Bug 1184675 - (CVE-2021-23133) VUL-0: CVE-2021-23133: kernel-source: sctp_destroy_sock list_del race condition
(CVE-2021-23133)
VUL-0: CVE-2021-23133: kernel-source: sctp_destroy_sock list_del race condition
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv3.1:SUSE:CVE-2021-23133:7.0:(AV:...
:
Depends on:
Blocks: 1185901
  Show dependency treegraph
 
Reported: 2021-04-13 14:06 UTC by Robert Frohl
Modified: 2022-06-22 00:56 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 8 Michal Kubeček 2021-04-13 19:50:22 UTC
The fix has been submitted to netdev mailing list:

https://patchwork.kernel.org/project/netdevbpf/patch/20210413181031.27557-1-orcohen@paloaltonetworks.com/
Comment 9 Michal Kubeček 2021-04-16 15:43:16 UTC
In net tree now as commit

  b166a20b0738 ("net/sctp: fix race condition in sctp_destroy_sock")

It should appear in mainline with the same commit id soon.
Comment 11 Robert Frohl 2021-04-19 07:01:11 UTC
oss-security:

Hello,

This is an announcement about CVE-2021-23133 which is a race-condition
I found in Linux kernel sctp sockets (net/sctp/socket.c). It can lead to kernel
privilege escalation from the context of a network service or from
an unprivileged process if certain conditions are met.

The bug was fixed on April 13, 2021:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b

=*=*=*=*=*=*=*=*=   VULNERABILITY DETAILS - sctp_destroy_sock list_del
race condition =*=*=*=*=*=*=*=*=

All of the code figures below are from kernel version 5.11

The netns_sctp struct contains sctp related information per network namespace,
one if it's fields is the auto_asconf_splist list.
As the list can be accessed from multiple threads, every access to the list
should be protected by the addr_wq_lock spinlock.

(include/net/netns/sctp.h - netns_sctp structure)
...
    struct list_head addr_waitq;
    struct timer_list addr_wq_timer;
    struct list_head auto_asconf_splist;
    /* Lock that protects both addr_waitq and auto_asconf_splist */
    spinlock_t addr_wq_lock;
...

The sctp_sock struct contains the auto_asconf_list field which is used in order
to add elements to the auto_asconf_splist.

(include/net/sctp/struct.h - sctp_sock structure)
...
    struct list_head auto_asconf_list;
...

When creating a sctp socket, the sctp_init_sock method is called, after
setting up and initializing the sock structure, the following code
is executed in the end of the function:

(net/sctp/socket.c - sctp_init_sock function)
...
if (net->sctp.default_auto_asconf) {
spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
list_add_tail(&sp->auto_asconf_list,
    &net->sctp.auto_asconf_splist);
sp->do_auto_asconf = 1;
spin_unlock(&sock_net(sk)->sctp.addr_wq_lock);
}
...

net->sctp.default_auto_asconf can be set to true via writing to the
proc variable "/proc/sys/net/sctp/default_auto_asconf", which is per
network namespace. If this variable is set, the socket will be added to
the per network namespace auto_asconf_list and do_auto_asconf will be set
to 1 in the socket.

The bug lies in the sctp_destroy_sock function, this function assumes that
when it's called, the addr_wq_lock is held, so it allows itself to run the
following code without any additional locking mechanism:
...
    if (sp->do_auto_asconf) {
sp->do_auto_asconf = 0;
list_del(&sp->auto_asconf_list);
}
...

However, there are 2 places in kernel code where sk_common_release (which
calls sctp_destroy_sock) is called without taking the lock:
1. In sctp_accept, if the sctp_sock_migrate function fails.
2. In inet_create or inet6_create, if there is a bpf program
   attached to BPF_CGROUP_INET_SOCK_CREATE which denies
   creation of the sctp socket.

=*=*=*=*=*=*=*=*=   TRIGGERING THE VULNERABILITY   =*=*=*=*=*=*=*=*=

I wrote a poc (stcp_race_priv_user.c) which triggers the vulnerability
via technique (2), the poc
simply attaches BPF_CGROUP_SOCK program to BPF_CGROUP_INET_SOCK_CREATE
which denies creation of any socket, and then runs 2 threads that
each one of them creates sctp sockets in a loop. The race is then triggered
and list_add corruption is detected in sctp_init_sock. When running with
CONFIG_DEBUG_LIST the kernel is crashing immediately:

The call stack is as follows:
...
[   69.693724] list_add corruption. prev->next should be next
(ffffffff829fa980), but was dead000000000100. (prev=ffff8881079b8538).
[   69.694693] WARNING: CPU: 12 PID: 409 at lib/list_debug.c:28
__list_add_valid+0x4d/0x70
[   69.695345] Modules linked in:
[   69.695601] CPU: 12 PID: 409 Comm: test_sctp_race Not tainted 5.11.0 #74
[   69.696167] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   69.696949] RIP: 0010:__list_add_valid+0x4d/0x70
[   69.697336] Code: c3 48 89 c1 48 c7 c7 10 97 59 82 e8 4d 4f c1 ff
0f 0b 31 c0 c3 48 89 d1 48 c7 c7 60 97 59 82 48 89 f2 48 89 c6 e8 33
4f c1 ff <0f> 0b 31 c0 c3 48 89 fe 48 89 c1 48 c7 c7 b0 97 59 82 e8 1c
4f c1
[   69.698864] RSP: 0018:ffffc90000647e48 EFLAGS: 00010282
[   69.699300] RAX: 0000000000000000 RBX: ffff8881079a8000 RCX: 0000000000000000
[   69.699903] RDX: ffff88842fd27860 RSI: ffff88842fd17a50 RDI: ffff88842fd17a50
[   69.700487] RBP: ffffffff829fa000 R08: 0000000000000003 R09: 0000000000000001
[   69.701086] R10: ffff888100c83a60 R11: ffffc90000647c58 R12: ffff8881079b8538
[   69.701688] R13: ffff8881079a8538 R14: ffffffff829fa980 R15: 0000000000000084
[   69.702273] FS:  00007f2fb82c7b40(0000) GS:ffff88842fd00000(0000)
knlGS:0000000000000000
[   69.702950] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   69.703426] CR2: 00007f2fb76bcff8 CR3: 0000000107960004 CR4: 00000000003706e0
[   69.704019] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   69.704601] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   69.705200] Call Trace:
[   69.705414]  sctp_init_sock+0x339/0x380
[   69.705759]  inet_create+0x1ac/0x350
[   69.706054]  __sock_create+0xfd/0x200
[   69.706365]  __sys_socket+0x55/0xd0
[   69.706674]  ? exit_to_user_mode_prepare+0x2f/0x120
[   69.707079]  __x64_sys_socket+0x11/0x20
[   69.707398]  do_syscall_64+0x33/0x40
[   69.707715]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.708139] RIP: 0033:0x7f2fb77a7f17
...

This specific poc (stcp_race_priv_user.c) requires CAP_BPF and
CAP_NET_ADMIN capabilities in order
to attach the bpf program, according to https://lwn.net/Articles/820560/,
this is still considered a security boundary.

=*=*=*=*=*=*=*=*=   TRIGGERING FROM UNPRIVILEGED USER  =*=*=*=*=*=*=*=*=

However, if a BPF_CGROUP_INET_SOCK_CREATE program  is already attached,
such that an unprivileged user can fail a creation of some sctp socket,
then the vulnerability can be triggered by an unprivileged user if unprivileged
 user namespaces are enabled, by creating a new user and network
namespace, setting
"/proc/sys/net/sctp/default_auto_asconf" in the new network namespace
and then racing between the 2 threads.

This can be demonstrated by the following files:

1. load_bpf_prog.c - Which loads the BPF_CGROUP_INET_SOCK_CREATE, and should
    be run from a privileged process.
2. stcp_race_unpriv_user.c - Which can be run from a regular, unprivileged
    user.

I haven't checked, but there are probably network security tools which attaches
bpf program to BPF_CGROUP_INET_SOCK_CREATE.

Regarding triggering via technique (2), which is failing sctp_sock_migrate in
sctp_accept, I've tried many tricks in order to fail sctp_sock_migrate
but eventually this requires failing some kmalloc or crypto calls,
which I couldn't
fail in a modern Ubuntu with almost the latest kernel.
However, it may be possible to do that in older kernel versions, or with
some other trick which I am not aware about, or if sctp_accept or
sctp_sock_migrate
changes in the future.

Note that by triggering via this technique, the vulnerability can be triggered
from an unprivileged user without the BPF_CGROUP_INET_SOCK_CREATE
program attached.

=*=*=*=*=*=*=*=*=    TIMELINE    =*=*=*=*=*=*=*=*=

2021-04-08: Bug reported to security () kernel org and linux-distros
() vs openwall org
2021-04-13: Patch submitted to netdev
2021-04-17: Patch committed to mainline kernel
2021-04-18: Public announcement

=*=*=*=*=*=*=*=*=     CREDIT     =*=*=*=*=*=*=*=*=

Or Cohen
Palo Alto Networks
Comment 12 Robert Frohl 2021-04-19 08:13:47 UTC
b166a20b0738:
> Fixes: 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications")

commit 610236587600 part of v4.10, tracking SLE12-SP4 and newer as affected
Comment 13 Marcus Meissner 2021-05-11 09:55:55 UTC
On Sun, Apr 18, 2021 at 11:41:06AM +0300, Or Cohen wrote:
> Hello,
> 
> This is an announcement about CVE-2021-23133 which is a race-condition
> I found in Linux kernel sctp sockets (net/sctp/socket.c). It can lead to kernel
> privilege escalation from the context of a network service or from
> an unprivileged process if certain conditions are met.
> 
> The bug was fixed on April 13, 2021:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b

It looks that additionally
https://git.kernel.org/linus/34e5b01186858b36c4d7c87e1a025071e8e2401f
refer to CVE-2021-23133.

Are both commits necessary?

Regards,
Salvatore
Comment 14 Marcus Meissner 2021-05-11 09:56:25 UTC
From: Alex Murray <alex.murray@canonical.com>                                                                                                                                                

On Mon, 2021-05-10 at 13:54:43 +0930, Salvatore Bonaccorso wrote:                                                                                                                            
                                                                                                                                                                                             
> Hi,                                                                                                                                                                                        
>                                                                                                                                                                                            
> On Sun, Apr 18, 2021 at 11:41:06AM +0300, Or Cohen wrote:                                                                                                                                  
> > Hello,                                                                                                                                                                                   
> >                                                                                                                                                                                          
> > This is an announcement about CVE-2021-23133 which is a race-condition                                                                                                                   
> > I found in Linux kernel sctp sockets (net/sctp/socket.c). It can lead                                                                                                                    
> > to kernel                                                                                                                                                                                
> > privilege escalation from the context of a network service or from                                                                                                                       
> > an unprivileged process if certain conditions are met.                                                                                                                                   
> >                                                                                                                                                                                          
> > The bug was fixed on April 13, 2021:                                                                                                                                                     
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b                                                                   
>                                                                                                                                                                                            
> It looks that additionally                                                                                                                                                                 
> https://git.kernel.org/linus/34e5b01186858b36c4d7c87e1a025071e8e2401f                                                                                                                      
> refer to CVE-2021-23133.                                                                                                                                                                   


It seems b166a20b07382b8bc1dcee2a448715c9c2c81b5b got reverted in the                                                                                                                        
follow-up commit                                                                                                                                                                             
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sctp/socket.c?id=01bfe5e8e428b475982a98a46cca5755726f3f7f                                                      
and so 34e5b01186858b36c4d7c87e1a025071e8e2401f would appear to be the                                                                                                                       
most correct fix from what I can tell.
Comment 15 Marcus Meissner 2021-05-11 09:56:34 UTC
Hi Alex,                                                                                                                                                                                     
                                                                                                                                                                                             
On Mon, May 10, 2021 at 03:28:02PM +0930, Alex Murray wrote:                                                                                                                                 
>                                                                                                                                                                                            
> On Mon, 2021-05-10 at 13:54:43 +0930, Salvatore Bonaccorso wrote:                                                                                                                          
>                                                                                                                                                                                            
> > Hi,                                                                                                                                                                                      
> >                                                                                                                                                                                          
> > On Sun, Apr 18, 2021 at 11:41:06AM +0300, Or Cohen wrote:                                                                                                                                
> > > Hello,                                                                                                                                                                                 
> > >                                                                                                                                                                                        
> > > This is an announcement about CVE-2021-23133 which is a race-condition                                                                                                                 
> > > I found in Linux kernel sctp sockets (net/sctp/socket.c). It can                                                                                                                       
> > > lead to kernel                                                                                                                                                                         
> > > privilege escalation from the context of a network service or from                                                                                                                     
> > > an unprivileged process if certain conditions are met.                                                                                                                                 
> > >                                                                                                                                                                                        
> > > The bug was fixed on April 13, 2021:                                                                                                                                                   
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b                                                                 
> >                                                                                                                                                                                          
> > It looks that additionally                                                                                                                                                               
> > https://git.kernel.org/linus/34e5b01186858b36c4d7c87e1a025071e8e2401f                                                                                                                    
> > refer to CVE-2021-23133.                                                                                                                                                                 
>                                                                                                                                                                                            
> It seems b166a20b07382b8bc1dcee2a448715c9c2c81b5b got reverted in the                                                                                                                      
> follow-up commit                                                                                                                                                                           
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sctp/socket.c?id=01bfe5e8e428b475982a98a46cca5755726f3f7f                                                    
> and so 34e5b01186858b36c4d7c87e1a025071e8e2401f would appear to be the                                                                                                                     
> most correct fix from what I can tell.                                                                                                                                                     
                                                                                                                                                                                             
Ah right, I missed the revert of the original commit.                                                                                                                                        
                                                                                                                                                                                             
Thanks for pointing that to me.                                                                                                                                                              
                                                                                                                                                                                             
Regards,                                                                                                                                                                                     
Salvatore
Comment 16 Marcus Meissner 2021-05-11 09:58:19 UTC
can you check if the state is good, as the b6 commit seem to have been reverted?
Comment 17 Michal Kubeček 2021-05-11 19:35:44 UTC
We did not have either of the three commits in any of our branches. The issue
was introduced in 4.10-rc1 by commit 610236587600 ("bpf: Add new cgroup attach
type to enable sock modifications") which was not backported into any older
branch so that only 4.12 and 5.3 based branches and stable are affected.

Submitted 34e5b0118685 to SLE15-SP2 and cve/linux-4.12 together with blacklist
entry for b166a20b0738 (so that git-fixes script does not suggest it) and both
01bfe5e8e428 and 34e5b0118685 into stable (b166a20b0738 is in 5.12 but the
other two are mainline 5.13-rc1).

Reassigning back to security team.
Comment 25 Swamp Workflow Management 2021-06-08 16:18:56 UTC
SUSE-SU-2021:1891-1: An update that solves 12 vulnerabilities and has 15 fixes is now available.

Category: security (important)
Bug References: 1176081,1180846,1183947,1184611,1184675,1185642,1185677,1185680,1185724,1185859,1185860,1185862,1185863,1185898,1185899,1185901,1185938,1185950,1185987,1186060,1186061,1186062,1186111,1186285,1186390,1186484,1186498
CVE References: CVE-2020-24586,CVE-2020-24587,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23133,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    kernel-default-4.12.14-95.77.1, kernel-source-4.12.14-95.77.1, kernel-syms-4.12.14-95.77.1
SUSE OpenStack Cloud 9 (src):    kernel-default-4.12.14-95.77.1, kernel-source-4.12.14-95.77.1, kernel-syms-4.12.14-95.77.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    kernel-default-4.12.14-95.77.1, kernel-source-4.12.14-95.77.1, kernel-syms-4.12.14-95.77.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    kernel-default-4.12.14-95.77.1, kernel-source-4.12.14-95.77.1, kernel-syms-4.12.14-95.77.1
SUSE Linux Enterprise Live Patching 12-SP4 (src):    kernel-default-4.12.14-95.77.1, kgraft-patch-SLE12-SP4_Update_21-1-6.3.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    kernel-default-4.12.14-95.77.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2021-06-08 16:59:09 UTC
SUSE-SU-2021:1887-1: An update that solves 12 vulnerabilities and has 38 fixes is now available.

Category: security (important)
Bug References: 1064802,1066129,1087082,1101816,1103992,1104427,1104745,1109837,1112374,1113431,1126390,1133021,1152457,1174682,1176081,1177666,1180552,1181383,1182256,1183738,1183754,1183947,1184040,1184081,1184082,1184611,1184675,1184855,1185428,1185481,1185642,1185680,1185703,1185724,1185758,1185859,1185860,1185863,1185898,1185899,1185906,1185938,1186060,1186062,1186285,1186416,1186439,1186441,1186460,1186484
CVE References: CVE-2020-24586,CVE-2020-24587,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23133,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.59.1, kernel-source-azure-4.12.14-16.59.1, kernel-syms-azure-4.12.14-16.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2021-06-09 16:33:40 UTC
SUSE-SU-2021:1913-1: An update that solves 12 vulnerabilities and has 52 fixes is now available.

Category: security (important)
Bug References: 1064802,1066129,1087082,1101816,1103992,1104353,1104427,1104745,1109837,1112374,1113431,1126390,1133021,1152457,1174682,1176081,1177666,1180552,1181383,1182256,1183738,1183754,1183947,1184040,1184081,1184082,1184611,1184675,1184855,1185428,1185481,1185642,1185677,1185680,1185703,1185724,1185758,1185827,1185859,1185860,1185862,1185863,1185898,1185899,1185901,1185906,1185938,1185950,1185987,1186060,1186061,1186062,1186111,1186285,1186390,1186416,1186439,1186441,1186452,1186460,1186484,1186487,1186498,1186573
CVE References: CVE-2020-24586,CVE-2020-24587,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23133,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.74.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.74.2, kernel-obs-build-4.12.14-122.74.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.74.1, kernel-source-4.12.14-122.74.1, kernel-syms-4.12.14-122.74.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.74.1, kgraft-patch-SLE12-SP5_Update_19-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2021-06-09 16:40:20 UTC
SUSE-SU-2021:1912-1: An update that solves 12 vulnerabilities and has 15 fixes is now available.

Category: security (important)
Bug References: 1181161,1183405,1183738,1183947,1184611,1184675,1185642,1185680,1185725,1185859,1185860,1185862,1185863,1185898,1185899,1185901,1185938,1185950,1185987,1186060,1186061,1186062,1186111,1186285,1186390,1186484,1186498
CVE References: CVE-2020-24586,CVE-2020-24587,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23133,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1, kernel-zfcpdump-4.12.14-197.92.1
SUSE Manager Retail Branch Server 4.0 (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1
SUSE Manager Proxy 4.0 (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1, kernel-zfcpdump-4.12.14-197.92.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1
SUSE Linux Enterprise Module for Live Patching 15-SP1 (src):    kernel-default-4.12.14-197.92.1, kernel-livepatch-SLE15-SP1_Update_25-1-3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    kernel-default-4.12.14-197.92.1
SUSE Enterprise Storage 6 (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1
SUSE CaaS Platform 4.0 (src):    kernel-default-4.12.14-197.92.1, kernel-docs-4.12.14-197.92.1, kernel-obs-build-4.12.14-197.92.1, kernel-source-4.12.14-197.92.1, kernel-syms-4.12.14-197.92.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2021-07-21 13:22:40 UTC
SUSE-SU-2021:2421-1: An update that solves 24 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1176081,1179610,1183738,1184611,1184675,1185642,1185725,1185859,1185860,1185861,1185862,1185898,1185987,1186060,1186062,1186111,1186463,1186484,1187038,1187050,1187215,1187452,1187554,1187595,1187601,1188062,1188116
CVE References: CVE-2020-24586,CVE-2020-24587,CVE-2020-24588,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129,CVE-2021-0512,CVE-2021-0605,CVE-2021-22555,CVE-2021-23133,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-33624,CVE-2021-33909,CVE-2021-34693,CVE-2021-3491,CVE-2021-3609
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    kernel-default-4.12.14-150.75.1, kernel-docs-4.12.14-150.75.1, kernel-obs-build-4.12.14-150.75.1, kernel-source-4.12.14-150.75.1, kernel-syms-4.12.14-150.75.1, kernel-vanilla-4.12.14-150.75.1
SUSE Linux Enterprise Server 15-LTSS (src):    kernel-default-4.12.14-150.75.1, kernel-docs-4.12.14-150.75.1, kernel-obs-build-4.12.14-150.75.1, kernel-source-4.12.14-150.75.1, kernel-syms-4.12.14-150.75.1, kernel-vanilla-4.12.14-150.75.1, kernel-zfcpdump-4.12.14-150.75.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-150.75.1, kernel-livepatch-SLE15_Update_25-1-1.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    kernel-default-4.12.14-150.75.1, kernel-docs-4.12.14-150.75.1, kernel-obs-build-4.12.14-150.75.1, kernel-source-4.12.14-150.75.1, kernel-syms-4.12.14-150.75.1, kernel-vanilla-4.12.14-150.75.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    kernel-default-4.12.14-150.75.1, kernel-docs-4.12.14-150.75.1, kernel-obs-build-4.12.14-150.75.1, kernel-source-4.12.14-150.75.1, kernel-syms-4.12.14-150.75.1, kernel-vanilla-4.12.14-150.75.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Marcus Meissner 2021-09-14 13:41:13 UTC
released