An update for edk2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2

Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1358
Final 1.0 1.0 2021-09-30 Initial 2021-09-30 2021-09-30
openEuler SA Tool V1.0 2021-09-30

edk2 security update

EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.

Security Fix(es):

A flaw was found in edk2. Missing checks in the IScsiHexToBin function in NetworkPkg/IScsiDxe lead to a buffer overflow allowing a remote attacker, who can inject himself in the communication between edk2 and the iSCSI target, to write arbitrary data to any address in the edk2 firmware and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-38575)

An update for edk2 is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2. openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Severity: High
Component: edk2

References:
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1358
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-38575
https://nvd.nist.gov/vuln/detail/CVE-2021-38575

Affected products:
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP2

Packages (listed for both openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2):

aarch64:
edk2-devel-202002-6.oe1.aarch64.rpm
edk2-debugsource-202002-6.oe1.aarch64.rpm
edk2-debuginfo-202002-6.oe1.aarch64.rpm

noarch:
python3-edk2-devel-202002-6.oe1.noarch.rpm
edk2-help-202002-6.oe1.noarch.rpm
edk2-aarch64-202002-6.oe1.noarch.rpm
edk2-ovmf-202002-6.oe1.noarch.rpm

src:
edk2-202002-6.oe1.src.rpm

x86_64:
edk2-devel-202002-6.oe1.x86_64.rpm
edk2-debugsource-202002-6.oe1.x86_64.rpm
edk2-debuginfo-202002-6.oe1.x86_64.rpm

CVE-2021-38575 (2021-09-30)

A flaw was found in edk2. Missing checks in the IScsiHexToBin function in NetworkPkg/IScsiDxe lead to a buffer overflow allowing a remote attacker, who can inject himself in the communication between edk2 and the iSCSI target, to write arbitrary data to any address in the edk2 firmware and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP2
Severity: High
CVSS base score: 8.1
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Remediation: edk2 security update (2021-09-30)
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1358