
CV_2022_01_1: Local Privilege Escalation Vulnerability in Polkit's pkexec Utility

  This advisory is archived

Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.

  • Advisory ID: CV_2022_01_1
  • Title: Local Privilege Escalation Vulnerability in Polkit's pkexec Utility
  • Severity: HIGH
  • Issued: 2022-01-29
  • Updated: 2022-01-29
  • CVSS Score Range: 7.0-8.9
  • Additional Links:

Impacted Products

The vulnerability may affect the Commvault Hyperscale products.

Resolution

To fix this vulnerability, install the February 2022 operating system updates on the Hyperscale nodes. You do not need to install maintenance releases.

For more information, see the following:

CVE Details

Description

A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec does not handle the calling parameter count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that pkexec is induced to execute arbitrary code. When successfully executed, the attack causes a local privilege escalation, giving unprivileged users administrative rights on the target machine.
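The parameter-count defect the description refers to, as an added example that is not Polkit's or Commvault's code: a minimal model of the unchecked argument handling beside its checked form, run against constructed argument vectors laid out the way the kernel places argv and the environment. Function names and sample values are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Polkit's code. A new process's stack holds
 * argv[0..argc-1], a NULL, then the environment strings, so when a
 * program is started with an empty argument vector (argc == 0) the
 * entry at argv[1] is the same pointer as envp[0]. */

/* Unchecked pattern: skip leading "-" options, then take the next entry
 * as the program without confirming the index is still inside argv. */
const char *program_unchecked(int argc, char *const argv[])
{
    int n;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;
    return argv[n];            /* argc == 0 -> argv[1], i.e. envp[0] */
}

/* Checked pattern: refuse an empty argv outright and never read past
 * the end of the argument vector; NULL means "refuse to run". */
const char *program_checked(int argc, char *const argv[])
{
    int n;
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return NULL;           /* started without even a program name */
    for (n = 1; n < argc; n++) {
        if (argv[n] == NULL)
            return NULL;       /* argv shorter than argc claims */
        if (argv[n][0] != '-')
            break;
    }
    return n < argc ? argv[n] : NULL;   /* options but no program */
}

int main(void)
{
    /* Constructed vectors: an argc == 0 start (NULL terminator followed
     * by the first environment string) and a normal invocation. */
    char *const empty_argv[]  = { NULL, "PATH=/usr/local/bin", NULL };
    char *const normal_argv[] = { "helper", "-q", "id", NULL, "PATH=/usr/bin", NULL };
    const char *p;

    printf("unchecked, argc=0: %s\n", program_unchecked(0, empty_argv));
    p = program_checked(0, empty_argv);
    printf("checked,   argc=0: %s\n", p ? p : "(refused)");
    printf("checked,   argc=3: %s\n", program_checked(3, normal_argv));
    return 0;
}
```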

Documentation

https://documentation.commvault.com