Microsoft Security Response Center

**What are some of the services affected by this vulnerability?** The following table lists some of the affected services, and the changes associated with the remedy for this vulnerability: Affected Product New Version Number Customer action required DSC Patch for Version 3: 3.0.0.7 and Patch for Version 2: 2.71.1.33 No Customer Action required; these are auto updated for all customers. SCOM For 2016: 7.6.1108.0; for 2019: 10.19.1152.0; and for 2022: 10.22.1024.0 Customers need to update MPs 2016, 2019, and 2022. OMS 1.14.13 There are 2 ways to install OMS Agent: Bundle or through VM Extension. Using a Bundle Link and for VM Extensions, through Azure Powershell CMDlets or Azure CLI. ASC 1.14.13 Update via VM extension. Container Monitoring Solution Image tag: microsoft-oms-latest with full ID: sha256:6131e66cdf7bd07f9db3bbb17902ea8695a2f2bda0cf72ff16170aaf93b56f3b See How to Upgrade OMS Docker for details on how to check your current image ID and to upgrade OMS-docke...

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user open a specially crafted file. * In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. * In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**Why is this Intel CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in certain processor models offered by Intel. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows updates enables the mitigation. This CVE is being documented in the Security Update Guide to announce that the latest builds of Windows enable the mitigation and are not vulnerable to the issue when paired with the firmware update. Please see the following for more information: * Microsoft Advisory 220002 * Intel-SA-00615

**Why is this Intel CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in certain processor models offered by Intel. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows updates enables the mitigation. This CVE is being documented in the Security Update Guide to announce that the latest builds of Windows enable the mitigation and are not vulnerable to the issue when paired with the firmware update. Please see the following for more information: * Microsoft Advisory 220002 * Intel-SA-00615

**Are there any special conditions necessary for this vulnerability to be exploitable?** Yes. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable. For more information, please see LDAP policies.

**According to the CVSS metric, Privileges Required is High (PR:H). What would lead to a successful attack?** In order for the successful attack to be initiated, the attacker would need to have read/write access to the cluster and the ability to host a hostile code without any isolation.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**Why is this Rapid7 CVE included in the Security Update Guide?** The vulnerability assigned to this CVE was originally classified as a stability bug in Windows. Rapid7 discovered that this bug could be used to cause a denial of service condition on affected versions of Windows. Microsoft had provided an update to address this issue prior to being contacted about it by Rapid 7. Microsoft appreciates the strong partnership that we have with Rapid7. **Why are the May updates associated with the operating systems rows in the Security Updates table?** This vulnerability was addressed in the May 2022 security updates.