Bug 1196299 - (CVE-2022-25636) VUL-0: CVE-2022-25636: kernel-source-rt,kernel-source-azure,kernel-source: heap out of bounds write in nf_dup_netdev.c
(CVE-2022-25636)
VUL-0: CVE-2022-25636: kernel-source-rt,kernel-source-azure,kernel-source: he...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P1 - Urgent : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/324487/
CVSSv3.1:SUSE:CVE-2022-25636:7.8:(AV:...
:
Depends on:
Blocks: 1196301
  Show dependency treegraph
 
Reported: 2022-02-22 15:20 UTC by Carlos López
Modified: 2022-07-21 20:31 UTC (History)
11 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2022-02-22 15:20:02 UTC
rh#2056830

An out-of-bounds (OOB) memory access flaw was found in nft_fwd_dup_netdev_offload in net/netfilter/nf_dup_netdev.c in netfilter subcomponent in the Linux kernel due to a heap out of bounds write problem. In this flaw, an attacker with a user account on the system to gain access to out-of-bounds memory leads to a system crash or a privilege escalation threat.

References:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=b1a5983f56e371046dcf164f90bfaf704d2b89f6
https://www.openwall.com/lists/oss-security/2022/02/21/2
https://bugzilla.redhat.com/show_bug.cgi?id=2056830
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25636
http://seclists.org/oss-sec/2022/q1/153
Comment 1 Carlos López 2022-02-22 15:23:06 UTC
Affected branches:
 - master
 - stable
 - SLE15-SP4-GA
 - SLE15-SP3

The fix has not been merged to the upstream kernel yet.
Comment 4 Alexander Bergmann 2022-03-16 07:43:09 UTC
According to the oss-security post [1] and NIST page [2] this is only affecting kernel 5.4 through 5.6.10. Therefore only SLE-15-SP4 is/was affected.

[1] https://www.openwall.com/lists/oss-security/2022/02/21/2
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25636
Comment 5 Marcus Meissner 2022-03-16 07:59:30 UTC
Buggy patch was backported to 15-sp3:

SLE15-SP3 branch:

grep -r be2861dc36d7 patches*

patches.suse/netfilter-nft_-fwd-dup-_netdev-add-offload-support.patch:Git-commit: be2861dc36d77ff3778979b9c3c79ada4affa131
Comment 6 Thomas Bogendoerfer 2022-03-16 08:48:18 UTC
The fix is now present in

SLE15-SP3            30b89a9c7b13
SLE15-SP4-GA         f8ec61386efc

No other branches are affected

Reassigning back to the security team.
Comment 15 Swamp Workflow Management 2022-03-30 13:21:15 UTC
SUSE-SU-2022:1039-1: An update that solves 22 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1194943,1195051,1195211,1195254,1195353,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196130,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196488,1196627,1196723,1196779,1196830,1196836,1196866,1196868,1196956,1196959
CVE References: CVE-2021-0920,CVE-2021-39657,CVE-2021-39698,CVE-2021-44879,CVE-2021-45402,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490,CVE-2022-26966
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.60.4, kernel-preempt-5.3.18-150300.59.60.4
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.60.4, kernel-livepatch-SLE15-SP3_Update_16-1-150300.7.5.3
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.60.4
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.60.4, kernel-obs-build-5.3.18-150300.59.60.4, kernel-preempt-5.3.18-150300.59.60.4, kernel-source-5.3.18-150300.59.60.4, kernel-syms-5.3.18-150300.59.60.4
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.60.4, kernel-default-5.3.18-150300.59.60.4, kernel-default-base-5.3.18-150300.59.60.4.150300.18.37.5, kernel-preempt-5.3.18-150300.59.60.4, kernel-source-5.3.18-150300.59.60.4, kernel-zfcpdump-5.3.18-150300.59.60.4
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.60.4, kernel-default-base-5.3.18-150300.59.60.4.150300.18.37.5
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.60.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-03-30 13:25:47 UTC
SUSE-SU-2022:1038-1: An update that solves 24 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193787,1194516,1194943,1195051,1195211,1195353,1195403,1195516,1195612,1195897,1195908,1195947,1195949,1195987,1196079,1196095,1196130,1196155,1196299,1196301,1196403,1196468,1196472,1196488,1196627,1196723,1196776,1196779,1196830,1196866,1196868,1197300,922815,998635
CVE References: CVE-2021-0920,CVE-2021-39698,CVE-2021-44879,CVE-2021-45402,CVE-2022-0487,CVE-2022-0492,CVE-2022-0516,CVE-2022-0617,CVE-2022-0644,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490,CVE-2022-26966,CVE-2022-27223
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.82.1, kernel-rt_debug-5.3.18-150300.82.1, kernel-source-rt-5.3.18-150300.82.1, kernel-syms-rt-5.3.18-150300.82.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-03-30 13:32:06 UTC
openSUSE-SU-2022:1039-1: An update that solves 22 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1194943,1195051,1195211,1195254,1195353,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196130,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196488,1196627,1196723,1196779,1196830,1196836,1196866,1196868,1196956,1196959
CVE References: CVE-2021-0920,CVE-2021-39657,CVE-2021-39698,CVE-2021-44879,CVE-2021-45402,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490,CVE-2022-26966
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.60.4, kernel-preempt-5.3.18-150300.59.60.4
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.60.4, kernel-64kb-5.3.18-150300.59.60.4, kernel-debug-5.3.18-150300.59.60.4, kernel-default-5.3.18-150300.59.60.4, kernel-default-base-5.3.18-150300.59.60.4.150300.18.37.5, kernel-docs-5.3.18-150300.59.60.4, kernel-kvmsmall-5.3.18-150300.59.60.4, kernel-obs-build-5.3.18-150300.59.60.4, kernel-obs-qa-5.3.18-150300.59.60.4, kernel-preempt-5.3.18-150300.59.60.4, kernel-source-5.3.18-150300.59.60.4, kernel-syms-5.3.18-150300.59.60.4, kernel-zfcpdump-5.3.18-150300.59.60.4
Comment 18 Swamp Workflow Management 2022-03-30 13:36:07 UTC
openSUSE-SU-2022:1037-1: An update that solves 12 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1195211,1195254,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196627,1196723,1196779,1196830,1196836,1196866,1196868
CVE References: CVE-2021-0920,CVE-2021-39657,CVE-2021-44879,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.50.1, kernel-source-azure-5.3.18-150300.38.50.1, kernel-syms-azure-5.3.18-150300.38.50.1
Comment 19 Swamp Workflow Management 2022-03-30 13:40:48 UTC
SUSE-SU-2022:1037-1: An update that solves 12 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1195211,1195254,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196627,1196723,1196779,1196830,1196836,1196866,1196868
CVE References: CVE-2021-0920,CVE-2021-39657,CVE-2021-44879,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.50.1, kernel-source-azure-5.3.18-150300.38.50.1, kernel-syms-azure-5.3.18-150300.38.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Carlos López 2022-06-08 13:12:21 UTC
Done.