Bugzilla – Bug 917274
VUL-0: CVE-2015-1573: kernel: panic while flushing nftables rules that reference deleted chains.
Last modified: 2016-09-08 12:23:08 UTC
rh#1190966 A flaw was found in the nft_flush_table function in the Linux kernel netfilter tables implementation. The kernel would panic if it was commanded to flush rules referencing chains that had already been deleted. A local attacker with the CAP_NET_ADMIN capability could use this to panic (denial of service) a system if they were able to flush an affected chain. Docker images with "root" permissions are not granted this capability by default. Systems with privileged containers (started with docker run --privileged ..) will be able to expose the system to this condition, allowing the defect to be exploited.

Fix: http://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1190966
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1573
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1573.html
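The ordering problem behind this panic, as an added userspace model (not the kernel's code and not part of the bug report): nf_tables keeps a per-chain use count that every rule jumping to that chain holds, and chain teardown checks that the count is zero. A table flush that frees each chain right after deleting that chain's own rules can free a chain that a later chain's jump rule still references; the linked fix reorders nft_flush_table to delete the rules of every chain before deleting any chain. The struct and function names below (table, chain, rule, flush_table_buggy, flush_table_fixed) are illustrative assumptions, and the kernel's BUG_ON on a still-referenced chain is modelled as a -1 return.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the chain "use" refcount and of the two
 * flush orders. Not kernel code; names and layout are assumptions. */

#define MAX_CHAINS 8
#define MAX_RULES  8

struct chain;

struct rule {
    struct chain *jump;   /* target of a jump/goto verdict, or NULL */
    int deleted;
};

struct chain {
    char name[16];
    unsigned int use;     /* rules (in any chain) that jump here */
    int freed;
    struct rule rules[MAX_RULES];
    int nrules;
};

struct table {
    struct chain chains[MAX_CHAINS];
    int nchains;          /* creation order, like the kernel's chain list */
};

struct chain *add_chain(struct table *t, const char *name)
{
    struct chain *c = &t->chains[t->nchains++];
    memset(c, 0, sizeof(*c));
    snprintf(c->name, sizeof(c->name), "%s", name);
    return c;
}

/* A rule that jumps to another chain takes a reference on that chain. */
void add_rule(struct chain *c, struct chain *jump)
{
    struct rule *r = &c->rules[c->nrules++];
    r->jump = jump;
    r->deleted = 0;
    if (jump)
        jump->use++;
}

/* Rule teardown drops the reference it holds on the jump target. */
static int del_rules(struct chain *c)
{
    for (int i = 0; i < c->nrules; i++) {
        struct rule *r = &c->rules[i];
        if (r->deleted)
            continue;
        if (r->jump) {
            if (r->jump->freed)
                return -1;   /* would be a use-after-free in the kernel */
            r->jump->use--;
        }
        r->deleted = 1;
    }
    return 0;
}

/* Chain teardown; a non-zero use count is the modelled BUG_ON. */
static int del_chain(struct chain *c)
{
    if (c->use > 0)
        return -1;
    c->freed = 1;
    return 0;
}

/* Pre-fix order: each chain is freed right after its own rules, so a chain
 * that a later chain's jump rule still references is freed while in use. */
int flush_table_buggy(struct table *t)
{
    for (int i = 0; i < t->nchains; i++) {
        if (del_rules(&t->chains[i]) < 0)
            return -1;
        if (del_chain(&t->chains[i]) < 0)
            return -1;
    }
    return 0;
}

/* Post-fix order: all rules of all chains first, then all chains, so no
 * chain is freed while any rule still references it. */
int flush_table_fixed(struct table *t)
{
    for (int i = 0; i < t->nchains; i++)
        if (del_rules(&t->chains[i]) < 0)
            return -1;
    for (int i = 0; i < t->nchains; i++)
        if (del_chain(&t->chains[i]) < 0)
            return -1;
    return 0;
}

/* Triggering layout (constructed): the jump target is created first, so it
 * sits earlier in the chain list than the chain whose rule jumps to it. */
void build_table(struct table *t)
{
    memset(t, 0, sizeof(*t));
    struct chain *helper = add_chain(t, "helper");
    struct chain *input = add_chain(t, "input");
    add_rule(helper, NULL);
    add_rule(input, helper);   /* "jump helper" */
}

int main(void)
{
    struct table t;

    build_table(&t);
    printf("buggy flush: %s\n",
           flush_table_buggy(&t) < 0 ? "chain freed while still in use" : "ok");
    build_table(&t);
    printf("fixed flush: %s\n",
           flush_table_fixed(&t) < 0 ? "chain freed while still in use" : "ok");
    return 0;
}
```

The model only needs two chains: the buggy loop reaches the helper chain first, finds its use count still at 1 because the input chain's jump rule has not been deleted yet, and fails; the fixed order drops that reference before any chain is torn down.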
bugbot adjusting priority
Michal, can you please take a look.
As nftables were added in mainline 3.13 and were not backported to SLE12, this should only affect openSUSE 13.2 (the fix is in 3.19-rc5 and Factory already has 3.19.3). I'll check if 13.2 is really affected and prepare a backport if it is.
After some unsuccessful attempts to reproduce the issue, I checked the code. Apparently the buggy code (and, actually, the ability to flush the entire table, not only the rules in it) wasn't added until v3.18-rc1. Therefore none of our kernels is currently vulnerable (master/stable are already fixed and released SLE/openSUSE kernels never were). Reassigning back to the Security team.
Is only upstream.