Red Hat and Ubuntu have issued warnings about a serious vulnerability in their Linux distributions.
It’s described as a heap-based buffer overflow flaw (CVE 2022-0185). According to Ubuntu, the file system context functionality in the Linux kernel contained an integer underflow vulnerability, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
As The Register notes, the discovery also comes as Ubuntu 21.04 reached end of life, so rather than apply Ubutu’s mitigation to servers running this version, Linux admins should upgrade them to version 21.10, and apply a patch to it.
According to 9to5 Linux, the security vulnerability affects all supported Ubuntu releases, including Ubuntu 21.10 (dubbed Impish Indri) systems running Linux kernel 5.13, Ubuntu 21.04 (Hirsute Hippo) systems running Linux kernel 5.11, as well as Ubuntu 20.04 LTS (Focal Fossa) and Ubuntu 18.04 LTS (Bionic Beaver) systems running Linux kernel 5.4 LTS.
Red Hat says the issue affects the Linux kernel packages shipped with Red Hat Enterprise Linux 8.4 GA onwards. Previous Red Hat Enterprise Linux versions are not affected.
On Red Hat OpenShift Container Platform, where the default restricted SCC (Security Context Constraint) is used, this issue is not exploitable.
To mitigate the issue on installations of Red Hat Enterprise Linux 8 that aren’t running containers, admins can disable user namespaces by setting user.max_user_namespaces to 0. Note that on containerized deployments, such as Red Hat OpenShift Container Platform, this mitigation cannot be applied.
Fixes have been issued for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 8.4 Extended Update Support.