Bug 2262126 (CVE-2024-1086)
| Summary: | CVE-2024-1086 kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | acaringi, ajmitchell, allarkin, aquini, bhu, chaekim, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, fwestpha, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kacij88804, kcarcia, kgrant, kyoshida, ldoskova, lgoncalv, lyly.gm19, lzampier, mbenatto, mcascell, mleitner, mmilgram, mstowell, nmurray, prodsec-ir-bot, ptalbert, rogbas, rparrazo, rrobaina, rvrbovsk, scweaver, solar, sukulkar, tglozar, vkumar, wcosta, williams, wmealing, xiaoyali, ycote, ykopkova, zhijwang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | Flags: | kacij88804: needinfo? (acaringi) |
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kernel 6.8-rc2 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the Netfilter subsystem in the Linux kernel. The nft_verdict_init() function allows positive values as a drop error within the hook verdict; as a result, the nf_hook_slow() function can cause a double free when NF_DROP is issued with a drop error that resembles NF_ACCEPT. The nf_tables component can be exploited to achieve local privilege escalation. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2262128 | ||
| Bug Blocks: | 2269240, 2262125 | ||
|
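The Doc Text above turns on how a hook verdict carries a drop error in its upper 16 bits. The following C model is an added example, not kernel code or code from this bug report: the verdict constants mirror the kernel's uapi netfilter.h, while drop_verdict(), run_hook(), freed_but_accepted(), check_masked() and check_strict() are hypothetical names for a simplified model that contrasts a check on the low verdict byte with a check on the whole verdict code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Verdict values and layout as in the kernel's uapi netfilter.h. */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QBITS 16

/* Hypothetical helper: NF_DROP with an error code in the upper 16 bits. */
static int32_t drop_verdict(int err)
{
    return (int32_t)((uint32_t)(-err) << NF_VERDICT_QBITS) | NF_DROP;
}

/* Model of the hook runner: 1 = caller continues; *freed = packet released. */
static int run_hook(int32_t verdict, bool *freed)
{
    *freed = (verdict & NF_VERDICT_MASK) == NF_DROP;
    if (!*freed)
        return 1;                             /* other verdicts not modeled */
    int err = -(verdict >> NF_VERDICT_QBITS); /* arithmetic shift assumed */
    return err ? err : -EPERM;
}

/* True when a packet that was freed is still reported as accepted. */
static bool freed_but_accepted(int32_t verdict)
{
    bool freed;
    return run_hook(verdict, &freed) == NF_ACCEPT && freed;
}

/* Weak check: looks only at the low verdict byte. */
static bool check_masked(int32_t code)
{
    int v = code & NF_VERDICT_MASK;
    return v == NF_ACCEPT || v == NF_DROP || v == NF_QUEUE;
}

/* Strict check: the whole code must be a bare verdict, no upper bits. */
static bool check_strict(int32_t code)
{
    return code == NF_ACCEPT || code == NF_DROP || code == NF_QUEUE;
}

int main(void)
{
    int32_t bad = drop_verdict(1);      /* constructed: positive drop error */
    return (check_masked(bad) && freed_but_accepted(bad) && !check_strict(bad)) ? 0 : 1;
}
```

A drop error that is a negative errno decodes to a negative return and never collides with NF_ACCEPT; only the positive case does, and the strict check rejects it before it can reach the hook runner.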
Description
Patrick Del Bello
2024-01-31 18:06:13 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2262128]

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2024:0930 https://access.redhat.com/errata/RHSA-2024:0930

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2024:1249 https://access.redhat.com/errata/RHSA-2024:1249

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2024:1332 https://access.redhat.com/errata/RHSA-2024:1332

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404

*** Bug 2269217 has been marked as a duplicate of this bug. ***

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2024:1607 https://access.redhat.com/errata/RHSA-2024:1607

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2024:1614 https://access.redhat.com/errata/RHSA-2024:1614

Hi. https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all (it only mentions other major versions and 9.2 EUS), whereas 9.3 is in fact affected - the published exploit just works all the way to a root shell. I wonder if this maybe slipped through the cracks, and actually delays fixing the issue for 9.3/9.4? And even if not, it's something to fix on that access page. Thanks!

> https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all

Oops, I was wrong, sorry! It does say RHEL 9 is Affected on the second page of results (the first page is "1-10 of 12"). I find this UI non-intuitive, and keep forgetting more pages of results may exist. Anyway, good to know the issue is known and acknowledged.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2024:2697 https://access.redhat.com/errata/RHSA-2024:2697

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.7 Advanced Update Support
Via RHSA-2024:3319 https://access.redhat.com/errata/RHSA-2024:3319

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7.6 Advanced Update Support
Via RHSA-2024:3318 https://access.redhat.com/errata/RHSA-2024:3318

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2024:3427 https://access.redhat.com/errata/RHSA-2024:3427

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2024:3414 https://access.redhat.com/errata/RHSA-2024:3414

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2024:3421 https://access.redhat.com/errata/RHSA-2024:3421

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Via RHSA-2024:3530 https://access.redhat.com/errata/RHSA-2024:3530

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.2 Advanced Update Support
Via RHSA-2024:3528 https://access.redhat.com/errata/RHSA-2024:3528

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Via RHSA-2024:3529 https://access.redhat.com/errata/RHSA-2024:3529

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Via RHSA-2024:3805 https://access.redhat.com/errata/RHSA-2024:3805

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Via RHSA-2024:4075 https://access.redhat.com/errata/RHSA-2024:4075

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:4074 https://access.redhat.com/errata/RHSA-2024:4074

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2024:4073 https://access.redhat.com/errata/RHSA-2024:4073