CVE-2022-42012: D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2 has an issue.

D-Bus packages that are enabled by default on Ubuntu Trusty and later distributions were vulnerable before D-Bus 1.16 was released. An attacker could exploit this to crash the D-Bus daemon, which could lead to arbitrary code execution.

Impacted systems: Ubuntu Trusty (USN-3076-1, D-Bus vulnerability; see References below)

CVE ID: None issued. Details: This issue was discovered by Juan Pablo Ramirez Munoz of the Red Hat team.

9.1. How to address the issues?

To resolve the issue, upgrade D-Bus to version 1.16 or later.
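Before scheduling the upgrade it helps to know whether the installed build actually falls inside the affected ranges stated at the top of this page. The following POSIX shell script is an added example, not part of the advisory or of the D-Bus project: it parses the first line of `dbus-daemon --version` output (the "D-Bus Message Bus Daemon X.Y.Z" banner) and classifies the version against the ranges listed above (before 1.12.24, any 1.13.x, 1.14.x before 1.14.4, 1.15.x before 1.15.2). The sample banner embedded at the bottom is constructed for offline use; on a real host replace it with the actual command output.

```shell
#!/bin/sh
# Added example: classify an installed D-Bus version against the affected
# ranges this advisory lists. Not the project's code; the ranges are taken
# from the advisory text, the banner format from dbus-daemon's own output.

# parse_dbus_version BANNER_TEXT -> prints "X.Y.Z" found in the first
# "D-Bus Message Bus Daemon X.Y.Z" line, or nothing if absent
parse_dbus_version() {
    printf '%s\n' "$1" |
        sed -n 's/^D-Bus Message Bus Daemon \([0-9][0-9.]*\).*/\1/p' |
        head -n 1
}

# dbus_affected VERSION -> exit status 0 if VERSION is in an affected range
# (per the advisory), 1 otherwise. Distro suffixes such as "4-1ubuntu1" are
# tolerated on the patch component; upstream fix status only, not backports.
dbus_affected() {
    v="$1"
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # "1.14" with no patch component: treat patch as 0
    [ "$patch" = "$rest" ] && patch=0
    # strip anything after the leading digits of the patch component
    patch=${patch%%[!0-9]*}
    [ -n "$patch" ] || patch=0

    [ "$major" -lt 1 ] && return 0   # 0.x is older than every affected range
    [ "$major" -gt 1 ] && return 1   # 2.x and later are outside the ranges
    [ "$minor" -lt 12 ] && return 0  # everything before 1.12.24 is affected

    case "$minor" in
        12) [ "$patch" -lt 24 ] ;;   # 1.12.x before 1.12.24
        13) return 0 ;;              # every 1.13.x
        14) [ "$patch" -lt 4 ] ;;    # 1.14.x before 1.14.4
        15) [ "$patch" -lt 2 ] ;;    # 1.15.x before 1.15.2
        *)  return 1 ;;              # 1.16 and later: fixed
    esac
}

# report BANNER_TEXT -> prints a one-line verdict and returns 0 if affected
report() {
    ver=$(parse_dbus_version "$1")
    if [ -z "$ver" ]; then
        echo "could not find a D-Bus version in the banner"
        return 1
    fi
    if dbus_affected "$ver"; then
        echo "D-Bus $ver: inside an affected range, upgrade to 1.16 or later"
        return 0
    fi
    echo "D-Bus $ver: outside the affected ranges"
    return 1
}

# Constructed sample banner (not captured from a real host); on a live system
# use:  report "$(dbus-daemon --version 2>/dev/null)"
SAMPLE_BANNER='D-Bus Message Bus Daemon 1.12.20
Copyright (C) 2002, 2003 Red Hat, Inc., CodeFactory AB, and others'

report "$SAMPLE_BANNER"
```

The version comparison is done component by component rather than with a string compare, because "1.12.9" sorts after "1.12.24" lexically but is the older release. Distribution packages that backport the fix without bumping the upstream version will still be reported as affected here; confirm against the vendor advisory (USN-3076-1 in the References) in that case.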

9.2. What to do in case of in-place upgrade?

If you are upgrading from D-Bus 1.14 or earlier, upgrade D-Bus first, then upgrade the affected applications. Please note that upgrading from D-Bus 1.14 or earlier will break applications that depend on 1.15 or later. Upgrading an application may require manual changes to its configuration files.

10. Conclusion

D-Bus is a system bus that allows applications to communicate with each other. Unauthorised access to D-Bus can result in a variety of security issues, including remote code execution. While this issue was officially announced as fixed in D-Bus 1.16, it was already resolved in D-Bus 1.15.2. An upgrade to D-Bus 1.15.2 is

References:

- CVE-2022-42012
- Link: https://usn.ubuntu.com/usn/usn-3076-1

Timeline

Published on: 10/10/2022 00:15:00 UTC
Last modified on: 11/14/2022 15:16:00 UTC
