Bugzilla – Bug 917274
VUL-0: CVE-2015-1573: kernel: panic while flushing nftables rules that reference deleted chains.
Last modified: 2016-09-08 12:23:08 UTC
A flaw was found in the nft_flush_table function in the Linux kernel netfilter tables implementation. The kernel would panic if it was commanded to flush rules referencing chains that had already been deleted.
A local attacker with the CAP_NET_ADMIN capability could use this to panic (denial of service) a system if they were able to flush an affected chain.
Docker images with "root" permissions are not granted this capability by default. Systems with privileged containers (started with docker run -privileged .. ) will be able to expose the system to this condition allowing the defect to be exploited.
bugbot adjusting priority
Michal, can you please take a look.
As nftables were added in mainline 3.13 and were not backported to SLE12,
this should only affect openSUSE 13.2 (the fix is in 3.19-rc5 and Factory
already has 3.19.3). I'll check if 13.2 is really affected and prepare
a backport if it is.
After some unsuccessful attempts to reproduce the issue, I checked the code.
Apparently the buggy code (and, actually, the ability to flush the entire
table (not only rules in it)) wasn't added until v3.18-rc1. Therefore none
of our kernels is currently vulnerable (master/stable are already fixed and
released SLE/openSUSE kernels never were).
Reassigning back to the Security team.
is only upstream
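As an added example (not from this bug report or the kernel project), a small POSIX shell script that applies the two facts this thread establishes: the affected upstream window (buggy nft_flush_table code from v3.18-rc1 until the fix in 3.19-rc5) and the CAP_NET_ADMIN precondition, which it checks via the CapEff mask in /proc/self/status. Function names and the sample release strings are my own; distribution backports are not accounted for.

```shell
#!/bin/sh
# Added example, not part of the bug report. Classifies a kernel release
# string against the window described in the thread (vulnerable code added
# in v3.18-rc1, fixed in v3.19-rc5) and tests a CapEff mask for
# CAP_NET_ADMIN, the capability the report names as required to trigger it.
# Distro backports are ignored; release strings below are constructed input.

# Print "vulnerable" or "not-vulnerable" for a release like "3.18.7" or "3.19.0-rc4".
nft_flush_window() {
    rel=$1
    major=${rel%%.*}            # "3" from "3.19.0-rc4"
    rest=${rel#*.}              # "19.0-rc4"
    minor=${rest%%[!0-9]*}      # "19"
    rc=0                        # 0 means a final release, not an -rcN
    case $rel in
        *-rc[0-9]*) rc=${rel##*-rc}; rc=${rc%%[!0-9]*} ;;
    esac
    if [ "$major" -ne 3 ]; then
        echo not-vulnerable; return 0
    fi
    if [ "$minor" -eq 18 ]; then
        echo vulnerable          # every 3.18 release from rc1 onward
    elif [ "$minor" -eq 19 ] && [ "$rc" -ge 1 ] && [ "$rc" -lt 5 ]; then
        echo vulnerable          # 3.19-rc1 .. 3.19-rc4, before the fix landed
    else
        echo not-vulnerable
    fi
}

# Return 0 if a hex CapEff mask (format of /proc/<pid>/status) includes
# CAP_NET_ADMIN, which is capability number 12 in the Linux bitmask.
has_cap_net_admin() {
    mask=$1
    bit=$(( (0x$mask >> 12) & 1 ))
    [ "$bit" -eq 1 ]
}

# Check the calling process itself, e.g. from inside a container.
current_cap_net_admin() {
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    has_cap_net_admin "$mask"
}

# Example run: a default (unprivileged) Docker root has CapEff 00000000a80425fb,
# which lacks bit 12; a privileged container or host root has 0000003fffffffff.
echo "uname -r $(uname -r): $(nft_flush_window "$(uname -r)")"
```

The first function answers "is this upstream release in the affected window"; the second answers "could this process even reach the flush path", which is the distinction the report draws between default and privileged containers.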