EDK II CVE information

---

CVE-2023-45237

• Bugzilla: BZ 4542
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202405
• Commit(s) where fixed: Push #5582: available WW21 (12 applicable commits for Intel-based platforms)
• Important: Due to new DEPEXs added in NetworkPkg to DxeNetLib.inf (gEfiRngProtocolGuid) and TcpDxe.inf (gEfiHash2ServiceBindingProtocolGuid), please ensure your platform has RngDxe.inf and Hash2CryptoDxe.inf included in your FDF/DSC files for full Network functionality.
• Note: NetworkPkg Bug 09
• Note: Adds new platform dependency (See Update Note and Edk2 Devel #119227)

---

CVE-2023-45236

• Bugzilla: BZ 4541
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202405
• Commit(s) where fixed: Push #5582: available WW21 (12 applicable commits for Intel-based platforms)
• Important: Due to new DEPEXs added in NetworkPkg to DxeNetLib.inf (gEfiRngProtocolGuid) and TcpDxe.inf (gEfiHash2ServiceBindingProtocolGuid), please ensure your platform has RngDxe.inf and Hash2CryptoDxe.inf included in your FDF/DSC files for full Network functionality.
• Note: NetworkPkg Bug 08
• Note: Adds new platform dependency (See Update Note and Edk2 Devel #119227)

---

CVE-2023-45235

• Bugzilla: BZ 4540
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Push #5352: available WW06
• Note: NetworkPkg Bug 07

---

CVE-2023-45234

• Bugzilla: BZ 4539
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Push #5352: available WW06
• Note: NetworkPkg Bug 06

---

CVE-2023-45233

• Bugzilla: BZ 4538
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Push #5352: available WW06
• Note: NetworkPkg Bug 05

---

CVE-2023-45232

• Bugzilla: BZ 4537
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Push #5352: available WW06
• Note: NetworkPkg Bug 04

---

CVE-2023-45231

• Bugzilla: BZ 4536
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Push #5352: available WW06
• Note: NetworkPkg Bug 03

---

CVE-2023-45230

• Bugzilla: BZ 4535
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Push #5352: available WW06
• Note: NetworkPkg Bug 02

---

CVE-2023-45229

• Bugzilla: BZ 4534
• GHSA-hc6x-cw6p-gj7h
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Push #5352: available WW06
• Note: NetworkPkg Bug 01

---

CVE-2022-36765

• Bugzilla: BZ 4166
• GHSA-ch4w-v7m3-g8wx
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Push #5252: available January 16
• Note: HOB issue

---

CVE-2022-36764

• Bugzilla: BZ 4118
• GHSA-4hcq-p8q8-hj8j
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Both Push #5264 and Push #5273 (last 3 commits)
• Note: TCG related

---

CVE-2022-36763

• Bugzilla: BZ 4117
• GHSA-xvv8-66cq-prwr
• Stable Tag where fixed: 202402
• Commit(s) where fixed: Both Push #5264 and Push #5273 (last 3 commits)
• Note: TCG related

---

CVE-2021-38578

• Bugzilla: BZ 3387
• Stable Tag where fixed: 202211
• Commit(s) where fixed: cab1f02565d3b29081dd21afb074f35fdb4e1fd6

---

CVE-2021-38576

• Bugzilla: BZ 3499
• Stable Tag where fixed: 202302
• Commit(s) where fixed: 1. Push #1968: sample code in SecurityPkg for TcgPlatformDxe/PEI, 2. Push #2034: OvmfPkg support for disabling the TPM 2 platform hierarchy, (Note: There is also an example platform implementation available in edk2-platforms)

---

CVE-2021-38575

• Bugzilla: BZ 3356
• Stable Tag where fixed: 202108
• Commit(s) where fixed: Push #1698

---

CVE-2021-28213

• Bugzilla: BZ 1866
• Stable Tag where fixed: 201905
• Commit(s) where fixed: d55d9d0664366efe731db461e14c6fc380fca776 (removed NetworkPkg/IpSecDxe driver per BZ 1697)

---

CVE-2021-28211

• Bugzilla: BZ 1816
• Stable Tag where fixed: 202011
• Commit(s) where fixed: 6aeaea14e97f2a36f07ccd4fd2ffb971d68b3b0a

---

CVE-2021-28210

• Bugzilla: BZ 1743
• Stable Tag where fixed: 202011
• Commit(s) where fixed: Push #1137

---

CVE-2019-14587

• Bugzilla: BZ 1989
• Stable Tag where fixed: 202002
• Commit(s) where fixed: e36d5ac7d10a6ff5becb0f52fdfd69a1752b0d14

---

CVE-2019-14586

• Bugzilla: BZ 1995
• Stable Tag where fixed: 202002
• Commit(s) where fixed: c32be82e99ef272e7fa742c2f06ff9a4c3756613

---

CVE-2019-14584

• Bugzilla: BZ 1914
• Stable Tag where fixed: 202011
• Commit(s) where fixed: 26442d11e620a9e81c019a24a4ff38441c64ba10

---

CVE-2019-14575

• Bugzilla: BZ 1608
• Stable Tag where fixed: 202002
• Commit(s) where fixed: BZ Comment 60 is “Pushed fbb9607223...c230c002ac” with 10 results from search:

1. c230c002accc4281ccc57bba7153a9b2d9b9ccd3
2. cb30c8f25162e6d8142c6b098f14c1e4e7f125ce
3. fbb96072233b5eaecf4d229cbee47b13dcab39e1
4. 5cd8be6079ea7e5638903b2f3da0f4c10ec7f1da
5. c13742b180095e5181e41dffda954581ecbd9b9c
6. b1c11470598416c89c67b75c991fd0773bcbab9d
7. a83dbf008cc73406cbdc0d5ac3164cc19fff6683
8. adc6898366298d1f64b91785e50095527f682758
9. 929d1a24d12822942fd4f9fa83582e27f92de243
10. 9e569700901857d0ba418ebdd30b8086b908688c

---

CVE-2019-14563

• Bugzilla: BZ 2001
• Stable Tag where fixed: 202011
• Commit(s) where fixed: 322ac05f8bbc1bce066af1dabd1b70ccdbe28891

---

CVE-2019-14562

• Bugzilla: BZ 2215
• Stable Tag where fixed: 202008
• Commit(s) where fixed: 0b143fa43e92be15d11e22f80773bcb1b2b0608f

---

CVE-2019-14559

• Bugzilla: BZ 2031
• Stable Tag where fixed: 202002
• Commit(s) where fixed: 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8

---

CVE-2019-14553

• Bugzilla: BZ 960
• Stable Tag where fixed: 201911
• Commit(s) where fixed: BZ Comment 47 is “Pushed as commit range b15646484eaf..e2fc50812895” with 8 results from search:

1. e2fc50812895b17e8b23f5a9c43cde29531b200f
2. 703e7ab21ff8fda9ababf7751d59bd28ad5da947
3. 2ca74e1a175232cc201798e27437700adc7fb07e
4. 8d16ef8269b2ff373d8da674e59992adfdc032d3
5. 1e72b1fb2ec597caedb5170079bb213f6d67f32a
6. 2ac41c12c0d4b3d3ee8f905ab80da019e784de00
7. eb520d94dba7369d1886cd5522d5a2c36fb02209
8. 31efec82796cb950e99d1622aa9c0eb8380613a0

---

CVE-2017-5731

• Bugzilla: BZ 686
• Stable Tag where fixed: Pre-Stable Tags: Edk2-master (2018), UDK2018, UDK2017, UDK2015
• Commit(s) where fixed: BZ Comment 10 is “Fix it in edk2 master
  2ec7953d49677142c5f7552e9e3d96fb406ba0c4..041d89bc0f0119df37a5fce1d0f16495ff905089 edk2 UDK2018
  fb72f6fd6f1c4130f0d0037f33a5153fe9fdb322..96c32854ad69cb7cc983165926d58049f7ab27cc edk2 UDK2017
  167e6e48af8dfd558aa3c7497959092d58b26d54..1d707a02d86e5f43cf0ed2cd43f7583a8d7a39db edk2 UDK2015 ee9ec6e6426f8f36bb9cd1301eb836959ef1412e..551888b06a1987b9db5040e10cdde5be34236653 with 3 results from search:

1. 041d89bc0f0119df37a5fce1d0f16495ff905089
2. 684db6da64bc7b5faee4e1174e801c245f563b5c
3. 2ec7953d49677142c5f7552e9e3d96fb406ba0c4

---

CVE-2014-8271, CERT CC VU# 533140

• Bugzilla: Pre-BZ, Tianocore SA 17
• Stable Tag where fixed: Pre-Stable Tags: UDK2015 +
• Commit(s) where fixed: Originally: https://sourceforge.net/p/edk2/code/16280/, https://github.com/tianocore/edk2/commit/6ebffb67c8eca68cf5eb36bd308b305ab84fdd99

---

CVE-2014-4860, CERT CC VU# 552286

• Bugzilla: Pre-BZ, Tianocore SA 15
• Stable Tag where fixed: Pre-Stable Tags: UDK2015 +
• Commit(s) where fixed: Originally: https://sourceforge.net/p/edk2/code/15137, https://github.com/tianocore/edk2/commit/ff284c56a11a9a9b32777c91bc069093d5b5d8a9

---

CVE-2014-4859, CERT CC VU# 552286

• Bugzilla: Pre-BZ, Tianocore SA 15
• Stable Tag where fixed: Pre-Stable Tags: UDK2015 +
• Commit(s) where fixed: Originally: https://sourceforge.net/p/edk2/code/15136, https://github.com/tianocore/edk2/commit/3a1966c4e2f04374178872b064c3a8e42a0eb776