EGI SVG Advisories

Advisory-SVG-CVE-2022-0847

Title:   EGI SVG 'ADVISORY' [TLP:AMBER] 'CRITICAL' risk Linux Kernel 'dirtypipe' 
         vulnerability CVE-2022-0847 [EGI-SVG-CVE-2022-0847] 

Date:    2022-03-09
Updated: 2022-03-15

Affected software and risk
==========================

'CRITICAL' risk vulnerability concerning the Linux kernel

Package    : Linux Kernel
CVE ID     : CVE-2022-0847
Bug ID     :  
CVSS Score : 7.8 [R 3]

A vulnerability has been found which may allow the writing of arbitrary data to arbitrary files. [R 1]
This has been called the 'dirtypipe' vulnerability. A public exploit has been made available which appears
to work for Debian and Ubuntu, but not for RHEL8 and its derivatives. 

RHEL7 and derivatives are not affected.

**UPDATE 2022-03-15**

This has been fixed for Debian, Ubuntu, RHEL8 and for RockyLinux.


Actions required/recommended
============================

**UPDATE 2022-03-15**

All running vulnerable resources MUST be patched, have mitigation in place,
or have the software removed by 2022-03-23 00:00 UTC.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.


Component installation information
==================================

Sites running Debian should see [R 2] 

Sites running RHEL 8 should see [R 3]

Sites running Ubuntu should see [R 4]

Sites running RockyLinux should see [R 5]

Sites running AlmaLinux should see [R 6]

Affected software details
=========================

This vulnerability is fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

A working exploit is available for Debian and has been reported for Ubuntu.

RHEL version 7 and derivatives are not affected.

RHEL version 8 and derivatives are affected, but a working exploit has not been found.

Other versions are still under investigation. 
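
The fixed upstream versions above are only a starting point for a site check: distribution kernels often carry a backported fix under their own version string (a RHEL 8 or Ubuntu kernel release never reads "5.15.25"), so a version comparison can only say "at or above the upstream fix level", "below it, confirm with the distribution tracker", or "series not covered". The following script is an added example and not part of this advisory; it takes the three fixed versions from the text, the status names, the function names and the default of reading `uname -r` are my own choices, and for any distribution kernel the result must still be confirmed against [R 2] to [R 6].

```shell
#!/bin/sh
# Added example (not from the EGI advisory): classify a kernel release string
# against the upstream stable releases the advisory names as fixed
# (5.16.11, 5.15.25, 5.10.102). The fixed levels come from the advisory;
# the status names and function names are assumptions of this example.
#
# dirtypipe_status prints one of:
#   fixed        - series covered by the advisory, patch level at or above the fix
#   below-fix    - series covered, patch level below the fix (distribution kernels
#                  may still carry a backported fix under this version string)
#   not-covered  - series not named in the advisory; use the distribution tracker

dirtypipe_status() {
    rel=$1
    # Keep only the leading major.minor.patch digits; drop suffixes such as
    # "-generic", "-arch1-1" or "-348.el8.x86_64".
    triple=${rel%%[!0-9.]*}
    major=${triple%%.*}
    rest=${triple#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # A two-component version ("5.10") has no patch level: treat it as 0.
    [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%.*}
    case $patch in
        ''|*[!0-9]*) patch=0 ;;
    esac

    case "$major.$minor" in
        5.16) fixed=11 ;;
        5.15) fixed=25 ;;
        5.10) fixed=102 ;;
        *) echo not-covered; return 0 ;;
    esac

    if [ "$patch" -ge "$fixed" ]; then
        echo fixed
    else
        echo below-fix
    fi
}

# Human-readable report for one release string.
dirtypipe_report() {
    rel=$1
    status=$(dirtypipe_status "$rel")
    case $status in
        fixed)
            echo "$rel: at or above the upstream fix level (fixed)" ;;
        below-fix)
            echo "$rel: below the upstream fix level; confirm against the distribution tracker, vendor kernels often backport the fix without changing the version" ;;
        not-covered)
            echo "$rel: series not named in the advisory; use the distribution tracker (RHEL 7 and derivatives are reported as not affected)" ;;
    esac
}

# Check the running kernel, or a release string passed as the first argument.
dirtypipe_report "${1:-$(uname -r)}"
```

Run it as `sh dirtypipe_check.sh` on each host, or pass a release string collected by a configuration management tool; anything reported as "below-fix" or "not-covered" is an item for the distribution tracker, not a finding on its own.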


Mitigation
==========

No mitigation has so far been identified for versions of Linux affected by this vulnerability.

TLP and URL
===========

** WHITE information - Unlimited distribution
 - see https://go.egi.eu/tlp for distribution restrictions **

URL: https://advisories.egi.eu/Advisory-SVG-CVE-2022-0847

Minor updates may be made without re-distribution to the sites.


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99].

Note that this is undergoing revision to fully handle vulnerabilities in the
EOSC era.


References
==========

[R 1] https://www.openwall.com/lists/oss-security/2022/03/07/1

[R 2] https://security-tracker.debian.org/tracker/CVE-2022-0847

[R 3] https://access.redhat.com/security/cve/CVE-2022-0847

[R 4] https://ubuntu.com/security/CVE-2022-0847

[R 5] RockyLinux https://errata.rockylinux.org

[R 6] AlmaLinux https://errata.almalinux.org

[R 99] https://documents.egi.eu/public/ShowDocument?docid=3145


Credit
======

SVG was alerted to this vulnerability by Laurent Caillat-Vallet

Timeline
========

Yyyy-mm-dd  [EGI-SVG-2022-CVE-2022-0847] 

2022-02-07 SVG alerted to this issue by Laurent Caillat-Vallet
2022-02-08 Acknowledgement from the EGI SVG to the reporter
2022-02-08 Investigation of vulnerability and relevance to EGI carried out.  
2022-02-08 EGI SVG Risk Assessment completed
2022-02-08 Decided to draft advisory to sites even though information incomplete
2022-02-09 Advisory sent to sites
2022-02-15 Advisory updated as fixed for most Linux versions.
2022-07-07 Public disclosure

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".

The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

-----------------------------
This advisory is subject to the Creative Commons licence https://creativecommons.org/licenses/by/4.0/ and
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
------------------------------

Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure and the
services in the EOSC catalogue.

On behalf of the EGI SVG,