2022年第5期
【预警类型】高危预警
【预警内容】微软多个安全漏洞
近日,微软官方发布了多个安全漏洞的公告,其中微软产品本身漏洞75个,影响到微软产品的其他厂商漏洞1个。包括Microsoft Windows LDAP 输入验证错误漏洞(CNNVD-202205-2869、CVE-2022-22012)、Microsoft Windows Network File System 输入验证错误漏洞(CNNVD-202205-2781、CVE-2022-26937)等多个漏洞。成功利用上述漏洞的攻击者可以在目标系统上执行任意代码、获取用户数据,提升权限等。微软多个产品和系统受漏洞影响。目前,微软官方已经发布了漏洞修复补丁,建议用户及时确认是否受到漏洞影响,尽快采取修补措施。
一、 漏洞介绍
2022年5月10日,微软发布了2022年5月份安全更新,共76个漏洞的补丁程序,CNNVD对这些漏洞进行了收录。本次更新主要涵盖了Microsoft Windows 和 Windows 组件、Microsoft Windows ALPC、Windows Failover Cluster Automation Server、MicrosoftGraphics Component、Microsoft Excel、Microsoft Windows WLAN Auto Config Service等。CNNVD对其危害等级进行了评价,其中超危漏洞3个,高危漏洞50个,中危漏洞22个,低危漏洞1个。微软多个产品和系统版本受漏洞影响,具体影响范围可访问https://portal.msrc.microsoft.com/zh-cn/security-guidance查询。
二、漏洞详情
此次更新共包括73个新增漏洞的补丁程序,其中超危漏洞3个,高危漏洞47个,中危漏洞22个,低危漏洞1个。
序号 | 漏洞名称 | CNNVD编号 | CVE编号 | 危害等级 | 官方链接 |
1 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2869 | CVE-2022-22012 | 超危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22012 |
2 | Microsoft Windows Network File System 输入验证错误漏洞 | CNNVD-202205-2781 | CVE-2022-26937 | 超危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937 |
3 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2758 | CVE-2022-29130 | 超危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29130 |
4 | Microsoft Windows Point-to-Point Tunneling Protocol 竞争条件问题漏洞 | CNNVD-202205-2865 | CVE-2022-21972 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21972 |
5 | Microsoft Exchange Server 权限许可和访问控制问题漏洞 | CNNVD-202205-2736 | CVE-2022-21978 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21978 |
6 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2876 | CVE-2022-22013 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22013 |
7 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2868 | CVE-2022-22014 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22014 |
8 | Microsoft Windows PlayToManager 竞争条件问题漏洞 | CNNVD-202205-2873 | CVE-2022-22016 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22016 |
9 | Microsoft Remote Desktop Client 输入验证错误漏洞 | CNNVD-202205-2872 | CVE-2022-22017 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22017 |
10 | Microsoft Windows Remote Procedure Call Runtime 输入验证错误漏洞 | CNNVD-202205-2870 | CVE-2022-22019 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22019 |
11 | Microsoft Visual Studio和Microsoft .NET 输入验证错误漏洞 | CNNVD-202205-2800 | CVE-2022-23267 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23267 |
12 | Microsoft Windows Point-to-Point Tunneling Protocol 竞争条件问题漏洞 | CNNVD-202205-2863 | CVE-2022-23270 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23270 |
13 | Microsoft Windows ALPC 竞争条件问题漏洞 | CNNVD-202205-2856 | CVE-2022-23279 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23279 |
15 | Microsoft Windows Authentication Methods 安全特征问题漏洞 | CNNVD-202205-2853 | CVE-2022-26913 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26913 |
16 | Microsoft Windows Active Directory 权限许可和访问控制问题漏洞 | CNNVD-202205-2850 | CVE-2022-26923 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923 |
17 | Microsoft Local Security Authority Server 安全漏洞 | CNNVD-202205-2846 | CVE-2022-26925 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 |
18 | Microsoft Windows Address Book 输入验证错误漏洞 | CNNVD-202205-2836 | CVE-2022-26926 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26926 |
19 | Microsoft Graphics Component 输入验证错误漏洞 | CNNVD-202205-2830 | CVE-2022-26927 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26927 |
20 | Microsoft Windows Kerberos 权限许可和访问控制问题漏洞 | CNNVD-202205-2812 | CVE-2022-26931 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 |
21 | Microsoft Windows Storage Spaces Controller 权限许可和访问控制问题漏洞 | CNNVD-202205-2804 | CVE-2022-26932 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26932 |
22 | Microsoft Windows Storage Spaces Controller 竞争条件问题漏洞 | CNNVD-202205-2780 | CVE-2022-26938 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26938 |
23 | Microsoft Windows Storage Spaces Controller 竞争条件问题漏洞 | CNNVD-202205-2779 | CVE-2022-26939 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26939 |
24 | Microsoft Windows Remote Access Connection Manager 权限许可和访问控制问题漏洞 | CNNVD-202205-2776 | CVE-2022-29103 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29103 |
25 | Microsoft Windows Print Spooler Components 权限许可和访问控制问题漏洞 | CNNVD-202205-2775 | CVE-2022-29104 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29104 |
26 | Microsoft Windows Media 输入验证错误漏洞 | CNNVD-202205-2774 | CVE-2022-29105 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29105 |
27 | Microsoft Hyper-V 竞争条件问题漏洞 | CNNVD-202205-2772 | CVE-2022-29106 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29106 |
28 | Microsoft SharePoint Server 输入验证错误漏洞 | CNNVD-202205-2730 | CVE-2022-29108 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29108 |
29 | Microsoft Excel 输入验证错误漏洞 | CNNVD-202205-2737 | CVE-2022-29109 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29109 |
30 | Microsoft Excel 输入验证错误漏洞 | CNNVD-202205-2861 | CVE-2022-29110 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29110 |
31 | Microsoft Windows 竞争条件问题漏洞 | CNNVD-202205-2769 | CVE-2022-29113 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29113 |
32 | Microsoft Windows Fax services 输入验证错误漏洞 | CNNVD-202205-2767 | CVE-2022-29115 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29115 |
33 | Microsoft Visual Studio和Microsoft .NET 输入验证错误漏洞 | CNNVD-202205-2773 | CVE-2022-29117 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29117 |
34 | Microsoft Windows Push Notifications 竞争条件问题漏洞 | CNNVD-202205-2761 | CVE-2022-29125 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29125 |
35 | Microsoft Tablet Windows User Interface 竞争条件问题漏洞 | CNNVD-202205-2760 | CVE-2022-29126 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29126 |
36 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2759 | CVE-2022-29128 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29128 |
37 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2756 | CVE-2022-29129 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29129 |
38 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2753 | CVE-2022-29131 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29131 |
39 | Microsoft Windows Print Spooler Components 权限许可和访问控制问题漏洞 | CNNVD-202205-2755 | CVE-2022-29132 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29132 |
40 | Microsoft Windows Kernel 权限许可和访问控制问题漏洞 | CNNVD-202205-2752 | CVE-2022-29133 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29133 |
41 | Microsoft Windows Cluster Shared Volume 竞争条件问题漏洞 | CNNVD-202205-2751 | CVE-2022-29135 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29135 |
42 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2748 | CVE-2022-29137 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29137 |
43 | Microsoft Windows Cluster Shared Volume 竞争条件问题漏洞 | CNNVD-202205-2750 | CVE-2022-29138 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29138 |
44 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2749 | CVE-2022-29139 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29139 |
45 | Microsoft Windows LDAP 输入验证错误漏洞 | CNNVD-202205-2743 | CVE-2022-29141 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29141 |
46 | Microsoft Windows Kernel 竞争条件问题漏洞 | CNNVD-202205-2747 | CVE-2022-29142 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29142 |
47 | Microsoft Visual Studio和Microsoft .NET 输入验证错误漏洞 | CNNVD-202205-2770 | CVE-2022-29145 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29145 |
48 | Microsoft Visual Studio 输入验证错误漏洞 | CNNVD-202205-2744 | CVE-2022-29148 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29148 |
49 | Microsoft Windows Cluster Shared Volume 竞争条件问题漏洞 | CNNVD-202205-2742 | CVE-2022-29150 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29150 |
50 | Microsoft Windows Cluster Shared Volume 竞争条件问题漏洞 | CNNVD-202205-2746 | CVE-2022-29151 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29151 |
51 | Microsoft Visual Studio Code 输入验证错误漏洞 | CNNVD-202205-2847 | CVE-2022-30129 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30129 |
52 | Microsoft Graphics Components 信息泄露漏洞 | CNNVD-202205-2877 | CVE-2022-22011 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22011 |
53 | Microsoft Windows Remote Desktop Protocol 信息泄露漏洞 | CNNVD-202205-2874 | CVE-2022-22015 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22015 |
54 | Microsoft Hyper-V 竞争条件问题漏洞 | CNNVD-202205-2867 | CVE-2022-22713 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22713 |
55 | Microsoft Hyper-V 安全特征问题漏洞 | CNNVD-202205-2849 | CVE-2022-24466 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24466 |
56 | Microsoft Windows Remote Access Connection Manager 信息泄露漏洞 | CNNVD-202205-2823 | CVE-2022-26930 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26930 |
57 | Microsoft Windows NTFS 信息泄露漏洞 | CNNVD-202205-2794 | CVE-2022-26933 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26933 |
58 | Microsoft Graphics Component 信息泄露漏洞 | CNNVD-202205-2784 | CVE-2022-26934 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26934 |
59 | Microsoft Windows WLAN Auto Config Service 信息泄露漏洞 | CNNVD-202205-2783 | CVE-2022-26935 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26935 |
60 | Microsoft Windows Server Service 信息泄露漏洞 | CNNVD-202205-2782 | CVE-2022-26936 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26936 |
61 | Microsoft Remote Desktop Client 信息泄露漏洞 | CNNVD-202205-2778 | CVE-2022-26940 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26940 |
62 | Windows Failover Cluster Automation Server 信息泄露漏洞 | CNNVD-202205-2777 | CVE-2022-29102 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29102 |
63 | Microsoft Office 安全特征问题漏洞 | CNNVD-202205-2740 | CVE-2022-29107 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29107 |
64 | Microsoft Graphics Component 信息泄露漏洞 | CNNVD-202205-2771 | CVE-2022-29112 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29112 |
65 | Microsoft Windows Print Spooler Components 信息泄露漏洞 | CNNVD-202205-2768 | CVE-2022-29114 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29114 |
66 | Microsoft Windows Kernel 信息泄露漏洞 | CNNVD-202205-2766 | CVE-2022-29116 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29116 |
67 | Microsoft Windows Cluster Shared Volume 信息泄露漏洞 | CNNVD-202205-2765 | CVE-2022-29120 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29120 |
68 | Microsoft Windows WLAN AutoConfig Service 输入验证错误漏洞 | CNNVD-202205-2763 | CVE-2022-29121 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29121 |
69 | Microsoft Windows Cluster Shared Volume 信息泄露漏洞 | CNNVD-202205-2764 | CVE-2022-29122 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29122 |
70 | Microsoft Windows Cluster Shared Volume 信息泄露漏洞 | CNNVD-202205-2762 | CVE-2022-29123 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29123 |
71 | Microsoft Windows BitLocker 安全特征问题漏洞 | CNNVD-202205-2757 | CVE-2022-29127 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29127 |
72 | Microsoft Windows Cluster Shared Volume 信息泄露漏洞 | CNNVD-202205-2754 | CVE-2022-29134 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29134 |
73 | Microsoft Windows Print Spooler Components 信息泄露漏洞 | CNNVD-202205-2745 | CVE-2022-29140 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29140 |
74 | Microsoft .NET Framework 输入验证错误漏洞 | CNNVD-202205-2790 | CVE-2022-30130 | 低危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30130 |
此次更新共包括2个更新漏洞的补丁程序,其中高危漏洞2个。
序号 | 漏洞名称 | CNNVD 编号 | CVE 编号 | 危害等级 | 官方链接 |
1 | Microsoft Visual Studio 安全漏洞 | CNNVD-202204-3059 | CVE-2022-24513 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24513 |
2 | Microsoft Windows PowerShell 权限许可和访问控制问题漏洞 | CNNVD-202204-3062 | CVE-2022-26788 | 高危 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26788 |
此次更新共包括1个影响微软产品的其他厂商漏洞的补丁程序,其中高危漏洞1个。
序号 | 漏洞 名称 | CNNVD编号 | CVE 编号 | 危害等级 | 厂商 | 官方链接 |
1 | Google Chrome 安全漏洞 | CNNVD-202203-2278 | CVE-2022-1096 | 高危 | https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html |
三、修复建议
目前,微软官方已经发布补丁修复了上述漏洞,建议用户及时确认漏洞影响,尽快采取修补措施。微软官方补丁下载地址:
https://msrc.microsoft.com/update-guide/en-us
CNNVD将继续跟踪上述漏洞的相关情况,及时发布相关信息。如有需要,可与CNNVD联系。联系方式: cnnvdvul@itsec.gov.cn