Bug 1202095 - (CVE-2022-2586) VUL-0: CVE-2022-2586: kernel-source: use-after-free with nf_tables cross-table reference
(CVE-2022-2586)
VUL-0: CVE-2022-2586: kernel-source: use-after-free with nf_tables cross-tabl...
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Michal Kubeček
Security Team bot
https://smash.suse.de/issue/338823/
CVSSv3.1:SUSE:CVE-2022-2586:6.7:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-08-03 09:06 UTC by Robert Frohl
Modified: 2022-12-01 14:19 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 7 Robert Frohl 2022-08-10 05:49:05 UTC
oss-security:

CVE-2022-2586 - Linux kernel nf_tables cross-table reference UAF

It was discovered that a nft object or expression could reference a nft set on
a different nft table, leading to a use-after-free once that table was deleted.

Team Orca of Sea Security (@seasecresponse) working with Trend Micro's Zero Day
Initiative discovered that this vulnerability could be exploited for Local
Privilege Escalation. This has been reported as ZDI-CAN-17470, and assigned
CVE-2022-2586.

This bug was introduced by commit 958bee14d071 ("netfilter: nf_tables: use new
transaction infrastructure to handle sets"), which is present since v3.16-rc1.

Exploiting it requires CAP_NET_ADMIN in any user or network namespace.

A PoC that will trigger KASAN is going to be posted in a week.

Fixes have been sent to netfilter-devel@vger.kernel.org and are at
https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo@canonical.com/T/#t.
Comment 8 Karasulli 2022-08-31 07:38:52 UTC
This bug seems to approach a good date for CVE SLA fulfillment [1].
What is its status, please?
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
Comment 10 Oscar Salvador 2022-09-27 03:43:22 UTC
A gentle ping from Kernel Security Sentinel: https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel

This security bug has been ignored for weeks.  Could you guys give an update (either fix or reassign-back)?  Thanks.
Comment 11 Michal Kubeček 2022-09-27 23:47:50 UTC
(In reply to Oscar Salvador from comment #10)
> This security bug has been ignored for weeks.

No, it has not been ignored.

The fix has been already merged into all 5.14 and 5.3 based branches. I'm
stuck with 4.12 based, though, as the table pointer is not available in
struct nft_set there yet (it was added later in an unrelated commit) and
adding it would break kABI. So I'm trying to find a way to either work around
the kABI breakage or to get the necessary information in a different way.
Comment 25 Swamp Workflow Management 2022-10-14 13:23:23 UTC
SUSE-SU-2022:3585-1: An update that solves 9 vulnerabilities, contains 12 features and has 38 fixes is now available.

Category: security (important)
Bug References: 1152472,1152489,1185032,1190497,1194023,1194869,1195917,1196444,1196869,1197659,1198189,1200622,1201309,1201310,1201987,1202095,1202960,1203039,1203066,1203101,1203197,1203263,1203338,1203360,1203361,1203389,1203410,1203505,1203552,1203664,1203693,1203699,1203701,1203767,1203769,1203794,1203798,1203893,1203902,1203906,1203908,1203933,1203935,1203939,1203969,1203987,1203992
CVE References: CVE-2022-1263,CVE-2022-2586,CVE-2022-3202,CVE-2022-3239,CVE-2022-3303,CVE-2022-39189,CVE-2022-41218,CVE-2022-41848,CVE-2022-41849
JIRA References: PED-387,PED-529,PED-652,PED-664,PED-682,PED-688,PED-720,PED-729,PED-755,PED-763,SLE-19924,SLE-24814
Sources used:
openSUSE Leap 15.4 (src):    kernel-azure-5.14.21-150400.14.16.1, kernel-source-azure-5.14.21-150400.14.16.1, kernel-syms-azure-5.14.21-150400.14.16.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    kernel-azure-5.14.21-150400.14.16.1, kernel-source-azure-5.14.21-150400.14.16.1, kernel-syms-azure-5.14.21-150400.14.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Swamp Workflow Management 2022-10-18 13:26:11 UTC
SUSE-SU-2022:3609-1: An update that solves 26 vulnerabilities, contains two features and has 89 fixes is now available.

Category: security (important)
Bug References: 1023051,1065729,1156395,1177471,1179722,1179723,1181862,1185032,1191662,1191667,1191881,1192594,1194023,1194272,1194535,1196444,1196616,1196867,1197158,1197659,1197755,1197756,1197757,1197760,1197763,1197920,1198971,1199255,1199291,1200084,1200313,1200431,1200622,1200845,1200868,1200869,1200870,1200871,1200872,1200873,1201019,1201309,1201310,1201420,1201442,1201489,1201610,1201645,1201705,1201726,1201865,1201948,1201990,1202095,1202096,1202097,1202154,1202341,1202346,1202347,1202385,1202393,1202396,1202447,1202577,1202636,1202672,1202677,1202701,1202708,1202709,1202710,1202711,1202712,1202713,1202714,1202715,1202716,1202717,1202718,1202720,1202722,1202745,1202756,1202810,1202811,1202860,1202895,1202898,1202960,1202984,1203063,1203098,1203107,1203116,1203117,1203135,1203136,1203137,1203159,1203313,1203389,1203410,1203424,1203552,1203622,1203737,1203769,1203906,1203909,1203933,1203935,1203939,1203987,1203992
CVE References: CVE-2016-3695,CVE-2020-16119,CVE-2020-27784,CVE-2020-36516,CVE-2021-4155,CVE-2021-4203,CVE-2022-20368,CVE-2022-20369,CVE-2022-2503,CVE-2022-2586,CVE-2022-2588,CVE-2022-26373,CVE-2022-2639,CVE-2022-2663,CVE-2022-2905,CVE-2022-2977,CVE-2022-3028,CVE-2022-3239,CVE-2022-3303,CVE-2022-36879,CVE-2022-39188,CVE-2022-39190,CVE-2022-41218,CVE-2022-41222,CVE-2022-41848,CVE-2022-41849
JIRA References: PED-529,SLE-24635
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.80.1, kernel-source-azure-5.3.18-150300.38.80.1, kernel-syms-azure-5.3.18-150300.38.80.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.80.1, kernel-source-azure-5.3.18-150300.38.80.1, kernel-syms-azure-5.3.18-150300.38.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2022-10-24 16:21:43 UTC
SUSE-SU-2022:3704-1: An update that solves 15 vulnerabilities, contains one feature and has three fixes is now available.

Category: security (important)
Bug References: 1177471,1199564,1200288,1201309,1201310,1202095,1202385,1202677,1202960,1203552,1203622,1203769,1203770,1203987,1203992,1204051,1204059,1204060
CVE References: CVE-2020-16119,CVE-2022-20008,CVE-2022-2503,CVE-2022-2586,CVE-2022-32296,CVE-2022-3239,CVE-2022-3303,CVE-2022-41218,CVE-2022-41222,CVE-2022-41674,CVE-2022-41848,CVE-2022-41849,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721
JIRA References: PED-529
Sources used:
SUSE Manager Server 4.1 (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-obs-build-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1
SUSE Manager Retail Branch Server 4.1 (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1
SUSE Manager Proxy 4.1 (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-obs-build-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-obs-build-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-150200.24.134.1, kernel-livepatch-SLE15-SP2_Update_31-1-150200.5.3.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-obs-build-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-obs-build-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-150200.24.134.1
SUSE Enterprise Storage 7 (src):    kernel-default-5.3.18-150200.24.134.1, kernel-default-base-5.3.18-150200.24.134.1.150200.9.63.2, kernel-docs-5.3.18-150200.24.134.1, kernel-obs-build-5.3.18-150200.24.134.1, kernel-preempt-5.3.18-150200.24.134.1, kernel-source-5.3.18-150200.24.134.1, kernel-syms-5.3.18-150200.24.134.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2022-10-26 14:14:19 UTC
SUSE-SU-2022:3775-1: An update that solves 17 vulnerabilities, contains one feature and has 29 fixes is now available.

Category: security (important)
Bug References: 1177471,1185032,1194023,1196444,1197659,1199564,1200313,1200622,1201309,1201310,1201489,1201645,1201865,1201990,1202095,1202341,1202385,1202677,1202960,1202984,1203159,1203290,1203313,1203389,1203410,1203424,1203514,1203552,1203622,1203737,1203769,1203770,1203906,1203909,1203935,1203939,1203987,1203992,1204051,1204059,1204060,1204125,1204289,1204290,1204291,1204292
CVE References: CVE-2020-16119,CVE-2022-20008,CVE-2022-2503,CVE-2022-2586,CVE-2022-3169,CVE-2022-3239,CVE-2022-3303,CVE-2022-40768,CVE-2022-41218,CVE-2022-41222,CVE-2022-41674,CVE-2022-41848,CVE-2022-41849,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721,CVE-2022-42722
JIRA References: PED-529
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-default-5.3.18-150300.59.98.1, kernel-default-base-5.3.18-150300.59.98.1.150300.18.56.3
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.98.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.98.1, kernel-64kb-5.3.18-150300.59.98.1, kernel-debug-5.3.18-150300.59.98.1, kernel-default-5.3.18-150300.59.98.1, kernel-default-base-5.3.18-150300.59.98.1.150300.18.56.3, kernel-docs-5.3.18-150300.59.98.1, kernel-kvmsmall-5.3.18-150300.59.98.1, kernel-obs-build-5.3.18-150300.59.98.1, kernel-obs-qa-5.3.18-150300.59.98.1, kernel-preempt-5.3.18-150300.59.98.1, kernel-source-5.3.18-150300.59.98.1, kernel-syms-5.3.18-150300.59.98.1, kernel-zfcpdump-5.3.18-150300.59.98.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.98.1, kernel-preempt-5.3.18-150300.59.98.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.98.1, kernel-livepatch-SLE15-SP3_Update_25-1-150300.7.5.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.98.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.98.1, kernel-obs-build-5.3.18-150300.59.98.1, kernel-preempt-5.3.18-150300.59.98.1, kernel-source-5.3.18-150300.59.98.1, kernel-syms-5.3.18-150300.59.98.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.98.1, kernel-default-5.3.18-150300.59.98.1, kernel-default-base-5.3.18-150300.59.98.1.150300.18.56.3, kernel-preempt-5.3.18-150300.59.98.1, kernel-source-5.3.18-150300.59.98.1, kernel-zfcpdump-5.3.18-150300.59.98.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.98.1, kernel-default-base-5.3.18-150300.59.98.1.150300.18.56.3
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.98.1, kernel-default-base-5.3.18-150300.59.98.1.150300.18.56.3
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.98.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2022-10-31 14:29:31 UTC
SUSE-SU-2022:3809-1: An update that solves 32 vulnerabilities, contains two features and has 84 fixes is now available.

Category: security (important)
Bug References: 1023051,1065729,1152489,1156395,1177471,1179722,1179723,1181862,1185032,1191662,1191667,1191881,1192594,1194023,1194272,1194535,1196444,1197158,1197659,1197755,1197756,1197757,1197760,1197763,1197920,1198971,1199291,1200288,1200313,1200431,1200622,1200845,1200868,1200869,1200870,1200871,1200872,1200873,1201019,1201309,1201310,1201420,1201489,1201610,1201705,1201726,1201865,1201948,1201990,1202095,1202096,1202097,1202341,1202346,1202347,1202385,1202393,1202396,1202447,1202577,1202636,1202638,1202672,1202677,1202701,1202708,1202709,1202710,1202711,1202712,1202713,1202714,1202715,1202716,1202717,1202718,1202720,1202722,1202745,1202756,1202810,1202811,1202860,1202895,1202898,1202960,1202984,1203063,1203098,1203107,1203117,1203135,1203136,1203137,1203159,1203290,1203389,1203410,1203424,1203514,1203552,1203622,1203737,1203769,1203770,1203802,1203906,1203909,1203935,1203939,1203987,1203992,1204051,1204059,1204060,1204125
CVE References: CVE-2016-3695,CVE-2020-16119,CVE-2020-27784,CVE-2021-4155,CVE-2021-4203,CVE-2022-20368,CVE-2022-20369,CVE-2022-2503,CVE-2022-2586,CVE-2022-2588,CVE-2022-26373,CVE-2022-2663,CVE-2022-2905,CVE-2022-2977,CVE-2022-3028,CVE-2022-3169,CVE-2022-32296,CVE-2022-3239,CVE-2022-3303,CVE-2022-36879,CVE-2022-39188,CVE-2022-39190,CVE-2022-40768,CVE-2022-41218,CVE-2022-41222,CVE-2022-41674,CVE-2022-41848,CVE-2022-41849,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721,CVE-2022-42722
JIRA References: PED-529,SLE-24635
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-rt-5.3.18-150300.106.1
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.106.1, kernel-rt_debug-5.3.18-150300.106.1, kernel-source-rt-5.3.18-150300.106.1, kernel-syms-rt-5.3.18-150300.106.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-rt-5.3.18-150300.106.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.106.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Swamp Workflow Management 2022-11-01 23:22:55 UTC
SUSE-SU-2022:3844-1: An update that solves 15 vulnerabilities, contains 12 features and has 33 fixes is now available.

Category: security (important)
Bug References: 1185032,1190497,1194023,1194869,1195917,1196444,1196869,1197659,1198189,1200288,1200622,1201309,1201310,1201987,1202095,1202960,1203039,1203066,1203101,1203197,1203263,1203338,1203360,1203361,1203389,1203410,1203505,1203552,1203664,1203693,1203699,1203767,1203769,1203770,1203794,1203798,1203893,1203902,1203906,1203908,1203935,1203939,1203987,1203992,1204051,1204059,1204060,1204125
CVE References: CVE-2022-1263,CVE-2022-2586,CVE-2022-3202,CVE-2022-32296,CVE-2022-3239,CVE-2022-3303,CVE-2022-39189,CVE-2022-41218,CVE-2022-41674,CVE-2022-41848,CVE-2022-41849,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721,CVE-2022-42722
JIRA References: PED-387,PED-529,PED-652,PED-664,PED-682,PED-688,PED-720,PED-729,PED-755,PED-763,SLE-19924,SLE-24814
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.14.21-150400.24.28.1, kernel-64kb-5.14.21-150400.24.28.1, kernel-debug-5.14.21-150400.24.28.1, kernel-default-5.14.21-150400.24.28.1, kernel-default-base-5.14.21-150400.24.28.1.150400.24.9.5, kernel-docs-5.14.21-150400.24.28.1, kernel-kvmsmall-5.14.21-150400.24.28.1, kernel-obs-build-5.14.21-150400.24.28.1, kernel-obs-qa-5.14.21-150400.24.28.1, kernel-source-5.14.21-150400.24.28.1, kernel-syms-5.14.21-150400.24.28.1, kernel-zfcpdump-5.14.21-150400.24.28.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    kernel-default-5.14.21-150400.24.28.1
SUSE Linux Enterprise Module for Live Patching 15-SP4 (src):    kernel-default-5.14.21-150400.24.28.1, kernel-livepatch-SLE15-SP4_Update_4-1-150400.9.3.5
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    kernel-default-5.14.21-150400.24.28.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    kernel-docs-5.14.21-150400.24.28.1, kernel-obs-build-5.14.21-150400.24.28.1, kernel-source-5.14.21-150400.24.28.1, kernel-syms-5.14.21-150400.24.28.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    kernel-64kb-5.14.21-150400.24.28.1, kernel-default-5.14.21-150400.24.28.1, kernel-default-base-5.14.21-150400.24.28.1.150400.24.9.5, kernel-source-5.14.21-150400.24.28.1, kernel-zfcpdump-5.14.21-150400.24.28.1
SUSE Linux Enterprise Micro 5.3 (src):    kernel-default-5.14.21-150400.24.28.1, kernel-default-base-5.14.21-150400.24.28.1.150400.24.9.5
SUSE Linux Enterprise High Availability 15-SP4 (src):    kernel-default-5.14.21-150400.24.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.