Bug 1686373 (CVE-2019-3874)
| Summary: | CVE-2019-3874 kernel: SCTP socket buffer memory leak leading to denial of service | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abhgupta, acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dbaker, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jshepherd, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, mchehab, mcroce, mjg59, mlangsdo, mleitner, nmurray, nvinto, plougher, rvrbovsk, security-response-team, spagno, steved, sthangav, trankin, vdronov, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-06 00:52:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1575105, 1665243, 1690646, 1690649, 1690650 | | |
| Bug Blocks: | 1686374 | | |
Description
Andrej Nemec
2019-03-07 11:05:49 UTC
Statement: While this issue affects the Linux kernel in Red Hat Enterprise Linux and not OpenShift Container Platform (OCP) 3 code directly, OCP 3 makes use of cgroups in the kernel to measure and report on the amount of system resources used by an end user application. The default Security Context Constraints (SCC) in OpenShift Container Platform 3.x disallow an end user from running a container as root. Also, a check is performed by the OCP 3 Installer to ensure SELinux is enabled [1].

[1] https://github.com/openshift/openshift-ansible/blob/006fb14e9a28df9bd1a58ac376bbdf3eba50fa51/roles/openshift_node/tasks/main.yml#L3

Mitigation: SELinux prevents a bind of the SCTP socket by a non-root user. To mitigate this issue if not using SELinux, or if a Security Context Constraint allows running pods as the root user, the 'sctp' module should be blacklisted. Please see this Knowledge Base article for more information on how to blacklist a kernel module: https://access.redhat.com/solutions/41278

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1690646]

Acknowledgments: Name: Matteo Croce (Red Hat), Natale Vinto (Red Hat), Andrea Spagnolo (Red Hat)

The Kubernetes Security team made a public announcement about this vulnerability here: https://discuss.kubernetes.io/t/kubernetes-security-announcement-linux-kernel-memory-cgroups-escape-via-sctp-cve-2019-3874/5594

External References:
https://lore.kernel.org/netdev/20190401113110.GA20717@hmswarspite.think-freely.org/T/#u
https://discuss.kubernetes.io/t/kubernetes-security-announcement-linux-kernel-memory-cgroups-escape-via-sctp-cve-2019-3874/5594

This was fixed for Fedora with the 5.2 kernel rebases.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:3309 https://access.redhat.com/errata/RHSA-2019:3309

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:3517 https://access.redhat.com/errata/RHSA-2019:3517

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3874
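A small audit script for the mitigation described in the report (blacklisting the sctp module where SELinux is not relied on), added here as an example and not part of the bug report or of Red Hat's tooling. It reports whether the sctp module is currently loaded and whether a modprobe.d rule blocks it; the file and directory paths are parameters (defaulting to /proc/modules and /etc/modprobe.d) so it can also be run against copies collected from other hosts.

```shell
#!/bin/sh
# Added example: check the CVE-2019-3874 mitigation (sctp module blacklist).
# Paths are parameters so the checks can run against the live system or
# against copies of /proc/modules and /etc/modprobe.d gathered elsewhere.

# Returns 0 if the sctp module appears in a /proc/modules-style listing.
sctp_loaded() {
    modules_file="${1:-/proc/modules}"
    # Each /proc/modules line starts with the module name followed by a space.
    grep -qs '^sctp ' "$modules_file"
}

# Returns 0 if any *.conf in a modprobe.d-style directory blocks sctp,
# either via "blacklist sctp" or "install sctp /bin/false" (or /bin/true),
# the two forms the Knowledge Base article on blacklisting modules describes.
sctp_blacklisted() {
    confdir="${1:-/etc/modprobe.d}"
    [ -d "$confdir" ] || return 1
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+sctp|install[[:space:]]+sctp[[:space:]]+/bin/(false|true))[[:space:]]*$' "$confdir"/*.conf
}

# Prints a one-line verdict; returns 0 only when sctp is not loaded AND a
# blacklist rule is present (a rule alone does not unload an already loaded
# module).
sctp_mitigation_status() {
    modules_file="${1:-/proc/modules}"
    confdir="${2:-/etc/modprobe.d}"
    if sctp_loaded "$modules_file"; then
        echo "sctp module is loaded: blacklist is not effective until it is unloaded"
        return 1
    fi
    if sctp_blacklisted "$confdir"; then
        echo "sctp module is not loaded and is blacklisted in $confdir"
        return 0
    fi
    echo "sctp module is not loaded but no blacklist rule was found in $confdir"
    return 1
}

# Run the live check only when invoked with --run, so the file can also be
# sourced to reuse the functions.
case "${1:-}" in
    --run) sctp_mitigation_status ;;
esac
```

Run with `sh check-sctp.sh --run` on a host; a non-zero exit status means the blacklist mitigation is not in place or not yet effective.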