Bug 2138959 (CVE-2022-3787)

Summary: CVE-2022-3787 device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agk, arachman, bmarzins, heinzm, lveyde, lvm-team, michal.skrivanek, mperina, msnitzer, prajnoha, security-response-team, zkabelac
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in device-mapper-multipath. It allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-07 03:33:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2133995, 2133998
Bug Blocks: 2133535
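The Doc Text above attributes the original flaw to a command fingerprint built with arithmetic ADD instead of bitwise OR, so that a repeated keyword is mishandled. The C program below is an added illustration of that failure mode; it is not code from multipath-tools, from the Red Hat packages, or from the advisory. The keyword names, bit values, handler table and the rule that an unprivileged socket client may only use read-only keywords are all constructed for the example (the real daemon's tables and authorization check are not reproduced here). With ADD, eight copies of a harmless keyword carry into the next bit and sum to the privileged handler's fingerprint while still passing the per-keyword privilege check; with OR, the fingerprint can only ever contain bits of keywords that are actually present, so the check and the dispatch agree.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed keyword table (illustrative, not multipathd's real table).
 * Each code is a distinct bit, so a command's fingerprint is meant to be
 * the SET of keywords it contains. */
enum {
    KW_LIST        = 1u << 0,
    KW_PATHS       = 1u << 1,
    KW_MAPS        = 1u << 2,
    KW_RECONFIGURE = 1u << 3,   /* rewrites the multipath setup */
};

struct keyword { const char *name; uint64_t code; int read_only; };

static const struct keyword keywords[] = {
    { "list",        KW_LIST,        1 },
    { "paths",       KW_PATHS,       1 },
    { "maps",        KW_MAPS,        1 },
    { "reconfigure", KW_RECONFIGURE, 0 },
};

/* Handlers are selected by fingerprint alone (constructed table). */
struct handler { uint64_t fingerprint; const char *action; };

static const struct handler handlers[] = {
    { KW_LIST | KW_PATHS, "show paths" },
    { KW_LIST | KW_MAPS,  "show maps" },
    { KW_RECONFIGURE,     "RECONFIGURE (privileged)" },
};

static const struct keyword *find_keyword(const char *word)
{
    for (size_t i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
        if (strcmp(keywords[i].name, word) == 0)
            return &keywords[i];
    return NULL;
}

static const char *dispatch(uint64_t fp)
{
    for (size_t i = 0; i < sizeof handlers / sizeof handlers[0]; i++)
        if (handlers[i].fingerprint == fp)
            return handlers[i].action;
    return NULL;
}

#define MAX_WORDS 32

/* Split a command line into keyword codes. Returns the keyword count, or -1
 * on an unknown word or an over-long command. *all_read_only reports whether
 * every keyword is read-only, the assumed rule for unprivileged clients. */
static int parse_words(const char *cmdline, uint64_t codes[], int *all_read_only)
{
    char buf[256];
    int n = 0;

    *all_read_only = 1;
    if (strlen(cmdline) >= sizeof buf)
        return -1;
    strcpy(buf, cmdline);
    for (char *w = strtok(buf, " "); w; w = strtok(NULL, " ")) {
        const struct keyword *kw = find_keyword(w);
        if (!kw || n == MAX_WORDS)
            return -1;
        codes[n++] = kw->code;
        if (!kw->read_only)
            *all_read_only = 0;
    }
    return n;
}

/* Privilege check on the keywords present, then dispatch on a fingerprint
 * built with arithmetic ADD (use_add != 0, the vulnerable form) or bitwise
 * OR (use_add == 0, the fixed form). */
const char *run_command(const char *cmdline, int is_root, int use_add)
{
    uint64_t codes[MAX_WORDS], fp = 0;
    int all_ro, n = parse_words(cmdline, codes, &all_ro);
    const char *action;

    if (n <= 0)
        return "error: bad command";
    if (!is_root && !all_ro)
        return "denied";
    for (int i = 0; i < n; i++) {
        if (use_add)
            fp += codes[i];   /* bug: "list" x8 sums to KW_RECONFIGURE */
        else
            fp |= codes[i];   /* fix: fp only holds bits of present keywords */
    }
    action = dispatch(fp);
    return action ? action : "error: no handler";
}

int main(void)
{
    const char *forged = "list list list list list list list list";

    printf("unprivileged \"%s\":\n  ADD -> %s\n  OR  -> %s\n", forged,
           run_command(forged, 0, 1), run_command(forged, 0, 0));
    return 0;
}
```

Run as-is and the ADD line reports the privileged action for an unprivileged caller who only ever used a read-only keyword; the OR line reports no handler, because a repeated keyword is idempotent under OR. The general lesson is the invariant the fix restores: when codes are bit flags, accumulation must be OR, since any arithmetic on them lets multiplicity forge bits the input never contained.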

Description Tomas Hoger 2022-10-31 19:06:00 UTC
The device-mapper-multipath flaw CVE-2022-41974 (bug 2133988) was addressed in Red Hat Enterprise Linux 8 via erratum RHSA-2022:7192 and in Red Hat Enterprise Linux 9 via erratum RHSA-2022:7185, released on Oct 25, 2022:

https://access.redhat.com/errata/RHSA-2022:7192
https://access.redhat.com/errata/RHSA-2022:7185

However, the fix for this issue was not included in the device-mapper-multipath updates released as part of Red Hat Enterprise Linux 8.7 (RHBA-2022:7714) and 9.1 (RHBA-2022:8313), causing a security regression of the previously released fix. A new CVE id, CVE-2022-3787, was assigned for this security regression.

Note that this issue and CVE id are specific to the device-mapper-multipath packages shipped with Red Hat Enterprise Linux and are not applicable to any upstream device-mapper-multipath version or to device-mapper-multipath packages of any other vendor that are not directly based on Red Hat Enterprise Linux packages.

For more information about the original flaw, refer to the CVE page or bug linked above.

Comment 4 errata-xmlrpc 2022-11-14 08:55:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7928 https://access.redhat.com/errata/RHSA-2022:7928

Comment 5 errata-xmlrpc 2022-11-15 16:02:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8453 https://access.redhat.com/errata/RHSA-2022:8453

Comment 6 Product Security DevOps Team 2022-12-07 03:33:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3787