Questions regarding vulnerabilities CVE-2022-0185 and CVE-2021-4034
Hello everyone,
I have a few questions regarding the below two vulnerabilities since searching the forums didn't return any results:
* CVE-2022-0185
* CVE-2021-4034
Regarding CVE-2022-0185, I see RedHat mentioning that kernels of RHEL 7 are not affected but it doesn't mention any specific kernel versions. Does that mean that all kernel versions in CentOS 7 are also not affected by this issue? Is there a way to verify that? For example how can I verify that my 3.10 kernels are vulnerable or not on this vulnerability?
For CVE-2021-4034, there's a detection script that defines the vulnerable versions in it, so I suppose that in that case if any of the systems use any of these versions then it's vulnerable to this vulnerability.
Regards,
nullpid
Re: Questions regarding vulnerabilities CVE-2022-0185 and CVE-2021-4034
nullpid wrote:
Regarding CVE-2022-0185, I see RedHat mentioning that kernels of RHEL 7 are not affected but it doesn't mention any specific kernel version

The bug was introduced in 5.1-rc1 so a 3.10 kernel is not affected.
All versions of polkit everywhere on everything are affected by CVE-2021-4034.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Questions regarding vulnerabilities CVE-2022-0185 and CVE-2021-4034
If I refer to https://access.redhat.com/security/cve/CVE-2022-0185, CentOS 8 might be impacted though, even if it's on 4.18; the feature might have been backported.
Re: Questions regarding vulnerabilities CVE-2022-0185 and CVE-2021-4034
Hi TrevorH and thank you for your quick response.
I'm happy that the 3.10 kernel is not affected but also a little confused: isn't RHEL (and CentOS) backporting features to 3.10 kernels from newer kernels, or did I misunderstand this and backporting is only happening to patch issues whenever they occur?
Regards, nullpid
Re: Questions regarding vulnerabilities CVE-2022-0185 and CVE-2021-4034
tmandel wrote: ↑2022/01/26 11:00:28
If I refer to https://access.redhat.com/security/cve/CVE-2022-0185, CentOS 8 might be impacted though, even if it's on 4.18; the feature might have been backported.

Yes, if I understand that correctly, CentOS 8 was affected and is now marked as fixed, as there are updates available to mitigate the issue.
Re: Questions regarding vulnerabilities CVE-2022-0185 and CVE-2021-4034
Red Hat still backports fixes to both CentOS 7 and 8. Red Hat backports enhancements and new features only for CentOS 8 (CentOS 7 has moved out of the relevant maintenance phase to get such active support).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
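Added example, not from the thread or any of its posters: a POSIX shell check for the two questions raised above. It compares the kernel's upstream base version with 5.1 (where the CVE-2022-0185 bug appeared, per TrevorH) and looks for the CVE id in the RPM changelog, which is where Red Hat records backported fixes; the function names, the labels they print and the sample changelog text are my own constructed choices.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for a RHEL/CentOS host:
# 1. does the kernel's upstream base version predate 5.1, the release in which
#    the CVE-2022-0185 bug appeared (5.1-rc1, per TrevorH above)?
# 2. does a package's RPM changelog name the CVE? That is where Red Hat records
#    backported fixes, and it is the check that matters: CentOS 8's kernel is
#    4.18, yet it was affected and is fixed by errata.

# kernel_base_predates_5_1 "3.10.0-1160.el7.x86_64"  ->  exit 0 (true)
kernel_base_predates_5_1() {
    ver=${1%%-*}                          # drop the distro release: 3.10.0
    major=${ver%%.*}                      # 3
    minor=${ver#*.}; minor=${minor%%.*}   # 10
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 1 ]; }
}

# changelog_mentions CVE-ID  (changelog text on stdin)  ->  exit 0 if present
changelog_mentions() { grep -q -F -- "$1"; }

# classify_kernel UNAME_R CVE-ID CHANGELOG_TEXT -> prints one of:
#   fixed-by-errata         the installed kernel's changelog names the CVE
#   pre-5.1-base            base older than 5.1; not affected unless the vendor
#                           backported the code, so confirm with the advisory
#   5.1-or-later-unpatched  base 5.1 or newer and no fix recorded
classify_kernel() {
    if printf '%s\n' "$3" | changelog_mentions "$2"; then echo fixed-by-errata
    elif kernel_base_predates_5_1 "$1"; then echo pre-5.1-base
    else echo 5.1-or-later-unpatched
    fi
}

# Live host check. "kernel-$(uname -r)" is the running kernel's package name on
# RHEL/CentOS. polkit has no safe base version (all affected), so only the
# errata check applies to it.
report_host() {
    k=$(uname -r)
    echo "kernel: $(classify_kernel "$k" CVE-2022-0185 "$(rpm -q --changelog "kernel-$k" 2>/dev/null)")"
    if rpm -q --changelog polkit 2>/dev/null | changelog_mentions CVE-2021-4034
    then echo "polkit: fixed-by-errata"; else echo "polkit: check-errata"; fi
}

# Constructed sample changelog text (placeholder version, not real errata).
SAMPLE_EL8_CHANGELOG='* Mon Jan 31 2022 Example Maintainer <example@example.invalid> - 4.18.0-EXAMPLE.el8
- kernel: constructed entry standing in for a fix of CVE-2022-0185'
```

Run `report_host` on the machine itself; the sample text only exercises the classifier offline.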
Re: Questions regarding vulnerabilities CVE-2022-0185 and CVE-2021-4034
Yup, Kernel 5.x was in RC phase while RH8 was being pushed out, so we can assume they got in and took features they wanted.
We can also assume that most resources went to RH8 instead of RH7, so once RH8 got out, RH7 was pretty much going into maintenance mode, and the subsequent releases 7.8 & 7.9 are mostly security releases, including maybe some 3rd-party package upgrades. But take that with caution: I'm not related to RedHat, I'm just assuming here.