48462460fae5

sysstat-debugsource-12.5.4-5.el9.aarch64.rpm

SHA-256: 396ccb1567c7ff35c7c55ff0f1ceb705ce5f9b2ad583467b3683cc72c05afd84

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Ubuntu Security Notice USN-6145-1

Ubuntu Security Notice 6145-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only fixed for Ubuntu 16.04 LTS. It was discovered that Sysstat incorrectly handled certain arithmetic multiplications in 64-bit systems, as a result of an incomplete fix for CVE-2022-39377. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.

RHSA-2023:2800: Red Hat Security Advisory: sysstat security and bug fix update

An update for sysstat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-39377: An arithmetic overflow issue was discovered in Sysstat on 32-bit systems. The allocate_structures() function in sa_common.c insufficiently checks bounds before arithmetic multiplication, allowing an overflow in the size allocated for the buffer representing system activities. The vulnerability can be triggered when displaying activity data files ...

Red Hat Security Advisory 2023-2234-01

Red Hat Security Advisory 2023-2234-01 - The sysstat packages provide the sar and iostat commands. These commands enable system monitoring of disk, network, and other I/O activity.

Ubuntu Security Notice USN-5748-1

Ubuntu Security Notice 5748-1 - It was discovered that Sysstat incorrectly handled certain arithmetic multiplications. An attacker could use this issue to cause Sysstat to crash, resulting in a denial of service, or possibly execute arbitrary code.

Ubuntu Security Notice USN-5735-1

Ubuntu Security Notice 5735-1 - It was discovered that Sysstat did not properly check bounds when performing certain arithmetic operations on 32 bit systems. An attacker could possibly use this issue to cause a crash or arbitrary code execution.

Gentoo Linux Security Advisory 202211-07

Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.

CVE-2022-39377: sysstat overflow on 32-bit systems

sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.