Bug 1197131 - (CVE-2022-27666) VUL-0: CVE-2022-27666: kernel: buffer overflow in IPsec ESP transformation code
Status: RESOLVED FIXED
Duplicates: 1197462
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/326065/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-0886:7.5:(AV:N...
Blocks: 1197133
Reported: 2022-03-15 13:27 UTC by Alexander Bergmann
Modified: 2022-04-22 16:06 UTC (History)
Found By: Security Response Team


Description Alexander Bergmann 2022-03-15 13:27:02 UTC
rh#2061633

Identified a buffer overflow vulnerability in IPsec ESP transformation code.

Upstream commit:
https://github.com/torvalds/linux/commit/ebe48d368e97d007bfeb76fcb065d6cfc4c96645

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2061633
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0886
Comment 1 Vlastimil Babka 2022-03-16 18:49:57 UTC
Given the recent mail from Marcus, with score 7.5 shouldn't this go to 15-SP4-GA kernel?
Comment 2 Vlastimil Babka 2022-03-16 21:59:17 UTC
(In reply to Vlastimil Babka from comment #1)
> Given the recent mail from Marcus, with score 7.5 shouldn't this go to
> 15-SP4-GA kernel?

Michal resubmitted to GA, I merged.
Comment 4 Thomas Leroy 2022-03-24 09:32:35 UTC
*** Bug 1197462 has been marked as a duplicate of this bug. ***
Comment 6 Denis Kirjanov 2022-03-30 13:13:42 UTC
Affected branches are:
cve/linux-5.3
cve/linux-4.12

Patch has been backported, re-assigning back to security team
Comment 7 Gianluca Gabrielli 2022-03-30 13:24:35 UTC
done
Comment 8 Sean Stanton 2022-04-04 13:17:03 UTC
I have a customer asking about this CVE vulnerability. Our public cve web page shows that SLES 12 SP5 and SLES 15 SP2 and SP3 are affected, but there is no mention there of when a fix for those versions might be available. Is there any estimate of when the fixes will be available for those versions?
Comment 9 Denis Kirjanov 2022-04-04 13:24:01 UTC
(In reply to Sean Stanton from comment #8)
> I have a customer asking about this CVE vulnerability. Our public cve web
> page shows that SLES 12 SP5 and SLES 15 SP2 and SP3 are affected, but there
> is no mention there of when a fix for those versions might be available. Is
> there any estimate of when the fixes will be available for those versions?

The fix should be released on the next MU:
Release Target Date: 12 Apr 2022
Comment 10 Sean Stanton 2022-04-04 13:31:09 UTC
(In reply to Denis Kirjanov from comment #9)
> (In reply to Sean Stanton from comment #8)
> > I have a customer asking about this CVE vulnerability. Our public cve web
> > page shows that SLES 12 SP5 and SLES 15 SP2 and SP3 are affected, but there
> > is no mention there of when a fix for those versions might be available. Is
> > there any estimate of when the fixes will be available for those versions?
> 
> The fix should be released on the next MU:
> Release Target Date: 12 Apr 2022

Thanks. The customer is also asking if disabling user namespaces as per the recommended workaround by Red Hat at the link below is recommended/supported by us until the MU is available:

https://access.redhat.com/security/cve/CVE-2022-27666
Comment 11 Denis Kirjanov 2022-04-05 12:19:57 UTC
(In reply to Sean Stanton from comment #10)
> (In reply to Denis Kirjanov from comment #9)
> > (In reply to Sean Stanton from comment #8)
> > > I have a customer asking about this CVE vulnerability. Our public cve web
> > > page shows that SLES 12 SP5 and SLES 15 SP2 and SP3 are affected, but there
> > > is no mention there of when a fix for those versions might be available. Is
> > > there any estimate of when the fixes will be available for those versions?
> > 
> > The fix should be released on the next MU:
> > Release Target Date: 12 Apr 2022
> 
> Thanks. The customer is also asking if disabling user namespaces as per the
> recommended workaround by Red Hat at the link below is recommended/supported
> by us until the MU is available:
> 
> https://access.redhat.com/security/cve/CVE-2022-27666

the exploit found [0] uses unshare(CLONE_NEWNS|CLONE_NEWUSER);
and FUSE to exploit the vulnerability

[0] https://github.com/plummm/CVE-2022-27666/blob/main/poc.c
Comment 12 Sean Stanton 2022-04-05 12:27:54 UTC
(In reply to Denis Kirjanov from comment #11)
> (In reply to Sean Stanton from comment #10)
> > (In reply to Denis Kirjanov from comment #9)
> > > (In reply to Sean Stanton from comment #8)
> > > > I have a customer asking about this CVE vulnerability. Our public cve web
> > > > page shows that SLES 12 SP5 and SLES 15 SP2 and SP3 are affected, but there
> > > > is no mention there of when a fix for those versions might be available. Is
> > > > there any estimate of when the fixes will be available for those versions?
> > > 
> > > The fix should be release on the next MU:
> > > Release Target Date: 12 Apr 2022
> > 
> > Thanks. The customer is also asking if disabling user namespaces as per the
> > recommended workaround by Red Hat at the link below is recommended/supported
> > by us until the MU is available:
> > 
> > https://access.redhat.com/security/cve/CVE-2022-27666
> 
> the exploit found [0] uses unshare(CLONE_NEWNS|CLONE_NEWUSER);
> and FUSE to exploit the vulnerability
> 
> [0] https://github.com/plummm/CVE-2022-27666/blob/main/poc.c

Sorry, I am not a developer. Is that a "yes" or a "no" to my question?
Comment 13 Marcus Meissner 2022-04-05 12:30:34 UTC
Yes, the disable user namespaces workaround will also work on SUSE.
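As an added illustration (not part of this bug, and not SUSE or Red Hat tooling), a POSIX shell helper that checks whether the "disable user namespaces" workaround confirmed in comment 13 is in effect on a host and writes the sysctl drop-in that applies it. It assumes the workaround is expressed as user.max_user_namespaces = 0 (a sysctl present in mainline since 4.9, so in the 4.12 and 5.3 branches named in comment 6); the proc root, output directory and drop-in file name are assumptions chosen so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not part of the bug report or of SUSE/Red Hat tooling.
# Checks and applies the "disable user namespaces" workaround through the
# user.max_user_namespaces sysctl. Proc root and output directory are
# parameters so the functions can be exercised against constructed files.

# Print the effective limit, or "missing" if the kernel does not expose it.
userns_limit() {
    f="${1:-/proc}/sys/user/max_user_namespaces"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

# 0 = unprivileged user namespace creation blocked (limit 0),
# 1 = allowed, 2 = sysctl absent, so nothing can be concluded from it.
userns_workaround_active() {
    case "$(userns_limit "$1")" in
        0)       return 0 ;;
        missing) return 2 ;;
        *)       return 1 ;;
    esac
}

# Write the sysctl drop-in (file name is constructed); on a live host use
# /etc/sysctl.d and then run "sysctl --system" to load it. Prints the path.
write_userns_dropin() {
    out="${1:-/etc/sysctl.d}/99-cve-2022-27666-userns.conf"
    printf '# CVE-2022-27666 workaround: block unprivileged user namespaces\n' > "$out" || return 1
    printf 'user.max_user_namespaces = 0\n' >> "$out" || return 1
    echo "$out"
}

# Runtime confirmation independent of the sysctl value: as an unprivileged
# user, util-linux "unshare -U true" must fail once the workaround is active.
userns_runtime_blocked() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run as an unprivileged user for a meaningful result" >&2
        return 2
    fi
    if unshare -U true 2>/dev/null; then return 1; else return 0; fi
}

if [ "${1:-}" = "--check" ]; then
    echo "user.max_user_namespaces = $(userns_limit)"
    if userns_workaround_active; then echo "workaround active"
    else echo "workaround NOT active (rc=$?)"; fi
fi
```

Setting the limit to 0 also breaks rootless containers and other tools that create user namespaces, so treat it as a stopgap until the MU kernel is installed.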
Comment 14 Sean Stanton 2022-04-05 12:38:50 UTC
(In reply to Marcus Meissner from comment #13)
> Yes, the disable user namespaces workaround will also work on SUSE.

Thank you.
Comment 20 Gianluca Gabrielli 2022-04-06 09:27:52 UTC
Mitre rejected CVE-2022-0886 and used CVE-2022-27666
Comment 32 Swamp Workflow Management 2022-04-19 13:30:07 UTC
SUSE-SU-2022:1255-1: An update that solves 20 vulnerabilities, contains one feature and has three fixes is now available.

Category: security (important)
Bug References: 1189562,1194943,1195051,1195353,1196018,1196114,1196468,1196488,1196514,1196639,1196761,1196830,1196836,1196942,1196973,1197131,1197227,1197331,1197366,1197391,1198031,1198032,1198033
CVE References: CVE-2021-39713,CVE-2021-45868,CVE-2022-0812,CVE-2022-0850,CVE-2022-0886,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: SLE-18234
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    kernel-default-4.12.14-150000.150.89.1, kernel-docs-4.12.14-150000.150.89.1, kernel-obs-build-4.12.14-150000.150.89.1, kernel-source-4.12.14-150000.150.89.1, kernel-syms-4.12.14-150000.150.89.1, kernel-vanilla-4.12.14-150000.150.89.1
SUSE Linux Enterprise Server 15-LTSS (src):    kernel-default-4.12.14-150000.150.89.1, kernel-docs-4.12.14-150000.150.89.1, kernel-obs-build-4.12.14-150000.150.89.1, kernel-source-4.12.14-150000.150.89.1, kernel-syms-4.12.14-150000.150.89.1, kernel-vanilla-4.12.14-150000.150.89.1, kernel-zfcpdump-4.12.14-150000.150.89.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-150000.150.89.1, kernel-livepatch-SLE15_Update_29-1-150000.1.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    kernel-default-4.12.14-150000.150.89.1, kernel-docs-4.12.14-150000.150.89.1, kernel-obs-build-4.12.14-150000.150.89.1, kernel-source-4.12.14-150000.150.89.1, kernel-syms-4.12.14-150000.150.89.1, kernel-vanilla-4.12.14-150000.150.89.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    kernel-default-4.12.14-150000.150.89.1, kernel-docs-4.12.14-150000.150.89.1, kernel-obs-build-4.12.14-150000.150.89.1, kernel-source-4.12.14-150000.150.89.1, kernel-syms-4.12.14-150000.150.89.1, kernel-vanilla-4.12.14-150000.150.89.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150000.150.89.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.