CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Support for security such as Firewalls and securing linux
Post Reply
tboroske
Posts: 4
Joined: 2022/07/05 10:46:52

CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Post by tboroske » 2022/07/19 10:30:34

Dear CentOS maintainers and fellow users,


I have some systems (application servers and workstations) running on CentOS-8 Stream.

These systems are, to my understanding, affected by the privilege escalation bug in nftables namespaces that the two CVE in the subject line are concerned with.

I have employed mitigation measures (disabling user namespaces) so the affected systems should be secure, however, a fixed kernel would be better.

The last kernel package I am seeing on my CentOS 8 Stream systems is kernel-core-4.18.0-394.el8.x86_64 which is dated May 31 2022, too early to contain the fixed code I think.

CentOS-8-Stream is supposed to go EOL on May 31st, 2024, still some time out.

Will there be a new kernel containing a fix, backported or rebased, addressing this bug eventually or did I miss newer packages being available somewhere, wrong dnf config on my part or something like that?


Many thanks for any answer.

Kind regards,

Thomas Boroske

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Post by TrevorH » 2022/07/19 12:00:18

Neither of these appear to be fixed in the RHEL 8.6 kernels either. And RH said that security fixes will go first to the RHEL kernel and Stream only as an after-thought.

https://access.redhat.com/security/cve/CVE-2022-32250 & https://access.redhat.com/security/cve/CVE-2022-1966
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

tboroske
Posts: 4
Joined: 2022/07/05 10:46:52

Re: CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Post by tboroske » 2022/07/19 14:24:16

So, this means CentOS 8 Stream is also unusable now, not just CentOS 8, if I get that right?

I thought Stream was the "replacement" for the discontinued CentOS 8, even if it switched to rolling releases.

So what can we use now:

- Fedora for bleeding edge
- CentOS 7 for stuff that can be ancient

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Post by TrevorH » 2022/07/19 14:41:14

If it's not fixed in RHEL 8 then it's not fixed in any of the clones either so that means Rocky/Alma/OEL/Springdale/Navy Linux, all will be missing the fix. CentOS Stream 8 would also appear to be missing it. I also checked the current Stream 8 kernel changelog with rpm -qpl --changelog http://mirror.centos.org/centos/8-strea ... x86_64.rpm | less and there doesn't seem to be any sign of it being fixed there.

Are you sure it is vulnerable? The comment on https://access.redhat.com/security/cve/CVE-2022-32250 says "The latest kernel in RHCOS is kernel-4.18.0-305.49.1.el8 which does not contain the vulnerable code and is not affected, also OCP v4.9 or earlier are not affected.".
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Post by jlehtone » 2022/07/19 21:30:43

tboroske wrote:
2022/07/19 14:24:16
I thought Stream was the "replacement" for the discontinued CentOS 8, even if it switched to rolling releases.
It is not replacement for CentOS Linux. The CentOS Stream is a putative preview into future point update content (and has lower priority on security fixes because it is "rolling" and not "officially released RHEL for paying customers").

Latest kernel in CentOS Stream 8 is now either:
* Predecessor to kernel that will be in RHEL 8.7
* Version that the RHEL 8.7's kernel is branched from
or
* Predecessor to kernel that will be in RHEL 8.8

The CentOS Linux would have had now the kernel of RHEL 8.6.


Note that the status of CVE-2022-32250 is "fixed" for RHEL 9. Therefore, also Alma 9, Rocky 9, etc should have it fixed.

tboroske
Posts: 4
Joined: 2022/07/05 10:46:52

Re: CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Post by tboroske » 2022/07/20 07:58:17

No, I do not really know if it is affected. The kernels available on my systems are

kernel-core-4.18.0-338.el8.x86_64
kernel-core-4.18.0-383.el8.x86_64
kernel-core-4.18.0-394.el8.x86_64

though, so these all appear to be later than the .305 in the comment.

Regarding the question what CentOS Stream 8 is or isn't and what it can be used for: Originally we wanted something newer than CentOS 7
on our workstations, so switched to CentOS 8. Got caught out by the premature support EOL and so upgraded to CentOS Stream 8.

I'm not sure what to do now really.

User avatar
jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Post by jlehtone » 2022/07/20 09:01:29

I had CentOS 6 on some servers and switched them into CentOS 8 before the 6 died. I would have installed more of 8, but then came the new EoL announcement. I did wait at first. Last Summer there were already Alma and Rocky (in addition to Stream) as options so I side-graded the CentOS 8's into Alma 8 (the choice was almost toss of a coin).

This Spring I had a CentOS Stream 9 in testing, but replaced it with Alma 9 when that materialized. If things do work out, then I'll replace all my CentOS 7 workstations with 9. The 9 requires that CPU supports x86-64-v2 micro-architecture, and my systems do. There are still some applications to work out.

Side-grade from Stream 8 into Alma/Rocky should be possible (although tricky as you'll have to downgrade). I'd rather do clean reinstalls.


Red Hat has backported the vulnerability into their "4.18.0" kernel at some point after the 305. Stream had 338. RH branched 348 for RHEL 8.5. RH branched 372 for RHEL 8.6, while Stream advanced with 383 and 394. RH will hopefully release a fix into the 372, for RHEL 8.6. They will most likely incorporate the fix into future Stream kernel, along with other, novel backports.

tboroske
Posts: 4
Joined: 2022/07/05 10:46:52

Re: CVE-2022-32250 / CVE-2022-1966 für 8-Stream

Post by tboroske » 2022/07/21 08:41:14

There is a new kernel now, that has in it's changelog:

* Fri Jun 10 2022 Jarod Wilson <jarod@redhat.com> [4.18.0-400.el8]
...
- netfilter: nf_tables: disallow non-stateful expression in sets earlier (Phil Sutter) [2092987] {CVE-2022-1966}

The kernel version is 4.18.0-408.el8, the 4.18.9-400 mentioned in the changelog was not made publicly available in the meantime, it seems.

Post Reply