Date: 2024-04-12
Updated: 2024-05-24
CRITICAL risk vulnerability in the Netfilter subsystem in the Linux kernel
EGI SVG ID : EGI-SVG-2024-08
CVE ID : CVE-2024-1086
CVSS Score : 7.8 [R 1] [R 2]
Sites should update the relevant components as soon as possible, once patches for the Linux versions they deploy are available; see the references below.
Sites running distributions for which a patched version is not yet available are strongly recommended to apply the mitigation, unless doing so disables functionality they require.
EGI SVG and EGI CSIRT recommend disabling network namespaces where they are not needed (see [R 6]), although we are increasingly aware of situations where this disables required functionality.
See also [R 2] and [R 9] for the mitigation applicable in that case, which involves disabling the nf_tables module.
Although Red Hat rates this vulnerability as ‘Important’ rather than ‘Critical’, the EGI SVG has rated it as ‘Critical’ because of the way the EGI Grid services function.
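As an added example that is not part of the EGI advisory or of [R 6]/[R 9]: a POSIX shell audit that reports whether the two interim mitigations named above are in place on a host, namely namespaces restricted and the nf_tables module neither loaded nor loadable. It assumes (my assumption, not a detail from the references) that namespace restriction is done through the user.max_user_namespaces sysctl and that a module blacklist lives in /etc/modprobe.d; file paths are parameters so the checks can also be run against captured copies.

```shell
#!/bin/sh
# Audit the interim CVE-2024-1086 mitigations described in the advisory.
# Assumption: namespaces are restricted with user.max_user_namespaces=0
# and nf_tables is kept out with a blacklist in /etc/modprobe.d.

# 0 if nf_tables appears in a /proc/modules listing (first field is the module name).
nf_tables_loaded() {
  mods="${1:-/proc/modules}"
  [ -r "$mods" ] || return 2
  awk '$1 == "nf_tables" { found = 1 } END { exit !found }' "$mods"
}

# 0 if some modprobe.d *.conf file blacklists nf_tables or maps it to /bin/false.
nf_tables_blacklisted() {
  dir="${1:-/etc/modprobe.d}"
  [ -d "$dir" ] || return 1
  grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+nf_tables|install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true))([[:space:]]|$)' "$dir"/*.conf
}

# 0 if the user namespace limit is 0, i.e. unprivileged namespaces are disabled.
user_ns_disabled() {
  f="${1:-/proc/sys/user/max_user_namespaces}"
  [ -r "$f" ] || return 2
  [ "$(cat "$f")" = "0" ]
}

# Print a report. Exit 0 only if at least one mitigation is fully in place:
# either namespaces disabled, or nf_tables both unloaded and blacklisted.
# Arguments: [max_user_namespaces file] [modules file] [modprobe.d dir]
audit_mitigations() {
  ok=1
  if user_ns_disabled "$1"; then echo "[ok]   user namespaces disabled"; ok=0
  else echo "[warn] user namespaces allowed (user.max_user_namespaces != 0)"; fi
  loaded=1; nf_tables_loaded "$2" && loaded=0
  blocked=1; nf_tables_blacklisted "$3" && blocked=0
  [ $loaded -eq 0 ] && echo "[warn] nf_tables module is currently loaded" \
                    || echo "[ok]   nf_tables module not loaded"
  [ $blocked -eq 0 ] && echo "[ok]   nf_tables blacklisted in modprobe.d" \
                     || echo "[warn] nf_tables not blacklisted in modprobe.d"
  [ $loaded -ne 0 ] && [ $blocked -eq 0 ] && ok=0
  return $ok
}

audit_mitigations "$@"
```

Run without arguments on the host to audit live state; a non-zero exit means neither mitigation is fully applied.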
UPDATE 2024-05-24
This is now fixed for all Red Hat derivatives.
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2024-08
https://advisories.egi.eu/Advisory-SVG-CVE-2024-1086
Minor updates may be made without re-distribution to the sites.
Others may re-use this information provided they:
1) Respect the provided TLP classification
2) Credit the EGI (https://www.egi.eu/) Software Vulnerability Group
Comments or questions should be sent to svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 4] https://security-tracker.debian.org/tracker/CVE-2024-1086
[R 6] https://csirt.egi.eu/2022/10/19/linux-namespaces-and-containers/
[R 7] https://errata.build.resf.org/ (RockyLinux)
[R 8] https://errata.almalinux.org/ (AlmaLinux)
[R 99] https://confluence.egi.eu/display/EGIBG/SVG+Advisories
SVG was alerted to this vulnerability by Barbara Krasovec.