Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk - RHEL 9 - Buffer overflow vulnerability in Linux Kernel Netfilter. [EGI-SVG-CVE-2023-0179]
Date: 2023-03-13
Updated: 2023-04-21
Affected software and risk
==========================
CRITICAL Risk vulnerability concerning Linux Kernel Netfilter.
Package : Linux Kernel
CVE ID : CVE-2023-0179
CVSS Score : 7.8 [R 1]
A buffer overflow vulnerability was found in the Netfilter subsystem in the
Linux Kernel. This issue could allow the leakage of both stack and heap
addresses, and potentially allow Local Privilege Escalation to the root
user via arbitrary code execution.
For RHEL and derivatives, only 9 is affected. [R 1]
Actions required/recommended
============================
Sites that have UIs, WNs or other hosts which may have unprivileged users
(including inside containers) running on RHEL9 or derivatives must urgently
update.
All running resources MUST be either patched, have a mitigation in place, or
have the software removed by 2023-03-21 00:00 UTC.
Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.
Component installation information
==================================
Sites running RHEL 9 should see [R 1]
Sites running CentOS Stream 9 should also see [R 1] and [R 2]
Sites running RockyLinux 9 should see [R 3]
Sites running Almalinux 9 should see [R 4]
Sites running Debian should see [R 5]
Sites running Ubuntu should see [R 6]
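One way to decide whether a host falls within the scope of the "must urgently update" action above (RHEL 9 or a RHEL 9 derivative), as an added example that is not part of the EGI advisory: the script reads the ID, ID_LIKE and VERSION_ID fields of /etc/os-release (freedesktop os-release format) and treats any distribution that names "rhel" in ID or ID_LIKE and has major version 9 as in scope. The sample os-release contents are constructed for illustration. The check only answers the scoping question; whether the running kernel is already fixed must be taken from the vendor errata in [R 1] to [R 4].

```shell
#!/bin/sh
# Added example (not part of the EGI advisory): scope check for CVE-2023-0179.
# Assumption: /etc/os-release follows the freedesktop os-release spec, and a
# RHEL derivative declares "rhel" in its ID or ID_LIKE field.

# os_release_field FIELD CONTENT
# Prints the value of FIELD from os-release CONTENT with surrounding quotes removed.
os_release_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | sed 's/^"\(.*\)"$/\1/'
}

# in_scope CONTENT
# Prints "yes" when CONTENT describes RHEL 9 or a derivative with major version 9,
# otherwise "no".
in_scope() {
    id=$(os_release_field ID "$1")
    id_like=$(os_release_field ID_LIKE "$1")
    major=$(os_release_field VERSION_ID "$1")
    major=${major%%.*}          # "9.1" -> "9", "9" -> "9"
    case " $id $id_like " in
        *" rhel "*) [ "$major" = 9 ] && echo yes || echo no ;;
        *) echo no ;;
    esac
}

# check_this_host
# Applies in_scope to the local /etc/os-release; prints "unknown" if it is missing.
check_this_host() {
    if [ -r /etc/os-release ]; then
        in_scope "$(cat /etc/os-release)"
    else
        echo unknown
    fi
}

# Constructed sample os-release contents for the distributions named in the advisory.
SAMPLE_RHEL9='NAME="Red Hat Enterprise Linux"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.1"'

SAMPLE_ROCKY9='NAME="Rocky Linux"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.1"'

SAMPLE_RHEL8='NAME="Red Hat Enterprise Linux"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.7"'

SAMPLE_DEBIAN='NAME="Debian GNU/Linux"
ID=debian
VERSION_ID="11"'

echo "RHEL 9 sample in scope:  $(in_scope "$SAMPLE_RHEL9")"
echo "Rocky 9 sample in scope: $(in_scope "$SAMPLE_ROCKY9")"
echo "RHEL 8 sample in scope:  $(in_scope "$SAMPLE_RHEL8")"
echo "Debian sample in scope:  $(in_scope "$SAMPLE_DEBIAN")"
echo "This host in scope:      $(check_this_host)"
```

Run it on each UI, WN or container host; a "yes" means the host is covered by the 2023-03-21 deadline above and its kernel version should be compared against the relevant vendor errata.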
More information
================
For detailed background information see [R 7]
TLP and URL
===========
** WHITE information - Unlimited distribution - see https://go.egi.eu/tlp for
distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2023-0179
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 99]
References
==========
[R 1] https://access.redhat.com/security/cve/CVE-2023-0179
[R 2] https://lists.centos.org/pipermail/centos-announce/
[R 3] https://errata.build.resf.org/
[R 4] https://errata.almalinux.org/
[R 5] https://security-tracker.debian.org/tracker/CVE-2023-0179
[R 6] https://ubuntu.com/security/CVE-2023-0179
[R 7] https://www.openwall.com/lists/oss-security/2023/01/13/2
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3867
Timeline
========
Yyyy-mm-dd [EGI-SVG-2023-CVE-2023-0179]
2023-03-08 SVG became aware of this issue
2023-03-09 Since RHEL9 is an option for sites, decided to issue an advisory.
2023-03-10 Risk assessment complete.
2023-03-13 Advisory Sent to sites
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities".
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 99], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.
-----------------------------
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/
and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------
On behalf of the EGI SVG,