Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk Linux kernel use after
free vulnerability in cls_route filter CVE-2022-2588 [EGI-SVG-CVE-2022-2588]
Date: 2022-10-19
Updated: 2022-10-25, 2022-11-03, 2022-11-11
Affected software and risk
==========================
CRITICAL risk vulnerability concerning cls_route filter in the Linux kernel
Package : cls_route filter - Linux kernel
CVE ID : CVE-2022-2588
Bug ID : 2114849 [R 1]
CVSS Score : 7.8 [R 2]
A use-after-free flaw was found in route4_change in the net/sched/cls_route.c
filter implementation in the Linux kernel. This flaw allows a local user to
crash the system and possibly lead to a local privilege escalation problem.
[R 2].
Actions required/recommended
============================
Sites are required to urgently install an updated version of the Linux kernel,
if they have not done so already.
**UPDATE 2022-11-11**
A fixed version is now available for CentOS7. Since we previously set the
deadline for patching on the assumption that a CentOS7 patch would be out
shortly after the RHEL 7 was released, for those running CentOS7 we are
revising the deadline for patching to 2022-11-22 00:00 UTC.
**UPDATE 2022-11-03**
All running resources MUST be either patched or have mitigation
in place or software removed by 2022-11-11 00:00 UTC
Sites failing to act and/or failing to respond to requests from the
EGI CSIRT team risk site suspension.
Fixed versions are available for Debian and Ubuntu.
**UPDATE 2022-11-03**
Fixed version is available for RHEL 7 and Scientific Linux.
**UPDATE 2022-10-25**
Fixed version is available for RHEL 8
Component installation information
==================================
Sites running RHEL should see [R 2]
**UPDATE 2022-11-11**
Sites running CentOS should also see [R 2], [R 3], [R 10]
Note that at time of writing there is no announcement in [R 3] but the updated kernel is available in the mirror at [R 10]
Sites running Debian should see [R 4]
Sites running Ubuntu should see [R 5]
Sites running Scientific Linux should see [R 6]
Sites running RockyLinux should see [R 7]
Sites running Almalinux should see [R 8]
Mitigation
==========
Potential mitigations include:
Disable user namespaces or (better) _network_ namespaces.
Information on namespaces and containers is provided on the CSIRT
webpage [R 9]
Restrict the set of people who can run their own code on affected
services like worker nodes or shared login hosts.
Affected software details
=========================
RHEL 6, 7, 8 based distributions [R 2] (RHEL 9 is not affected).
Debian [R 4]
Ubuntu (all actively supported versions). [R 5]
More information
================
Note that an exploit has been released and due to the way some of the
EGI services operate EGI SVG considers this vulnerability to be 'CRITICAL'
even though RedHat classes as 'Important'.
One member of the EGI SVG tested the exploit on C8 and it failed with network
namespaces disabled.
TLP and URL
===========
** WHITE information - Limited distribution
- see https://go.egi.eu/tlp for
distribution restrictions **
URL: https://advisories.egi.eu/YYYY/Advisory-SVG-YYYY-XX
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99]
Note that this is undergoing revision to fully handle vulnerabilities in the
EOSC era.
References
==========
[R 1] https://bugzilla.redhat.com/show_bug.cgi?id=2114849
[R 2] https://access.redhat.com/security/cve/CVE-2022-2588
[R 3] https://lists.centos.org/pipermail/centos-announce/
[R 4] https://security-tracker.debian.org/tracker/CVE-2022-2588
[R 5] http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2022-2588.html
[R 6] https://www.scientificlinux.org/category/sl-errata/
**UPDATED 2022-11-03**
[R 7] RockyLinux https://errata.build.resf.org/
[R 8] AlmaLinux https://errata.almalinux.org/
[R 9] https://csirt.egi.eu/2022/10/19/linux-namespaces-and-containers/
[R 10] http://www.mirrorservice.org/sites/mirror.centos.org/7/updates/x86_64/Packages/
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867
Credit
======
SVG was alerted to this vulnerability by the OSG security team.
Timeline
========
Yyyy-mm-dd [EGI-SVG-2022-CVE-2022-2588]
2022-10-17 SVG alerted to this issue by the OSG security team
2022-10-18 EGI SVG Risk Assessment completed
2022-10-19 Advisory sent to sites
2022-10-25 Update as fixed version available for RHEL8
2022-11-03 Update as fixed version available for RHEL7 and SL and 7 day deadline set
2022-11-11 Update as fixed version available for CentOS7 after some delay.
2023-04-05 Advisory placed on advisories.egi.eu
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 5] in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
------------------------------
Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure and the
services in the EOSC catalogue.
On behalf of the EGI SVG,