OSG-SEC-2022-03-09 CRITICAL “dirtypipe” vulnerability in Linux Kernel 5.8 and above
Dear OSG Security Contacts,
A CRITICAL vulnerability has been identified in Linux Kernel versions 5.8 and higher, and a proof-of-concept exploit has been published for Debian and reported for Ubuntu. Sites running affected hosts should update to a patched version immediately.
Systems running Ubuntu or Debian with Linux Kernel 5.8 or higher. RHEL 8 and derivatives are not susceptible to the published proof-of-concept, but may be vulnerable to other undisclosed exploitation methods in the future and should be patched as well.
Kernel version can be checked with “uname -r”.
RHEL 7 and derivatives are not affected.
WHAT ARE THE VULNERABILITIES:
A vulnerability was introduced in Linux Kernel version 5.8 which may allow the writing of arbitrary data to arbitrary files even if they are O_RDONLY, immutable, or on MS_RDONLY filesystems. A usable exploit for this vulnerability has already been published for Debian systems and reported for Ubuntu systems.
WHAT YOU SHOULD DO:
Hosts running affected versions of Linux should be updated as soon as possible, especially hosts running Debian and Ubuntu.
The vulnerability is fixed in kernel versions 5.16.11, 5.15.25, and 5.10.102.
There are currently no mitigations for this vulnerability.
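One way to script the "uname -r" check against the versions named in this advisory, as an added example that is not part of the original OSG notice. The function name dirtypipe_status and its status words are assumptions made for illustration, and the ".el8" match assumes that RHEL 8 family release strings carry that tag.

```shell
#!/bin/sh
# Added example, not part of the advisory: triage a kernel release string
# against the versions the advisory lists (affected: 5.8 and higher;
# fixed: 5.16.11, 5.15.25, 5.10.102).
#
# dirtypipe_status RELEASE prints one of:
#   not-affected  release is older than 5.8
#   fixed         release is at or above the fix listed for its branch
#   vulnerable    5.8 through 5.16 and below a listed fix, or no fix listed
#   review        RHEL 8 family, newer than 5.16, or unparseable
dirtypipe_status() {
    # RHEL 8 and derivatives report 4.18 but the advisory still says to patch.
    case "$1" in *.el8*) echo review; return 0 ;; esac

    # Keep the leading numeric part: "5.15.0-25-generic" -> "5.15.0".
    ver=${1%%[!0-9.]*}
    old_ifs=$IFS; IFS=.
    set -- $ver            # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-}; minor=${2:-}; patch=${3:-0}
    if [ -z "$major" ] || [ -z "$minor" ]; then echo review; return 0; fi

    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return 0
    fi
    # The advisory lists no fixed version for branches after 5.16.
    if [ "$major" -gt 5 ] || [ "$minor" -gt 16 ]; then echo review; return 0; fi

    case "$minor" in
        10) fix=102 ;;
        15) fix=25 ;;
        16) fix=11 ;;
        *)  echo vulnerable; return 0 ;;   # 5.8-5.16 branch with no listed fix
    esac
    if [ "$patch" -ge "$fix" ]; then echo fixed; else echo vulnerable; fi
}

# Classify the running kernel.
printf '%s: %s\n' "$(uname -r)" "$(dirtypipe_status "$(uname -r)")"
```

On Debian and Ubuntu the release string carries the package ABI number rather than the upstream patch level (for example 5.10.0-11-amd64), so a "vulnerable" result there means the installed kernel package still has to be compared against the distribution's own security notice.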
Please contact the OSG Security team at [email protected]d.org if you have any questions or concerns.
OSG Security team