Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2022-28321

Publication date 19 September 2022

Last updated 24 July 2024


Ubuntu priority

Negligible

Why this priority?

Cvss 3 Severity Score

9.8 · Critical

Score breakdown

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.

Read the notes from the security team

Status

Package Ubuntu Release Status
pam 23.10 mantic
Not affected
23.04 lunar
Not affected
22.10 kinetic
Fixed 1.5.2-2ubuntu1.1
22.04 LTS jammy
Fixed 1.4.0-11ubuntu2.1
20.04 LTS focal
Fixed 1.3.1-5ubuntu4.4
18.04 LTS bionic
Fixed 1.1.8-3.6ubuntu2.18.04.4
16.04 LTS xenial
14.04 LTS trusty

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes


rodrigo-zaiden

it was stated that upstream is not affected, so, Ubuntu might not be affected as well, it worth checking


mdeslaur

This CVE was assigned to a flaw in SUSE-specific code that was part of the upstream PR226, and did not make its way into the the upstream Linux-PAM code. The issue was fixed in PR447, which was included in upstream Linux-PAM 1.5.3. USN-5825-1 and USN-5825-2 added the whole PR447 which fixed a bug, even though the original package didn't contain the vulnerability described in this CVE. Marking lunar, mantic, and noble as not-affected since they do not contain the vulnerable code.

Severity score breakdown

Parameter Value
Base score 9.8 · Critical
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H