Bug 1993988 (CVE-2021-3715)

Summary: CVE-2021-3715 kernel: use-after-free in route4_change() in net/sched/cls_route.c
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, asavkov, bhu, blc, brdeoliv, bskeggs, chwhite, crwood, ctoe, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, ivecera, jarod, jarodwilson, jeremy, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jthierry, jwboyer, kcarcia, kernel-maint, kernel-mgr, kpatch-maint, lgoncalv, linville, masami256, mchehab, michal.skrivanek, mlangsdo, mleitner, mperina, mvanderw, nmurray, nobody, ptalbert, qzhao, rhandlin, rik.theys, rkeshri, rvrbovsk, sbonazzo, security-response-team, sgrubb, steved, walters, williams, ycote
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Kernel 5.10 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-09-07 20:33:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1824071, 1992926, 1994012, 1994013, 1994014, 1994015, 1994016, 1994018, 1994019, 1994020, 1994463, 1996610, 1996611, 1997195, 1997756, 2114849, 2122585, 2132973    
Bug Blocks: 1993312, 2002252    

Description Petr Matousek 2021-08-16 13:49:46 UTC 
A flaw was found in the way the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem handled changing of classification filters leading to user-after-free condition. An unprivileged local user could use this flaw to escalate their privileges on the system.

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ef299cc3fa1a9e1288665a9fdc8bff55629fd359
Comment 24 errata-xmlrpc 2021-09-07 14:56:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3442 https://access.redhat.com/errata/RHSA-2021:3442
Comment 25 errata-xmlrpc 2021-09-07 14:57:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3439 https://access.redhat.com/errata/RHSA-2021:3439
Comment 26 errata-xmlrpc 2021-09-07 15:07:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3443 https://access.redhat.com/errata/RHSA-2021:3443
Comment 27 errata-xmlrpc 2021-09-07 15:14:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3445 https://access.redhat.com/errata/RHSA-2021:3445
Comment 28 errata-xmlrpc 2021-09-07 15:21:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3444 https://access.redhat.com/errata/RHSA-2021:3444
Comment 29 errata-xmlrpc 2021-09-07 15:25:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3441 https://access.redhat.com/errata/RHSA-2021:3441
Comment 30 errata-xmlrpc 2021-09-07 15:26:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3438 https://access.redhat.com/errata/RHSA-2021:3438
Comment 31 errata-xmlrpc 2021-09-07 16:46:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3446 https://access.redhat.com/errata/RHSA-2021:3446
Comment 32 Product Security DevOps Team 2021-09-07 20:33:34 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3715
Comment 34 errata-xmlrpc 2021-09-09 09:22:17 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:3477 https://access.redhat.com/errata/RHSA-2021:3477
Comment 36 errata-xmlrpc 2022-10-25 13:10:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:7173 https://access.redhat.com/errata/RHSA-2022:7173