cve-2021-45486

mania
Posts: 49
Joined: 2020/12/19 05:55:37

cve-2021-45486

Post by mania » 2022/01/31 11:45:00

Hi, according to the description of this CVE there is an information leak in the kernel's IPv4 implementation. Is it vulnerable by default, even if I do not change the default config in net/ipv4/route.c? How can I mitigate this vulnerability?
According to Red Hat's reply there is no mitigation.
The EOL of CentOS 7 is the end of 2024, so why does it say "Out of support scope"?

Description
An information leak flaw was found in the Linux kernel's IPv4 implementation in the ip_rt_init function in net/ipv4/route.c.
https://access.redhat.com/security/cve/cve-2021-45486

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: cve-2021-45486

Post by jlehtone » 2022/01/31 12:18:56

That page explains the "out of scope":
When a product is listed as "Out of Support Scope", it means a vulnerability with the impact level assigned to this CVE is no longer covered by its current support lifecycle phase. The product has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed. The product should be assumed to be affected. Customers are advised to apply any mitigation options documented on this page, consider removing or disabling the impacted component, or upgrade to a supported version of the product that has an update available.
Since they offer no mitigation, the options are to stop using IPv4, stop using EL7 altogether, or just risk it?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: cve-2021-45486

Post by TrevorH » 2022/01/31 12:26:13

The flaw is marked as moderate, and only those rated critical or important get fixed at this stage in CentOS 7's life. Or wait and hope that some big $$$$ paying RH customer reports it and wants it fixed.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
