JCloud security update, March 2022
Multiple critical security vulnerabilities in software from different vendors
have been published since the last update. Some of them are or could be closely
related to JCloud services. Security information about these products
is therefore published in this article.
JCloud does NOT use the following products, neither in its infrastructure
nor by its employees, and is therefore NOT vulnerable to any published
security vulnerabilities in:
- Microsoft products
- Gitlab products
- Cisco products
- D-link products
- Adobe products
- TP-Link products
- Dell products
- Linux kernel CVE-2022-0492 Cgroup privilege escalation
  - Docker / Cgroups is not enabled in JCloud Linux
- AMD and Intel CVE-2021-26341 Spectre-v2 Branch History Injection
  - Kernel code insertion / BPF is not enabled in JCloud Linux
JCloud has detected and patched the following vulnerabilities. No security incidents have been reported.
- CVE-2022-0847 dirty pipe
  - Package affected: kernel
  - Type: Local privilege escalation
  - Fixed in version: 5.15.26
  - Date: 2022-03-07
- CVE-2022-26485 Use-after-free in XSLT parameter processing
  - Package affected: firefox
  - Type: Privilege escalation
  - Fixed in version: 97.0.2
  - Date: 2022-03-07
JCERT, 2022-03-14