OSG-SEC-2021-09-10 Vulnerability in Linux Kernel Traffic Control Subsystem
Dear OSG Security Contacts,
A use-after-free vulnerability (CVE-2021-3715) has been identified in the Linux kernel Traffic Control networking subsystem. OSG Security Team considers this vulnerability to be of HIGH severity if unprivileged_network_namespaces are not disabled [4].
IMPACTED VERSIONS:
All systems running RHEL 7 and 8 or derivatives [1], Debian systems [2], and Ubuntu systems [3] may be vulnerable.
WHAT ARE THE VULNERABILITIES:
A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system [1].
WHAT YOU SHOULD DO:
Sites and VOs should update their systems to a patched version as soon as it becomes available and disable unprivileged_network_namespaces if not specifically required.
Mitigation of this vulnerability is possible by disabling unprivileged_network_namespaces. In general unprivileged_network_namespaces should be disabled if they are not required [4].
Note that this mitigation is available for Singularity as enabling unprivileged_network_namespaces is not required for Singularity. However, they may be required for other software packages or system services on RHEL 8 and CentOS8, please see reference [4] below for more information.
REFERENCES
[1] https://access.redhat.com/security/cve/CVE-2021-3715
[2] https://security-tracker.debian.org/tracker/CVE-2021-3715
[3] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3715
[4] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team