Bug 2035652 (CVE-2021-4197)

Summary: CVE-2021-4197 kernel: cgroup: Use open-time creds and namespace for migration perm checks
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Linux kernel 5.17-rc1 Doc Type: If docs needed, set a value
Doc Text:
An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-11 13:46:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2035668, 2035766, 2035767, 2035768, 2075018, 2075019, 2075020, 2075021, 2075022, 2075023    
Bug Blocks: 2030983, 2036691    

Description Alex 2021-12-26 13:49:57 UTC 
In cgroups (control groups) functionality of Linux Kernel found potential security weakness that may allow scenarios where a less privileged process tricks a more privileged one into writing into a fd that it created. This could lead to local escalation of privilege for the containers or other processes that uses cgroups in such a way. User interaction is not needed for exploitation.

Reference and upstream patch:
https://lore.kernel.org/lkml/20211209214707.805617-1-tj@kernel.org/T/
Comment 3 Alex 2021-12-26 16:48:08 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2035668]
Comment 11 errata-xmlrpc 2022-05-10 14:40:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
Comment 12 errata-xmlrpc 2022-05-10 14:46:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988
Comment 13 Product Security DevOps Team 2022-05-11 13:46:25 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4197
Comment 14 errata-xmlrpc 2022-07-19 21:06:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5626 https://access.redhat.com/errata/RHSA-2022:5626
Comment 15 errata-xmlrpc 2022-07-19 21:07:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5633 https://access.redhat.com/errata/RHSA-2022:5633