Bug 2225275 (CVE-2023-4004) - CVE-2023-4004 kernel: netfilter: use-after-free due to improper element removal in nft_pipapo_remove()
Summary: CVE-2023-4004 kernel: netfilter: use-after-free due to improper element remov...
Keywords:
Status: NEW
Alias: CVE-2023-4004
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2225276 2225277 2227503 2227504 2227505 2227506 2227507 2227508 2227509 2227510 2227511 2227512 2227513 2227514 2227515 2227516 2227517 2227518 2227519 2228794 2228795 2228796 2228797 2228798 2228799 2228800
Blocks: 2225252
TreeView+ depends on / blocked
 
Reported: 2023-07-24 20:33 UTC by Alex
Modified: 2023-11-27 01:08 UTC (History)
49 users (show)

Fixed In Version: kernel 6.5-rc5
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5149 0 None None None 2023-09-14 05:20:44 UTC
Red Hat Product Errata RHBA-2023:5162 0 None None None 2023-09-14 08:11:50 UTC
Red Hat Product Errata RHBA-2023:5301 0 None None None 2023-09-19 18:56:23 UTC
Red Hat Product Errata RHBA-2023:5328 0 None None None 2023-09-21 11:17:39 UTC
Red Hat Product Errata RHBA-2023:5329 0 None None None 2023-09-21 12:27:53 UTC
Red Hat Product Errata RHBA-2023:5338 0 None None None 2023-09-25 01:13:45 UTC
Red Hat Product Errata RHBA-2023:5355 0 None None None 2023-09-26 10:24:56 UTC
Red Hat Product Errata RHBA-2023:7490 0 None None None 2023-11-27 01:08:43 UTC
Red Hat Product Errata RHSA-2023:4961 0 None None None 2023-09-05 08:58:54 UTC
Red Hat Product Errata RHSA-2023:4962 0 None None None 2023-09-05 09:06:45 UTC
Red Hat Product Errata RHSA-2023:4967 0 None None None 2023-09-05 09:06:54 UTC
Red Hat Product Errata RHSA-2023:5069 0 None None None 2023-09-12 10:14:23 UTC
Red Hat Product Errata RHSA-2023:5091 0 None None None 2023-09-12 09:51:00 UTC
Red Hat Product Errata RHSA-2023:5093 0 None None None 2023-09-12 09:52:30 UTC
Red Hat Product Errata RHSA-2023:5221 0 None None None 2023-09-19 08:00:30 UTC
Red Hat Product Errata RHSA-2023:5244 0 None None None 2023-09-19 14:35:26 UTC
Red Hat Product Errata RHSA-2023:5255 0 None None None 2023-09-19 14:02:32 UTC
Red Hat Product Errata RHSA-2023:5548 0 None None None 2023-10-10 09:40:48 UTC
Red Hat Product Errata RHSA-2023:5627 0 None None None 2023-10-10 16:26:30 UTC
Red Hat Product Errata RHSA-2023:7382 0 None None None 2023-11-21 11:16:09 UTC
Red Hat Product Errata RHSA-2023:7389 0 None None None 2023-11-21 11:12:32 UTC
Red Hat Product Errata RHSA-2023:7411 0 None None None 2023-11-21 12:24:32 UTC
Red Hat Product Errata RHSA-2023:7417 0 None None None 2023-11-21 14:43:42 UTC
Red Hat Product Errata RHSA-2023:7431 0 None None None 2023-11-21 15:26:31 UTC
Red Hat Product Errata RHSA-2023:7434 0 None None None 2023-11-21 15:32:02 UTC

Description Alex 2023-07-24 20:33:46 UTC 
A flaw in the Linux Kernel found. Improper element removal in function nft_pipapo_remove when insert an element without a NFT_SET_EXT_KEY_END that can lead to use-after-free.

Reference:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230719190824.21196-1-fw@strlen.de/
Comment 6 Alex 2023-07-30 11:29:39 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2227503]
Comment 13 Justin M. Forbes 2023-08-07 21:39:24 UTC 
This was fixed for Fedora with the 6.4.7 stable kernel updates.
Comment 14 errata-xmlrpc 2023-09-05 08:58:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4961 https://access.redhat.com/errata/RHSA-2023:4961
Comment 15 errata-xmlrpc 2023-09-05 09:06:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4962 https://access.redhat.com/errata/RHSA-2023:4962
Comment 16 errata-xmlrpc 2023-09-05 09:06:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:4967 https://access.redhat.com/errata/RHSA-2023:4967
Comment 17 errata-xmlrpc 2023-09-12 09:50:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5091 https://access.redhat.com/errata/RHSA-2023:5091
Comment 18 errata-xmlrpc 2023-09-12 09:52:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5093 https://access.redhat.com/errata/RHSA-2023:5093
Comment 19 errata-xmlrpc 2023-09-12 10:14:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5069 https://access.redhat.com/errata/RHSA-2023:5069
Comment 20 errata-xmlrpc 2023-09-19 08:00:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5221 https://access.redhat.com/errata/RHSA-2023:5221
Comment 21 errata-xmlrpc 2023-09-19 14:02:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5255 https://access.redhat.com/errata/RHSA-2023:5255
Comment 22 errata-xmlrpc 2023-09-19 14:35:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5244 https://access.redhat.com/errata/RHSA-2023:5244
Comment 23 errata-xmlrpc 2023-10-10 09:40:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5548 https://access.redhat.com/errata/RHSA-2023:5548
Comment 24 errata-xmlrpc 2023-10-10 16:26:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627
Comment 26 errata-xmlrpc 2023-11-21 11:12:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7389 https://access.redhat.com/errata/RHSA-2023:7389
Comment 27 errata-xmlrpc 2023-11-21 11:16:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7382 https://access.redhat.com/errata/RHSA-2023:7382
Comment 28 errata-xmlrpc 2023-11-21 12:24:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7411 https://access.redhat.com/errata/RHSA-2023:7411
Comment 29 errata-xmlrpc 2023-11-21 14:43:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:7417 https://access.redhat.com/errata/RHSA-2023:7417
Comment 30 errata-xmlrpc 2023-11-21 15:26:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7431 https://access.redhat.com/errata/RHSA-2023:7431
Comment 31 errata-xmlrpc 2023-11-21 15:31:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7434 https://access.redhat.com/errata/RHSA-2023:7434
Note You need to log in before you can comment on or make changes to this bug.