About CVE-2023-21666: memory leak vulnerability (3rd May 2023)

Preface: The product does not sufficiently track and release allocated memory after it has been used. Such design weakness will belongs to CWE-401.

Background: Snapdragon Heterogeneous Compute SDK: provides developers with the ability to allocate work to any of the three processors on Snapdragon. The SDK provides C++ API’s for the Kryo CPU and Adreno GPU, the latter of which interacts through OpenGL and OpenCL calls.

Vulnerability details: Improper Release of Memory Before Removing Last Reference (`Memory Leak`) in Graphics.

Solution: Official announcement, please refer to the link – https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/9968fcdd9d1c853d0c6472307510a81f5db398da

About CVE-2023-46365: Hard Code value vs access privileges control! (2nd May 2023)

Preface: In order to avoid vulnerabilities, cloud service providers have their hands full!

Background: It will be open-sourced under the name of StreamX in April 2021, renamed StreamPark in August 2022, and then formally become an incubation project of the Apache Open Source Software Foundation through voting in September.
StreamPark is a streaming application development framework. Aimed at ease building and managing streaming applications, StreamPark provides development framework for writing streaming process application with Apache Flink and Apache Spark.
Apache Spark and Apache Flink are two of the most popular tools used for machine learning and data science.
Known for its speed and scalability, Apache Spark can handle a wide variety of workloads, including batch processing, stream processing, and machine learning. On the other hand, Apache Flink is designed for real-time data processing and optimized for low latency and high throughput.

Vulnerability details: Apache StreamPark (incubating): Logic error causing any account reset.

Affected products: Apache StreamPark 1.0.0 before 2.0.0

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2022-46365