Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 438
Alerts This Week
Warning Icon 1 438

Ubuntu 21.04 & 20.04 LTS USN-5088-1 Critical: EDK II Denial of Service

ubuntu
Calendar Grey September 23, 2021
Dist Ubuntu Esm H88
Ubuntu addresses EDK II security flaws: Discover the relevant fixes and updates that are essential to implement promptly.
Several security issues were fixed in EDK II.

Summary

Several security issues were fixed in EDK II.

Software Description:

- edk2: UEFI firmware for virtual machines

Details:

It was discovered that EDK II incorrectly handled input validation in

MdeModulePkg. A local user could possibly use this issue to cause EDK II to

crash, resulting in a denial of service, obtain sensitive information or

execute arbitrary code. (CVE-2019-11098)

Paul Kehrer discovered that OpenSSL used in EDK II incorrectly handled

certain input lengths in EVP functions. An attacker could possibly use this

issue to cause EDK II to crash, resulting in a denial of service.

(CVE-2021-23840)

Ingo Schwarze discovered that OpenSSL used in EDK II incorrectly handled

certain ASN.1 strings. An attacker could use this issue to cause EDK II to

crash, resulting in a denial of service, or possibly obtain sensitive

information. (CVE-2021-3712)

It was discovered that EDK II incorrectly decoded certain strings. A remote

attacker could use this issue to ...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
  ovmf                            2020.11-4ubuntu0.1
  ovmf-ia32                       2020.11-4ubuntu0.1
  qemu-efi                        2020.11-4ubuntu0.1
  qemu-efi-aarch64                2020.11-4ubuntu0.1
  qemu-efi-arm                    2020.11-4ubuntu0.1

Ubuntu 20.04 LTS:
  ovmf                            0~20191122.bd85bf54-2ubuntu3.3
  qemu-efi                        0~20191122.bd85bf54-2ubuntu3.3
  qemu-efi-aarch64                0~20191122.bd85bf54-2ubuntu3.3
  qemu-efi-arm                    0~20191122.bd85bf54-2ubuntu3.3

After a standard system update you need to restart the virtual machines
that use the affected firmware to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-5088-1

CVE-2019-11098, CVE-2021-23840, CVE-2021-3712, CVE-2021-38575

Severity
critical
Lowest
Low
Medium
High
Critical

September 23, 2021

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.