CVE-2022-0500
Description
A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernelβs BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Description kernel: Linux ebpf logic vulnerability leads to critical memory read and write gaining root privileges Red Hat statement The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attackβ¦
Description
kernel: Linux ebpf logic vulnerability leads to critical memory read and write gaining root privileges
Red Hat statement
The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space. For Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled. For Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command: ``` # cat /proc/sys/kernel/unprivileged_bpf_disabled ``` The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw. A kernel update will be required to mitigate the flaw for the root or users with CAP_SYS_ADMIN (or CAP_BPF) capabilities.
CVSS v3: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | kernel-rt-0:4.18.0-553.rt7.342.el8_10 | RHSA-2024:2950 | 2024-05-22T00:00:00Z |
| Red Hat Enterprise Linux 8 | kernel-0:4.18.0-553.el8_10 | RHSA-2024:3138 | 2024-05-22T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Extended Update Support | kernel-0:4.18.0-372.91.1.el8_6 | RHSA-2024:0724 | 2024-02-07T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Extended Update Support | kernel-0:4.18.0-477.81.1.el8_8 | RHSA-2024:10262 | 2024-11-26T00:00:00Z |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | kernel-0:4.18.0-372.91.1.el8_6 | RHSA-2024:0724 | 2024-02-07T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected |
| Red Hat Enterprise Linux 7 | kernel | Not affected |
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected |
| Red Hat Enterprise Linux 9 | kernel | Affected |
| Red Hat Enterprise Linux 9 | kernel-rt | Will not fix |
Apply commands
yum update -y kernel-rt
# or:
dnf upgrade -y kernel-rtAffected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 6 | Not affected |
| redhat | Red Hat Enterprise Linux 7 | Not affected |
| redhat | Red Hat Enterprise Linux 7 | Not affected |
| redhat | Red Hat Enterprise Linux 9 | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 5.16.10-1 |
| sid | Fixed | 5.16.10-1 |
| forky | Fixed | 5.16.10-1 |
| bullseye | Affected | β |
| bookworm | Fixed | 5.16.10-1 |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | kernel-rt-modules-extra-4.18.0-553.rt7.342.el8_10.x86_64.rpm |
Arch Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Fixed | 5.15.54-1 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | β |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | β |
References
- https://errata.rockylinux.org/RLSA-2024:2950
- https://www.suse.com/security/cve/CVE-2022-0500.html
- https://security-tracker.debian.org/tracker/CVE-2022-0500
- https://access.redhat.com/errata/RHSA-2024:3138
- https://bugzilla.redhat.com/1731000
- https://bugzilla.redhat.com/1746732
- https://bugzilla.redhat.com/1888726
- https://bugzilla.redhat.com/1999589
- https://bugzilla.redhat.com/2039178
- https://bugzilla.redhat.com/2043520
- https://bugzilla.redhat.com/2044578
- https://bugzilla.redhat.com/2150953
- https://bugzilla.redhat.com/2151959
- https://bugzilla.redhat.com/2177759
- https://bugzilla.redhat.com/2179892
- https://bugzilla.redhat.com/2213132
- https://bugzilla.redhat.com/2218332
- https://bugzilla.redhat.com/2219359
- https://bugzilla.redhat.com/2221039
- https://bugzilla.redhat.com/2221463
- https://bugzilla.redhat.com/2221702
- https://bugzilla.redhat.com/2226777
- https://bugzilla.redhat.com/2226784
- https://bugzilla.redhat.com/2226787
- https://bugzilla.redhat.com/2226788
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.