Bug 1980101 (CVE-2021-22555) - CVE-2021-22555 kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c
Summary: CVE-2021-22555 kernel: out-of-bounds write in xt_compat_target_from_user() in...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22555
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1981282 1950014 1980102 1980483 1980484 1980485 1980487 1980488 1980489 1980490 1980491 1980492 1980493 1980494 1980495 1980496 1980497 1980498 1980499 1980500 1980501 1980502 1980503 1980504 1980505 1980506 1980507 1980510 1980511 1980512 1980514 1980515 1980516 1980517 1980518 1980519 1980520 1980521 1981238 1981239 1981283 1981284
Blocks: 1980103
TreeView+ depends on / blocked
 
Reported: 2021-07-07 18:58 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-02-04 12:01 UTC (History)
72 users (show)

Fixed In Version: Kernel 5.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in processing setsockopt IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) for 32 bit processes on 64 bit systems. This flaw will allow local user to gain privileges or cause a DoS through user name space. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.
Clone Of:
Environment:
Last Closed: 2021-08-10 13:29:02 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3127 0 None None None 2021-08-10 18:05:38 UTC
Red Hat Product Errata RHBA-2021:3136 0 None None None 2021-08-11 15:39:31 UTC
Red Hat Product Errata RHBA-2021:3474 0 None None None 2021-09-09 05:11:16 UTC
Red Hat Product Errata RHBA-2021:3475 0 None None None 2021-09-09 06:51:11 UTC
Red Hat Product Errata RHSA-2021:3044 0 None None None 2021-08-10 11:13:21 UTC
Red Hat Product Errata RHSA-2021:3057 0 None None None 2021-08-10 13:14:43 UTC
Red Hat Product Errata RHSA-2021:3088 0 None None None 2021-08-10 13:08:12 UTC
Red Hat Product Errata RHSA-2021:3173 0 None None None 2021-08-17 08:29:25 UTC
Red Hat Product Errata RHSA-2021:3181 0 None None None 2021-08-17 08:31:36 UTC
Red Hat Product Errata RHSA-2021:3235 0 None None None 2021-08-19 15:48:49 UTC
Red Hat Product Errata RHSA-2021:3321 0 None None None 2021-08-31 08:03:50 UTC
Red Hat Product Errata RHSA-2021:3327 0 None None None 2021-08-31 09:09:16 UTC
Red Hat Product Errata RHSA-2021:3328 0 None None None 2021-08-31 09:09:32 UTC
Red Hat Product Errata RHSA-2021:3363 0 None None None 2021-08-31 09:21:00 UTC
Red Hat Product Errata RHSA-2021:3375 0 None None None 2021-08-31 08:53:42 UTC
Red Hat Product Errata RHSA-2021:3380 0 None None None 2021-08-31 09:04:25 UTC
Red Hat Product Errata RHSA-2021:3381 0 None None None 2021-08-31 09:31:28 UTC
Red Hat Product Errata RHSA-2021:3399 0 None None None 2021-08-31 19:45:11 UTC
Red Hat Product Errata RHSA-2021:3477 0 None None None 2021-09-09 09:22:21 UTC
Red Hat Product Errata RHSA-2021:3522 0 None None None 2021-09-14 08:44:41 UTC
Red Hat Product Errata RHSA-2021:3523 0 None None None 2021-09-14 08:45:08 UTC
Red Hat Product Errata RHSA-2021:3725 0 None None None 2021-10-05 07:52:56 UTC
Red Hat Product Errata RHSA-2021:3812 0 None None None 2021-10-12 15:04:49 UTC
Red Hat Product Errata RHSA-2021:3814 0 None None None 2021-10-12 15:05:24 UTC

Description Guilherme de Almeida Suckevicz 2021-07-07 18:58:59 UTC 
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.

References:
https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21
Comment 1 Guilherme de Almeida Suckevicz 2021-07-07 18:59:33 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1980102]
Comment 2 Justin M. Forbes 2021-07-08 14:07:05 UTC 
This was fixed for Fedora with the 5.11.15 stable kernel updates.
Comment 25 errata-xmlrpc 2021-08-10 11:13:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3044 https://access.redhat.com/errata/RHSA-2021:3044
Comment 26 errata-xmlrpc 2021-08-10 13:08:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3088 https://access.redhat.com/errata/RHSA-2021:3088
Comment 27 errata-xmlrpc 2021-08-10 13:14:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3057 https://access.redhat.com/errata/RHSA-2021:3057
Comment 28 Product Security DevOps Team 2021-08-10 13:29:02 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22555
Comment 29 errata-xmlrpc 2021-08-17 08:29:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3173 https://access.redhat.com/errata/RHSA-2021:3173
Comment 30 errata-xmlrpc 2021-08-17 08:31:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3181 https://access.redhat.com/errata/RHSA-2021:3181
Comment 31 errata-xmlrpc 2021-08-19 15:48:46 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235
Comment 32 errata-xmlrpc 2021-08-31 08:03:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:3321 https://access.redhat.com/errata/RHSA-2021:3321
Comment 33 errata-xmlrpc 2021-08-31 08:53:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3375 https://access.redhat.com/errata/RHSA-2021:3375
Comment 34 errata-xmlrpc 2021-08-31 09:04:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3380 https://access.redhat.com/errata/RHSA-2021:3380
Comment 35 errata-xmlrpc 2021-08-31 09:09:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3327 https://access.redhat.com/errata/RHSA-2021:3327
Comment 36 errata-xmlrpc 2021-08-31 09:09:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3328 https://access.redhat.com/errata/RHSA-2021:3328
Comment 37 errata-xmlrpc 2021-08-31 09:20:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3363 https://access.redhat.com/errata/RHSA-2021:3363
Comment 38 errata-xmlrpc 2021-08-31 09:31:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3381 https://access.redhat.com/errata/RHSA-2021:3381
Comment 39 errata-xmlrpc 2021-08-31 19:45:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:3399 https://access.redhat.com/errata/RHSA-2021:3399
Comment 40 errata-xmlrpc 2021-09-09 09:22:17 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:3477 https://access.redhat.com/errata/RHSA-2021:3477
Comment 41 errata-xmlrpc 2021-09-14 08:44:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2021:3522 https://access.redhat.com/errata/RHSA-2021:3522
Comment 42 errata-xmlrpc 2021-09-14 08:45:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2021:3523 https://access.redhat.com/errata/RHSA-2021:3523
Comment 43 errata-xmlrpc 2021-10-05 07:52:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2021:3725 https://access.redhat.com/errata/RHSA-2021:3725
Comment 45 errata-xmlrpc 2021-10-12 15:04:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:3812 https://access.redhat.com/errata/RHSA-2021:3812
Comment 46 errata-xmlrpc 2021-10-12 15:05:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2021:3814 https://access.redhat.com/errata/RHSA-2021:3814
Note You need to log in before you can comment on or make changes to this bug.