CVE-2022-23219

high-risk

Published 2022-01-14

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Do I need to act?

0.50% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (11)

Glibc

Communications Cloud Native Core Binding Support Function

Communications Cloud Native Core Network Function Cloud Native Environment

Communications Cloud Native Core Network Repository Function

Communications Cloud Native Core Security Edge Protection Proxy

Communications Cloud Native Core Unified Data Repository

Enterprise Operations Monitor

Debian Linux

Affected Vendors

Debian Gnu Oracle

References (8)

Mailing List https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html

Third Party Advisory https://security.gentoo.org/glsa/202208-24

Exploit https://sourceware.org/bugzilla/show_bug.cgi?id=22542

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Mailing List https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html

Third Party Advisory https://security.gentoo.org/glsa/202208-24

Exploit https://sourceware.org/bugzilla/show_bug.cgi?id=22542

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 16/34 · Moderate