First published: Sun Jul 04 2021
A flaw was discovered in the processing of setsockopt IPT_SO_SET_REPLACE (or IP6T_SO_SET_REPLACE) for 32-bit processes on 64-bit systems. This flaw allows a local user to gain privileges or cause a DoS through a user namespace. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.
Credit: cve-coordination@google.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel-rt | <0:3.10.0-1160.41.1.rt56.1181.el7 | 0:3.10.0-1160.41.1.rt56.1181.el7 |
redhat/kernel | <0:3.10.0-1160.41.1.el7 | 0:3.10.0-1160.41.1.el7 |
redhat/kernel | <0:3.10.0-327.100.1.el7 | 0:3.10.0-327.100.1.el7 |
redhat/kernel | <0:3.10.0-514.92.1.el7 | 0:3.10.0-514.92.1.el7 |
redhat/kernel | <0:3.10.0-693.94.1.el7 | 0:3.10.0-693.94.1.el7 |
redhat/kernel | <0:3.10.0-957.84.1.el7 | 0:3.10.0-957.84.1.el7 |
redhat/kernel | <0:3.10.0-1062.56.1.el7 | 0:3.10.0-1062.56.1.el7 |
redhat/kernel-rt | <0:4.18.0-305.12.1.rt7.84.el8_4 | 0:4.18.0-305.12.1.rt7.84.el8_4 |
redhat/kernel | <0:4.18.0-305.12.1.el8_4 | 0:4.18.0-305.12.1.el8_4 |
redhat/kernel | <0:4.18.0-147.52.1.el8_1 | 0:4.18.0-147.52.1.el8_1 |
redhat/kernel-rt | <0:4.18.0-193.64.1.rt13.115.el8_2 | 0:4.18.0-193.64.1.rt13.115.el8_2 |
redhat/kernel | <0:4.18.0-193.64.1.el8_2 | 0:4.18.0-193.64.1.el8_2 |
redhat/redhat-virtualization-host | <0:4.3.18-20210903.0.el7_9 | 0:4.3.18-20210903.0.el7_9 |
redhat/redhat-virtualization-host | <0:4.4.7-20210804.0.el8_4 | 0:4.4.7-20210804.0.el8_4 |
Linux Linux kernel | >=2.6.19, <4.4.267 | |
Linux Linux kernel | >=4.5, <4.9.267 | |
Linux Linux kernel | >=4.10, <4.14.231 | |
Linux Linux kernel | >=4.15, <4.19.188 | |
Linux Linux kernel | >=4.20, <5.4.113 | |
Linux Linux kernel | >=5.5, <5.10.31 | |
Linux Linux kernel | >=5.11, <5.12 | |
Brocade Fabric Operating System | | |
Netapp Fas 8300 Firmware | | |
Netapp Fas 8300 | | |
Netapp Fas 8700 Firmware | | |
Netapp Fas 8700 | | |
Netapp Aff A400 Firmware | | |
Netapp Aff A400 | | |
Netapp Aff A250 Firmware | | |
Netapp Aff A250 | | |
Netapp Aff 500f Firmware | | |
Netapp Aff 500f | | |
Netapp H610c Firmware | | |
Netapp H610c | | |
Netapp H610s Firmware | | |
Netapp H610s | | |
Netapp H615c Firmware | | |
Netapp H615c | | |
Netapp Hci Management Node | | |
Netapp Solidfire | | |
redhat/Kernel | <5.12 | 5.12 |
IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 | |

The mitigation for Red Hat Enterprise Linux 8 is to prevent unprivileged users from running unshare(CLONE_NEWUSER) or unshare(CLONE_NEWNET), which can be done with the following command:

    echo 0 > /proc/sys/user/max_user_namespaces

Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.

To make this configuration change permanent, configure RHEL 8 to disable the use of user namespaces by adding the following line to a file in the "/etc/sysctl.d/" directory:

    user.max_user_namespaces = 0

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

    $ sudo sysctl --system

The other mitigation for containers, without disabling user namespaces, is to block the pertinent syscalls in a seccomp policy file. For more information about seccomp, please read: https://www.openshift.com/blog/seccomp-for-fun-and-profit
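
A triage helper for the upstream version ranges in the table and the sysctl mitigation above, as an added example that is not part of the original advisory or any vendor tooling. The function names, verdict strings and the optional file argument are assumptions made here; the version check is only meaningful for mainline version numbers, because distribution kernels such as the Red Hat packages listed carry backported fixes and must be compared against the package versions in the table instead.

```shell
#!/bin/sh
# Added example (not vendor code): triage a mainline kernel version against
# the "Linux Linux kernel" ranges in the table, then check the sysctl mitigation.
# Each entry is lo:hi, meaning lo <= version < hi.
RANGES='2.6.19:4.4.267 4.5:4.9.267 4.10:4.14.231 4.15:4.19.188
4.20:5.4.113 5.5:5.10.31 5.11:5.12'

# ver_lt A B: succeeds when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# in_affected_range VERSION: succeeds when VERSION falls in a listed range.
in_affected_range() {
    v=${1%%-*}    # drop a local build suffix such as "-custom"
    for r in $RANGES; do
        lo=${r%%:*}
        hi=${r##*:}
        if ! ver_lt "$v" "$lo" && ver_lt "$v" "$hi"; then
            return 0
        fi
    done
    return 1
}

# userns_disabled [FILE]: succeeds when user.max_user_namespaces is 0.
# FILE is a hypothetical override used for testing; default is the live sysctl.
userns_disabled() {
    f=${1:-/proc/sys/user/max_user_namespaces}
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# triage VERSION [FILE]: print a single verdict word (names chosen here).
triage() {
    if ! in_affected_range "$1"; then
        echo "not-in-listed-range"
    elif userns_disabled "${2:-}"; then
        echo "affected-mitigated"
    else
        echo "affected-unmitigated"
    fi
}

# Check the running host only when asked to: sh triage.sh --host
if [ "${1:-}" = "--host" ]; then
    triage "$(uname -r)"
fi
```

The upper bound of each range is the first fixed release, so 5.10.31 and 5.12 are reported as outside the listed ranges.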
CVE-2021-22555 is a heap out-of-bounds write vulnerability affecting the Linux kernel since v2.6.19-rc1 in the net/netfilter/x_tables component.
CVE-2021-22555 allows a local user to gain privileges or cause a denial-of-service (DoS) through a user namespace.
Linux kernel versions between v2.6.19-rc1 and 5.12 are affected by CVE-2021-22555.
CVE-2021-22555 has a severity rating of 7.8 (High).
To fix CVE-2021-22555, update the Linux kernel to version 5.12 or apply the appropriate patches as recommended by the vendor.