Für das OS Android sind Update verfügbar, die mehrere Sicherheitslücken im beliebten OS auf Smartphones, schließen. Wer das akutelle Update installiert hat, sieht den Patchlevel 2022-05-05 in seinem Gerät. Das Update beinhaltet auch den aktuellen Patch 2022-05-01. Die Lücken sind zum Teil als kritisch eingestuft, weshalb ein Update dringend empfohlen wird. Betroffen sind neben dem System, das Framework, Kernel und MediaTek. Einige Lücken sind in der Komponente von Qualcomm gefunden worden.
Außer der Reihe patcht Google die Geräte der Pixel Serie, siehe CVE-2022-20120 und CVE-2022-20117. Zudem endet für das Pixel 3a und Pixel 3a XL der Support mit diesem Update. Für Pixel 4 und Pixel 4 XL endet der Support im Oktober 2022.
2022-05-01 security patch level vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-05-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.
Framework
The most severe vulnerability in this section could lead to local escalation of privilege with User execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2021-39662 | A-197302116 | EoP | High | 11, 12 |
| CVE-2022-20004 | A-179699767 | EoP | High | 10, 11, 12, 12L |
| CVE-2022-20005 | A-219044664 | EoP | High | 10, 11, 12, 12L |
| CVE-2022-20007 | A-211481342 | EoP | High | 10, 11, 12, 12L |
| CVE-2021-39700 | A-201645790 | ID | Moderate | 10, 11, 12 |
System
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2022-20113 | A-205996517 | EoP | High | 12, 12L |
| CVE-2022-20114 | A-211114016 | EoP | High | 10, 11, 12, 12L |
| CVE-2022-20116 | A-212467440 | EoP | High | 12, 12L |
| CVE-2022-20010 | A-213519176 | ID | High | 12, 12L |
| CVE-2022-20011 | A-214999128 | ID | High | 10, 11, 12, 12L |
| CVE-2022-20115 | A-210118427 | ID | High | 12, 12L |
| CVE-2021-39670 | A-204087139 | DoS | High | 12, 12L |
| CVE-2022-20112 | A-206987762 | DoS | High | 10, 11, 12, 12L |
Google Play system updates
The following issues are included in Project Mainline components.
| Component | CVE |
|---|---|
| MediaProvider | CVE-2021-39662 |
2022-05-05 security patch level vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-05-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
Kernel components
The most severe vulnerability in this section could lead to local escalation of privilege in system libraries with no additional execution privileges needed.
| CVE | References | Type | Severity | Component |
|---|---|---|---|---|
| CVE-2022-0847 | A-220741611 Upstream kernel [2] [3] | EoP | High | pipes |
| CVE-2022-20009 | A-213172319 Upstream kernel [2] | EoP | High | Linux |
| CVE-2022-20008 | A-216481035 Upstream kernel [2] [3] | ID | High | SD MMC |
| CVE-2021-22600 | A-213464034 Upstream kernel | EoP | Moderate | Kernel |
MediaTek components
These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.
| CVE | References | Severity | Component |
|---|---|---|---|
| CVE-2022-20084 | A-223071148 M-ALPS06498874 * | High | telephony |
| CVE-2022-20109 | A-223072269 M-ALPS06399915 * | High | ion |
| CVE-2022-20110 | A-223071150 M-ALPS06399915 * | High | ion |
Qualcomm components
These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
| CVE | References | Severity | Component |
|---|---|---|---|
| CVE-2022-22057 | A-218337595 QC-CR#3077687 | High | Display |
| CVE-2022-22064 | A-218338071 QC-CR#3042282 QC-CR#3048959 QC-CR#3056532 QC-CR#3049158 [2] | High | WLAN |
| CVE-2022-22065 | A-218337597 QC-CR#3042293 QC-CR#3064612 | High | WLAN |
| CVE-2022-22068 | A-218337596 QC-CR#3084983 [2] | High | Kernel |
| CVE-2022-22072 | A-218339149 QC-CR#3073345 [2] | High | WLAN |
Qualcomm closed-source components
These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
| CVE | References | Severity | Component |
|---|---|---|---|
| CVE-2021-35090 | A-204905205* | Critical | Closed-source component |
| CVE-2021-35072 | A-204905110* | High | Closed-source component |
| CVE-2021-35073 | A-204905209* | High | Closed-source component |
| CVE-2021-35076 | A-204905151* | High | Closed-source component |
| CVE-2021-35078 | A-204905326* | High | Closed-source component |
| CVE-2021-35080 | A-204905287* | High | Closed-source component |
| CVE-2021-35086 | A-204905289* | High | Closed-source component |
| CVE-2021-35087 | A-204905111* | High | Closed-source component |
| CVE-2021-35094 | A-204905838* | High | Closed-source component |
| CVE-2021-35096 | A-204905290* | High | Closed-source component |
| CVE-2021-35116 | A-209469826* | High | Closed-source component |
Details findest du unter: Android Security Bulletin—May 2022 | Android Open Source Project
Interessiert in verschiedenste IT Themen, schreibe ich in diesem Blog über Software, Hardware, Smart Home, Games und vieles mehr. Ich berichte z.B. über die Installation und Konfiguration von Software als auch von Problemen mit dieser. News sind ebenso spannend, sodass ich auch über Updates, Releases und Neuigkeiten aus der IT berichte. Letztendlich nutze ich Taste-of-IT als eigene Dokumentation und Anlaufstelle bei wiederkehrenden Themen. Ich hoffe ich kann dich ebenso informieren und bei Problemen eine schnelle Lösung anbieten. Wer meinen Aufwand unterstützen möchte, kann gerne eine Tasse oder Pod Kaffe per PayPal spenden – vielen Dank.