2138959 – (CVE-2022-3787) CVE-2022-3787 device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux

Bug 2138959 (CVE-2022-3787) - CVE-2022-3787 device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux

Summary: CVE-2022-3787 device-mapper-multipath: Regression of CVE-2022-41974 fix in Re...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-3787
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2133995 2133998
Blocks:	2133535
TreeView+	depends on / blocked

Reported:	2022-10-31 19:06 UTC by Tomas Hoger
Modified:	2023-12-07 15:28 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.
Clone Of:
Environment:
Last Closed:	2022-12-07 03:33:10 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:7928	0	None	None	None	2022-11-14 08:55:37 UTC
Red Hat Product Errata	RHSA-2022:8453	0	None	None	None	2022-11-15 16:02:38 UTC

Description Tomas Hoger 2022-10-31 19:06:00 UTC

The device-mapper-multipath flaw CVE-2022-41974 (bug 2133988) was addressed in Red Hat Enterprise Linux 8 via erratum RHSA-2022:7192 and in Red Hat Enterprise Linux 9 via erratum RHSA-2022:7185, released on Oct 25, 2022:

https://access.redhat.com/errata/RHSA-2022:7192
https://access.redhat.com/errata/RHSA-2022:7185

However, the fix for this issue was not included in the device-mapper-multipath updates released as part of Red Hat Enterprise Linux 8.7 (RHBA-2022:7714) and 9.1 (RHBA-2022:8313), causing a security regression of previously released fix.  A new CVE id CVE-2022-3787 was assigned for this security regression.

Note that this issue and CVE id is specific to the device-mapper-multipath packages as shipped with Red Hat Enterprise Linux and is not applicable to any upstream device-mapper-multipath version or device-mapper-multipath packages of any other vendor that are not directly based on Red Hat Enterprise Linux packages.

For more information about the original flaw, refer to the CVE page or bug linked above.

Comment 4 errata-xmlrpc 2022-11-14 08:55:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7928 https://access.redhat.com/errata/RHSA-2022:7928

Comment 5 errata-xmlrpc 2022-11-15 16:02:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8453 https://access.redhat.com/errata/RHSA-2022:8453

Comment 6 Product Security DevOps Team 2022-12-07 03:33:08 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3787

Note You need to log in before you can comment on or make changes to this bug.