CVE-2022-39377
Publication date 8 November 2022
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
sysstat is a set of system performance tools for the Linux operating system. On 32-bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE). This issue has been patched in version 12.7.1.
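The arithmetic behind the description above, as an added example that is not sysstat's code: it models a 32-bit size_t with uint32_t and compares an unchecked size product with a bounds-checked one. The function names, the three factors and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model a 32-bit size_t so the wrap reproduces on a 64-bit host. */
typedef uint32_t size32_t;

/* Unchecked: the product is reduced modulo 2^32 without any error. */
static size32_t unchecked_size(size32_t item_size, size32_t items, size32_t sub_items)
{
    return item_size * items * sub_items;
}

/* Checked: 0 and *out on success, -1 if the product does not fit. */
static int checked_size(size32_t item_size, size32_t items, size32_t sub_items, size32_t *out)
{
    size32_t n;

    if (items != 0 && sub_items > UINT32_MAX / items)
        return -1;
    n = items * sub_items;
    if (n != 0 && item_size > UINT32_MAX / n)
        return -1;
    *out = item_size * n;
    return 0;
}

/* Allocate only when the size is representable and non-zero. */
static void *alloc_records(size32_t item_size, size32_t items, size32_t sub_items)
{
    size32_t bytes;

    if (checked_size(item_size, items, sub_items, &bytes) != 0 || bytes == 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed sample values chosen so the product exceeds 2^32. */
    size32_t item_size = 64, items = 0x04000001u, sub_items = 1;
    void *p = alloc_records(item_size, items, sub_items);

    printf("unchecked size: %u bytes for %u records\n",
           (unsigned)unchecked_size(item_size, items, sub_items), (unsigned)items);
    printf("checked allocation: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the unchecked product the buffer would be 64 bytes while the record count stays at 67108865, which is the mismatch a bounds check before the multiplication prevents.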
Status
Package | Ubuntu Release | Status |
---|---|---|
sysstat | 22.04 LTS jammy | Fixed 12.5.2-2ubuntu0.1 |
sysstat | 20.04 LTS focal | Fixed 12.2.0-2ubuntu0.2 |
sysstat | 18.04 LTS bionic | Fixed 11.6.1-1ubuntu0.2 |
sysstat | 16.04 LTS xenial | Fixed 11.2.0-1ubuntu0.3+esm1 |
sysstat | 14.04 LTS trusty | Fixed 10.2.0-1ubuntu0.1~esm1 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 · High |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5735-1: Sysstat vulnerability, 22 November 2022
- USN-5748-1: Sysstat vulnerability, 29 November 2022
- USN-6145-1: Sysstat vulnerabilities, 7 June 2023