Skip to content

OSG-SEC-2023-03-08 HIGH multiple Linux kernel vulnerabilities

Dear OSG Security Contacts,

Red Hat has recently released errata announcements for a variety of bug and security fixes.[1][2] In particular there are three vulnerabilities which we feel are important to patch or mitigate: CVE-2022-4378 (stack overflow flaw in the Linux kernel's SYSCTL subsystem), CVE-2022-4379 (A use-after-free vulnerability in the nfs4 code), and CVE-2023-0179 (a buffer overflow vulnerability was found in the Netfilter subsystem). More information and references can be found in the sections below.

IMPACTED VERSIONS:

CVE-2022-4378: RHEL 7,8,9 based distributions.

CVE-2022-4379: RHEL 7,8,9 based distributions.

CVE-2023-0179: RHEL 9 based distributions.

WHAT ARE THE VULNERABILITIES:

CVE-2022-4378: A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system. To trigger this issue, the user needs some privileges (for example, access to the sysctl files).[3]

CVE-2022-4379: A use-after-free vulnerability was found in __nfs42_ssc_open() in fs/nfs/nfs4file.c in the Linux kernel. This flaw allows an attacker to conduct a remote denial of service.[4] This vulnerability is only of concern for systems with NFS services enabled.

CVE-2023-0179: A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.[5]

WHAT YOU SHOULD DO:

For RHEL7 based distributions:

Patches are available for CVE-2022-4378. See the RHSA-2023:1091 errata [2] for a list of the relevant software packages. The 'yum update kernel' command will update the kernel and all relevant dependencies automatically. Reboot the system for the changes to take effect. There are no patches or mitigations for CVE-2022-4379 yet, but if you are not running an NFS server, this vulnerability won't impact you. Lastly, CVE-2023-0179 doesn't affect RHEL7 distributions.

For RHEL8 based distributions:

No patches are available yet for CVE-2022-4378 for RHEL8 distributions, but these are expected to be available within the next few days. There are no patches or mitigations for CVE-2022-4379 yet, but if you are not running an NFS server, this vulnerability won't impact you. Lastly, CVE-2023-0179 doesn't affect RHEL8 distributions.

For RHEL9 based distributions:

Patches are available for all three listed vulnerabilities. See the RHSA-2023:0951 errata [1] for a list of the relevant software packages. The 'yum update kernel' command will update the kernel and all relevant dependencies automatically. Reboot the system for the changes to take effect.

REFERENCES

[1] https://access.redhat.com/errata/RHSA-2023:0951

[2] https://access.redhat.com/errata/RHSA-2023:1091

[3] https://access.redhat.com/security/cve/CVE-2022-4378

[4] https://access.redhat.com/security/cve/CVE-2022-4379

[5] https://access.redhat.com/security/cve/CVE-2023-0179

Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team