The device-mapper-multipath flaw CVE-2022-41974 (bug 2133988) was addressed in Red Hat Enterprise Linux 8 via erratum RHSA-2022:7192 and in Red Hat Enterprise Linux 9 via erratum RHSA-2022:7185, released on Oct 25, 2022:

https://access.redhat.com/errata/RHSA-2022:7192
https://access.redhat.com/errata/RHSA-2022:7185

However, the fix for this issue was not included in the device-mapper-multipath updates released as part of Red Hat Enterprise Linux 8.7 (RHBA-2022:7714) and 9.1 (RHBA-2022:8313), causing a security regression of the previously released fix. A new CVE id CVE-2022-3787 was assigned for this security regression.

Note that this issue and CVE id are specific to the device-mapper-multipath packages as shipped with Red Hat Enterprise Linux and are not applicable to any upstream device-mapper-multipath version or device-mapper-multipath packages of any other vendor that are not directly based on Red Hat Enterprise Linux packages.

For more information about the original flaw, refer to the CVE page or bug linked above.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8
Via RHSA-2022:7928 https://access.redhat.com/errata/RHSA-2022:7928
This issue has been addressed in the following products: Red Hat Enterprise Linux 9
Via RHSA-2022:8453 https://access.redhat.com/errata/RHSA-2022:8453
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3787