Login Sign Up

CVE-2022-28652

5.5 MEDIUM
Denial of Service

📋 TL;DR

This vulnerability in Apport's settings file parsing allows a billion laughs attack (XML entity expansion) that can cause denial of service through excessive memory consumption. It affects Ubuntu systems with Apport installed and configured to use the vulnerable settings parsing. The attack requires local access to create or modify the settings file.

💻 Affected Systems

Products:
  • Apport
Versions: Apport versions prior to 2.20.11-0ubuntu82.1
Operating Systems: Ubuntu
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Apport installed and configured to parse user settings files. Ubuntu desktop installations typically have Apport enabled by default.

📦 What is this software?

Apport by Apport Project

View all CVEs affecting Apport →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system unavailability due to memory exhaustion, potentially requiring reboot and causing service disruption.

🟠

Likely Case

Apport process crash or system slowdown when malicious settings file is parsed, affecting crash reporting functionality.

🟢

If Mitigated

Minimal impact with proper file permissions preventing unauthorized settings file creation/modification.

🌐 Internet-Facing: LOW - Requires local file system access, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users or processes with write access to ~/.config/apport/ can trigger denial of service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to create or modify the settings XML file. The attack technique (billion laughs) is well-known and easy to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apport 2.20.11-0ubuntu82.1 and later

Vendor Advisory: https://ubuntu.com/security/notices/USN-5427-1

Restart Required: No

Instructions:

1. Update system: sudo apt update && sudo apt upgrade
2. Specifically update apport: sudo apt install --only-upgrade apport
3. Verify version: dpkg -l apport

🔧 Temporary Workarounds

Restrict settings file permissions

linux

Set strict permissions on the apport settings directory to prevent unauthorized modifications

chmod 700 ~/.config/apport/
chmod 600 ~/.config/apport/settings

Disable Apport

linux

Temporarily disable Apport crash reporting if not needed

sudo systemctl stop apport
sudo systemctl disable apport

🧯 If You Can't Patch

  • Implement strict file permissions on ~/.config/apport/ directory (chmod 700) and settings file (chmod 600)
  • Monitor for unauthorized modifications to apport settings files using file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check Apport version: dpkg -l apport | grep ^ii

Check Version:

dpkg -l apport | grep ^ii | awk '{print $3}'

Verify Fix Applied:

Verify installed version is 2.20.11-0ubuntu82.1 or later: dpkg -l apport

📡 Detection & Monitoring

Log Indicators:

  • Apport process crashes with memory errors
  • System logs showing out-of-memory conditions when apport runs

Network Indicators:

  • None - local file system attack

SIEM Query:

process:name=apport AND (event:out_of_memory OR event:crash)

📊 Metadata

CVE ID: CVE-2022-28652
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-776
Published: June 4, 2024
Last Updated: March 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28652, you might also want to check these:

CVE-2019-19144 9.8

This CVE describes an XML External Entity (XXE) injection vulnerability in Quantum DXi6702 backup ap...

Same vulnerability type (CWE-776)
CVE-2021-23926 9.1

This vulnerability in XMLBeans XML parsers allows attackers to perform XML Entity Expansion (XXE) at...

Same vulnerability type (CWE-776)
CVE-2021-32623 8.1

CVE-2021-32623 is a billion laughs attack vulnerability in Opencast that allows authenticated users ...

Same vulnerability type (CWE-776)