Logic issue in variable service module for EDK II/UDK2018/UDK2017/UDK2015 may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Edk_ii | Tianocore | udk2015 (including) | udk2015 (including) |
| Edk_ii | Tianocore | udk2017 (including) | udk2017 (including) |
| Edk_ii | Tianocore | udk2018 (including) | udk2018 (including) |
| Red Hat Enterprise Linux 7 | RedHat | ovmf-0:20180508-6.gitee3198e672e2.el7 | * |
| Edk2 | Ubuntu | bionic | * |
| Edk2 | Ubuntu | cosmic | * |
| Edk2 | Ubuntu | esm-apps/bionic | * |
| Edk2 | Ubuntu | esm-apps/xenial | * |
| Edk2 | Ubuntu | trusty | * |
| Edk2 | Ubuntu | xenial | * |
References
- https://access.redhat.com/errata/RHSA-2019:2125
- https://edk2-docs.gitbooks.io/security-advisory/content/authvariable-timestamp-zeroing-on-append_write.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ABTDKZK2G5XP6JCO3HXMPOA2NRTIYDZ/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03912en_us
- https://access.redhat.com/errata/RHSA-2019:2125
- https://edk2-docs.gitbooks.io/security-advisory/content/authvariable-timestamp-zeroing-on-append_write.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ABTDKZK2G5XP6JCO3HXMPOA2NRTIYDZ/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03912en_us