Linux Kernel Vulnerability Affecting Secure Boot Mechanisms
CVE-2022-21505
Summary
In the Linux kernel, a security flaw exists in the use of Integrity Measurement Architecture (IMA) appraisal with the boot parameter 'ima_appraise=log'. If this parameter is set and Secure Boot is either disabled or not available, the system's lockdown can potentially be bypassed using the kexec command. IMA prevents 'ima_appraise=log' from being set when Secure Boot is enabled, but this safeguard does not extend to systems where lockdown is active without Secure Boot. This raises significant concerns for the confidentiality, integrity, and availability of affected systems, as malicious actors may exploit the flaw to bypass security mechanisms.
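The following shell check is an added example, not code from the advisory or from Oracle: it flags a host whose configuration matches the condition described above ('ima_appraise=log' set, lockdown active, Secure Boot not enabled). The function names are hypothetical, the sample inputs are constructed, and the check does not determine whether the running kernel already carries the fix.

```shell
#!/bin/sh
# Added example: flag the configuration described in CVE-2022-21505.

# assess_ima_lockdown CMDLINE LOCKDOWN SECUREBOOT   (hypothetical helper)
#   CMDLINE    kernel command line, as in /proc/cmdline
#   LOCKDOWN   contents of /sys/kernel/security/lockdown ("" if absent)
#   SECUREBOOT "enabled", "disabled" or "unavailable"
# Prints "at-risk" when ima_appraise=log is set, lockdown is active and
# Secure Boot is not enabled; prints "ok" otherwise.
assess_ima_lockdown() (
    set -f                      # no globbing while splitting the command line
    appraise=""
    for arg in $1; do
        case $arg in            # assumption: the last occurrence is the effective one
            ima_appraise=*) appraise=${arg#ima_appraise=} ;;
        esac
    done
    case $2 in
        *"[none]"*) locked=no ;;
        *"["*"]"*)  locked=yes ;;   # e.g. "none [integrity] confidentiality"
        *)          locked=no ;;    # lockdown LSM not present
    esac
    if [ "$appraise" = log ] && [ "$locked" = yes ] && [ "$3" != enabled ]; then
        echo at-risk
    else
        echo ok
    fi
)

# Read the UEFI SecureBoot variable: efivarfs prefixes 4 attribute bytes,
# so the 5th byte holds the value (1 = enabled).
secureboot_state() {
    var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    [ -r "$var" ] || { echo unavailable; return 0; }
    if [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Evaluate the running host.
check_live() {
    assess_ima_lockdown "$(cat /proc/cmdline)" \
        "$(cat /sys/kernel/security/lockdown 2>/dev/null)" "$(secureboot_state)"
}

# Constructed inputs, not captured from a real host.
assess_ima_lockdown "ro ima_appraise=log lockdown=integrity" \
    "none [integrity] confidentiality" disabled
```

Call check_live on a host to evaluate its current boot state; an "at-risk" result means the boot parameters and kernel version should be reviewed against the vendor's fixed packages.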
Affected Version(s)
Oracle Linux: 7
Oracle Linux: 8
Oracle Linux: 9