security bulletin in May 2022

Signed-off-by: N louis.liuxu <louis.liuxu@huawei.com>

security bulletin in May 2022
Signed-off-by: N louis.liuxu <louis.liuxu@huawei.com>
ed7cfcd9 · louis.liuxu · 09ea5734 · ed7cfcd9 · ed7cfcd9 · ed7cfcd9
5 changed file
--- a/en/security-disclosure/2021/2021-09.md
+++ b/en/security-disclosure/2021/2021-09.md
@@ -5,4 +5,4 @@
 | -------- |-------- | -------- | -------- | ----------- | ----------- | -------- | ------- |
 |OpenHarmony-SA-2021-0901 | NA | The component distributedschedule_samgr_lite has a UAF vulnerability.|This vulnerability can be exploited to bypass verification when calling an SA.|OpenHarmony-v2.2(Trunk)|distributedschedule_samgr_lite|   [Link](https://gitee.com/openharmony/distributedschedule_samgr_lite/pulls/24/files) |Reported by OpenHarmony Team|
 |OpenHarmony-SA-2021-0902 | NA | The component kernel_liteos_a has an invalid address access vulnerability.|This vulnerability can be exploited to write to illegal address in kernel, causing Remote Code Execute. |OpenHarmony-v2.2(Trunk)|kernel_liteos_a|   [Link](https://gitee.com/openharmony/kernel_liteos_a/pulls/373/files) |Reported by OpenHarmony Team|
-|OpenHarmony-SA-2021-0903 | NA | The component drivers_adapter has an integer overflow vulnerability.|This vulnerability can be exploited to apply large memory, causing Dos attacks.|OpenHarmony-v2.2(Trunk)|drivers_adapter|   [Link](https://gitee.com/openharmony/drivers_adapter/pulls/31/files) |[Reported by OpenHarmony Team|
+|OpenHarmony-SA-2021-0903 | NA | The component drivers_adapter has an integer overflow vulnerability.|This vulnerability can be exploited to apply large memory, causing Dos attacks.|OpenHarmony-v2.2(Trunk)|drivers_adapter|   [Link](https://gitee.com/openharmony/drivers_adapter/pulls/31/files) |Reported by OpenHarmony Team|
--- a/en/security-disclosure/2022/2022-05.md
+++ b/en/security-disclosure/2022/2022-05.md
+## Security Vulnerabilities in May 2022
+_published May 6,2022_
+
+| Vulnerability ID | related Vulnerability | Vulnerability Descripton | Vulnerability Impact | affected versions | affected projects| fix link | reference |
+| -------- |-------- | -------- | -------- | ----------- | ----------- | -------- | ------- |
+|OpenHarmony-SA-2022-0501 | NA | The softbus subsystem in OpenHarmony has a heap overflow vulnerability. | Local attackers can overwrite the memory and get system control. |OpenHarmony-3.0-LTS|communication_dsoftbus|   [Link](https://gitee.com/openharmony/communication_dsoftbus/pulls/1198) |Reported by OpenHarmony Team|
+|OpenHarmony-SA-2022-0502 | NA | The softbus subsystem in OpenHarmony has a heap overflow vulnerability when receive a tcp message. | LAN attackers can lead to remote code execution(RCE) and get system control. |OpenHarmony-3.0-LTS|communication_dsoftbus|   [Link](https://gitee.com/openharmony/communication_dsoftbus/pulls/1113) |Reported by OpenHarmony Team|
+|OpenHarmony-SA-2022-0503 | NA | The softbus subsystem in OpenHarmony has an out-of-bounds access vulnerability when handle a synchronized message from another device. | Local attackers can elevate permissions to SYSTEM. |OpenHarmony-3.0-LTS|communication_dsoftbus|   [Link](https://gitee.com/openharmony/communication_dsoftbus/pulls/1369) |Reported by OpenHarmony Team|
+|OpenHarmony-SA-2022-0504 | NA | The calss Lock in OpenHarmony has a double free vulnerability. | Local attackers can elevate permissions to SYSTEM. |OpenHarmony-3.0-LTS|global_resmgr_standard|   [Link](https://gitee.com/openharmony/global_resmgr_standard/pulls/136) |Reported by OpenHarmony Team|
+
+### The following table lists the third-party library vulnerabilities with only the CVE, severity, and affected OpenHarmony versions provided. For more details, see the security bulletins released by third-parties.
+
+| CVE | severity | affected OpenHarmony versions | fix link |
+| --- | -------- | ----------------------------- | -------- |
+| CVE-2022-0778  | Medium | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/third_party_openssl/pulls/34) |
+| CVE-2018-25032 | High | OpenHarmony-1.0-LTS<br/>OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/third_party_zlib/pulls/31)<br/>[Link](https://gitee.com/openharmony/third_party_zlib/pulls/30) |
+| CVE-2021-28714 | Medium | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/06639c05f98d596690a93b4179235f709fbdfffe) |
+| CVE-2021-28715 | Medium | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/2938e8ac18d248567afe744760db99c77aff2253) |
+| CVE-2022-23222 | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/4e695c44106d3f0f9908ffb1c9593205bb7f80ed) |
+| CVE-2022-0185  | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/76a954013f985828558dc67851b1a455ae7d3421) |
+| CVE-2021-22600 | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/214329f8032e15f72d39ab3ecf95b5fab274fe1a) |
+| CVE-2022-22942 | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/9a967f71164cf3b3fc7874b5f1cc193b3819b402) |
+| CVE-2022-0492  | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/ea8f5c0c115c8c61a76b3dfa51cddb9c5c40fec4) |
+| CVE-2022-24448 | Low | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/9e4a6ed92bb4e0b964c5e3fff63d20cf46eda38f)<br/>[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/af9e3d1a2dc61aa346e33a287fb83c8c0d487881)<br/>[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/51fef9de52b5b1431cac919c052f1e82f4cdfbae) |
+| CVE-2022-0516  | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/8ba71b83e7acfbbf351d3d5b10ced7a4f66c05c9) |
+| CVE-2022-0617  | Medium | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/999c29733c45ac8864c64aa8b4b98df436327096)<br/>[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/7d65b9dbe4277bac42eb649935cd02fdcd47cfe0) |
+| CVE-2022-0847  | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/b4e786c8ebae053b21583494b44f97e30b58ec3d) |
+| CVE-2022-26490 | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/pulls/141) |
+| CVE-2022-25636 | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/62e6212596777900936105d7dbc18ed2303026c0) |
+| CVE-2022-26966 | Medium | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/4b80b2d8eba4d9df430b5b19096299b017541e1d) |
+| CVE-2022-1011  | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/013bad7096d7bee6a3beb0936060e07644fc251d) |
+| CVE-2022-27223 | High | OpenHarmony-3.0-LTS |[Link](https://gitee.com/openharmony/kernel_linux_5.10/commit/5939446d63ddecefdbe31834c2ee00c5bc0514e2) |
--- a/en/security-disclosure/README.md
+++ b/en/security-disclosure/README.md
@@ -2,10 +2,13 @@

 This document describes the security vulnerabilities of OpenHarmony.

+## Security Vulnerabilities in 2022
+**[Security Vulnerabilities in May](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2022/2022-05.md)**  
+
 ## Security Vulnerabilities in 2021
- **[Security Vulnerabilities in March](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2021/2021-03.md)**  
- **[Security Vulnerabilities in August](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2021/2021-08.md)**  
- **[Security Vulnerabilities in September](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2021/2021-09.md)** 
+**[Security Vulnerabilities in March](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2021/2021-03.md)**  
+**[Security Vulnerabilities in August](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2021/2021-08.md)**  
+**[Security Vulnerabilities in September](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2021/2021-09.md)**  

 ## Security Vulnerabilities in 2020
- **[Security Vulnerabilities in September](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2020/2020-09.md)** 
+**[Security Vulnerabilities in September](https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2020/2020-09.md)**  
--- a/zh/security-disclosure/2022/2022-05.md
+++ b/zh/security-disclosure/2022/2022-05.md
+## 2022年5月安全漏洞
+_发布于2022.5.6_
+
+| 漏洞编号 | 相关漏洞 | 漏洞描述 | 漏洞影响 | 受影响的版本 | 受影响的仓库 | 修复链接 | 参考链接 |
+| -------- |-------- | -------- | -------- | ----------- | ----------- | -------- | ------- |
+|OpenHarmony-SA-2022-0501 | NA | 软总线子系统存在堆溢出漏洞。| 攻击者可在本地发起攻击，造成内存访问越界，可获取系统控制权。|OpenHarmony-3.0-LTS|communication_dsoftbus|   [链接](https://gitee.com/openharmony/communication_dsoftbus/pulls/1198) |本项目组上报|
+|OpenHarmony-SA-2022-0502 | NA | 软总线子系统在接收TCP消息时存在堆溢出漏洞。| 攻击者可在局域网内发起攻击，进行远程代码执行，获得系统控制权。|OpenHarmony-3.0-LTS|communication_dsoftbus|   [链接](https://gitee.com/openharmony/communication_dsoftbus/pulls/1113) |本项目组上报|
+|OpenHarmony-SA-2022-0503 | NA | 软总线处理设备同步消息时存在越界访问漏洞。| 攻击者可在局域网内发起攻击，可造成内存访问越界，造成DoS攻击。|OpenHarmony-3.0-LTS|communication_dsoftbus|   [链接](https://gitee.com/openharmony/communication_dsoftbus/pulls/1369) |本项目组上报|
+|OpenHarmony-SA-2022-0504 | NA | Lock类包含的一个指针成员存在重复释放问题。| 攻击者可在本地发起攻击，可获取系统控制权。|OpenHarmony-3.0-LTS|global_resmgr_standard|   [链接](https://gitee.com/openharmony/global_resmgr_standard/pulls/136) |本项目组上报|
+
+### 以下为三方库漏洞，只提供CVE、严重程度、受影响的OpenHarmony版本，详细信息请参考三方公告。
+
+| CVE | 严重程度 | 受影响的OpenHarmony版本 | 修复链接 |
+| --- | -------- | ---------------------- | ------- |
+| CVE-2022-0778  | 中 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/third_party_openssl/pulls/34) |
+| CVE-2018-25032 | 高 | OpenHarmony-1.0-LTS<br/>OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/third_party_zlib/pulls/31)<br/>[链接](https://gitee.com/openharmony/third_party_zlib/pulls/30) |
+| CVE-2021-28714 | 中 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/06639c05f98d596690a93b4179235f709fbdfffe) |
+| CVE-2021-28715 | 中 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/2938e8ac18d248567afe744760db99c77aff2253) |
+| CVE-2022-23222 | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/4e695c44106d3f0f9908ffb1c9593205bb7f80ed) |
+| CVE-2022-0185  | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/76a954013f985828558dc67851b1a455ae7d3421) |
+| CVE-2021-22600 | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/214329f8032e15f72d39ab3ecf95b5fab274fe1a) |
+| CVE-2022-22942 | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/9a967f71164cf3b3fc7874b5f1cc193b3819b402) |
+| CVE-2022-0492  | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/ea8f5c0c115c8c61a76b3dfa51cddb9c5c40fec4) |
+| CVE-2022-24448 | 低 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/9e4a6ed92bb4e0b964c5e3fff63d20cf46eda38f)<br/>[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/af9e3d1a2dc61aa346e33a287fb83c8c0d487881)<br/>[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/51fef9de52b5b1431cac919c052f1e82f4cdfbae) |
+| CVE-2022-0516  | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/8ba71b83e7acfbbf351d3d5b10ced7a4f66c05c9) |
+| CVE-2022-0617  | 中 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/999c29733c45ac8864c64aa8b4b98df436327096)<br/>[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/7d65b9dbe4277bac42eb649935cd02fdcd47cfe0) |
+| CVE-2022-0847  | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/b4e786c8ebae053b21583494b44f97e30b58ec3d) |
+| CVE-2022-26490 | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/pulls/141) |
+| CVE-2022-25636 | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/62e6212596777900936105d7dbc18ed2303026c0) |
+| CVE-2022-26966 | 中 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/4b80b2d8eba4d9df430b5b19096299b017541e1d) |
+| CVE-2022-1011  | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/013bad7096d7bee6a3beb0936060e07644fc251d) |
+| CVE-2022-27223 | 高 | OpenHarmony-3.0-LTS |[链接](https://gitee.com/openharmony/kernel_linux_5.10/commit/5939446d63ddecefdbe31834c2ee00c5bc0514e2) |
+
--- a/zh/security-disclosure/README.md
+++ b/zh/security-disclosure/README.md
@@ -2,12 +2,14 @@

 本文档主要发布OpenHarmony软件的安全漏洞公告。

-
- ## 2021年安全漏洞
- **[2021年3月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-03.md)**   
-  **[2021年8月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-08.md)**   
-  **[2021年9月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-09.md)** 
+## 2022年安全漏洞
+**[2022年5月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2022/2022-05.md)**  
+ 
+## 2021年安全漏洞
+**[2021年3月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-03.md)**  
+**[2021年8月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-08.md)**  
+**[2021年9月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2021/2021-09.md)**  

 ## 2020年安全漏洞
- **[2020年9月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2020/2020-09.md)** 
+**[2020年9月安全漏洞](https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2020/2020-09.md)**