CVE-2021-44225

Publication date 26 November 2021

Last updated 24 July 2024


Ubuntu priority

CVSS 3 severity score

5.4 · Medium

Score breakdown

In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to an access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property.
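The policy weakness described above, as an added illustration that is not taken from this page or from the Keepalived sources: an allow rule in the default context that names an interface but no send_destination matches messages to every service on the system bus, which is what lets an unprivileged user reach the Properties interface of unrelated services. The bus name org.keepalived.Vrrp1 and the file path are assumptions; only one of the two default-context blocks would appear in a real file, both are shown for comparison.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Illustrative system-bus policy (assumed location: /usr/share/dbus-1/system.d/).
     The bus name org.keepalived.Vrrp1 is an assumption, not taken from this page. -->
<busconfig>
  <!-- Only root may claim the service's bus name. -->
  <policy user="root">
    <allow own="org.keepalived.Vrrp1"/>
  </policy>

  <!-- WEAK (the pattern the CVE describes): no send_destination, so in the
       default context ANY local user may call
       org.freedesktop.DBus.Properties.Get/Set/GetAll on ANY service that
       does not itself deny it, not just on this service. -->
  <policy context="default">
    <allow send_interface="org.freedesktop.DBus.Properties"/>
  </policy>

  <!-- CORRECTED: scope the rule to this service's own bus name. Property
       access on other services is again governed only by their own policies. -->
  <policy context="default">
    <allow send_destination="org.keepalived.Vrrp1"
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>
```

After the corrected file is in place, check as an unprivileged user that a Properties.Get call addressed to a service other than org.keepalived.Vrrp1 is rejected by the bus daemon with an access-denied error.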

Status

Package      Ubuntu release        Status
keepalived   22.04 LTS jammy       Fixed 1:2.2.4-0.2
             21.10 impish          Fixed 1:2.1.5-0.2ubuntu1.1
             21.04 hirsute         Fixed 1:2.1.5-0.2ubuntu0.1
             20.04 LTS focal       Fixed 1:2.0.19-2ubuntu0.1
             18.04 LTS bionic      Fixed 1:1.3.9-1ubuntu0.18.04.3
             16.04 LTS xenial      Not affected
             14.04 LTS trusty      Not affected

Patch details

For informational purposes only. We recommend against cherry-picking updates. How can I get the fixes?

Package Patch details
keepalived

Severity score breakdown

Parameter               Value
Base score              5.4 · Medium
Attack vector           Network
Attack complexity       Low
Privileges required     Low
User interaction        None
Scope                   Unchanged
Confidentiality impact  Low
Integrity impact        Low
Availability impact     None
Vector                  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-5188-1: Keepalived vulnerability (13 December 2021)

Other references