Bug 1200015 - (CVE-2022-32250) VUL-0: CVE-2022-32250: kernel: use-after-free in the netfilter subsystem
Status: RESOLVED FIXED
Duplicates: 1200494
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/333177/
CVSSv3.1:SUSE:CVE-2022-1966:7.8:(AV:L...
Blocks: 1200268
Reported: 2022-05-30 07:49 UTC by Carlos López
Modified: 2022-09-08 15:54 UTC (History)
Description Carlos López 2022-05-30 07:49:52 UTC
Date: Thu, 26 May 2022 08:46:48 +0000

Hello,

We reported a security issue within the Linux kernel netfilter subsystem to
security@kernel.org on the 24th of May. We are now sending a copy of the details to
linux-distros to allow the distros to determine if they are affected.

I understand the issue can be embargoed until the 31st of May (1 week after reporting)
which also fits this list's requirements.

The netfilter maintainers have produced a patch and I believe it may be possible
for this patch to make it into a networking fixes pull later this week.

Have cc'd in security@kernel.org and Pablo Neira Ayuso from netfilter to comment
if this will be appropriate.

Can I also please request a CVE?

A copy of what was sent to security.org is as follows (however, POC code inline at
bottom of this email not attached):

The attached poc code triggers a use-after-free write within the netfilter
subsystem which can be exploited to achieve privilege escalation to root.

In order to trigger the issue it requires the ability to create user/net
namespaces.

The issue has been confirmed on the latest linux master (commit
143a6252e1b8ab424b4b293512a97cca7295c182) and we have confirmed it can be
exploited for privilege escalation on Ubuntu 22.04 (Linux kernel
5.15.0-27-generic).

# Technical Vulnerability Details

The bug is related to the failure to remove an expression from a set's bindings
list before destroying the expression. This specifically happens when specific
expressions that are not marked with the NFT_EXPR_STATEFUL flag are supplied as
a subexpression in a NFT_MSG_NEWSET command. We found that both the lookup and
dynset expressions will be added to a set's binding linked list upon
initialisation, but after the expression is detected as not being stateful, it
is destroyed without properly calling a function like nf_tables_unbind_set().
We found that this affects multiple expressions, at least the lookup and dynset
expressions.

This creates a state where any subsequent use of the set binding list, such
as expression addition or removal, will end up writing a link pointer address
into a slab object that has already been freed, and possibly reallocated.

## KASAN Output

```
[   85.431824] ==================================================================
[   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
[   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
[   85.434756]
[   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2
[   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
[   85.437228] Call Trace:
[   85.437594]  <TASK>
[   85.437919]  dump_stack_lvl+0x49/0x5f
[   85.438470]  print_report.cold+0x5e/0x5cf
[   85.439073]  ? __cpuidle_text_end+0x4/0x4
[   85.439655]  ? nf_tables_bind_set+0x81b/0xa20
[   85.440286]  kasan_report+0xaa/0x120
[   85.440809]  ? delay_halt_mwaitx+0x31/0x50
[   85.441392]  ? nf_tables_bind_set+0x81b/0xa20
[   85.442022]  __asan_report_store8_noabort+0x17/0x20
[   85.442725]  nf_tables_bind_set+0x81b/0xa20
[   85.443338]  ? nft_set_elem_expr_destroy+0x2a0/0x2a0
[   85.444051]  ? nla_strcmp+0xa8/0xe0
[   85.444520]  ? nft_set_lookup_global+0x88/0x360
[   85.445157]  nft_lookup_init+0x463/0x620
[   85.445710]  nft_expr_init+0x13a/0x2a0
[   85.446242]  ? nft_obj_del+0x210/0x210
[   85.446778]  ? __kasan_check_write+0x14/0x20
[   85.447395]  ? rhashtable_init+0x326/0x6d0
[   85.447974]  ? __rcu_read_unlock+0xde/0x100
[   85.448565]  ? nft_rhash_init+0x213/0x2f0
[   85.449129]  ? nft_rhash_gc_init+0xb0/0xb0
[   85.449717]  ? nf_tables_newset+0x1646/0x2e40
[   85.450359]  ? jhash+0x630/0x630
[   85.450838]  nft_set_elem_expr_alloc+0x24/0x210
[   85.451507]  nf_tables_newset+0x1b3f/0x2e40
[   85.452124]  ? rcu_preempt_deferred_qs_irqrestore+0x579/0xa70
[   85.452948]  ? nft_set_elem_expr_alloc+0x210/0x210
[   85.453636]  ? delay_tsc+0x94/0xc0
[   85.454161]  nfnetlink_rcv_batch+0xeb4/0x1fd0
[   85.454808]  ? nfnetlink_rcv_msg+0x980/0x980
[   85.455444]  ? stack_trace_save+0x94/0xc0
[   85.456036]  ? filter_irq_stacks+0x90/0x90
[   85.456639]  ? __const_udelay+0x62/0x80
[   85.457206]  ? _raw_spin_lock_irqsave+0x99/0xf0
[   85.457864]  ? nla_get_range_signed+0x350/0x350
[   85.458528]  ? security_capable+0x5f/0xa0
[   85.459128]  nfnetlink_rcv+0x2f0/0x3b0
[   85.459669]  ? nfnetlink_rcv_batch+0x1fd0/0x1fd0
[   85.460327]  ? rcu_read_unlock_special+0x52/0x3b0
[   85.461000]  netlink_unicast+0x5ec/0x890
[   85.461563]  ? netlink_attachskb+0x750/0x750
[   85.462169]  ? __kasan_check_read+0x11/0x20
[   85.462766]  ? __check_object_size+0x226/0x3a0
[   85.463408]  netlink_sendmsg+0x830/0xd10
[   85.463968]  ? netlink_unicast+0x890/0x890
[   85.464552]  ? apparmor_socket_sendmsg+0x3d/0x50
[   85.465206]  ? netlink_unicast+0x890/0x890
[   85.465792]  sock_sendmsg+0xec/0x120
[   85.466303]  __sys_sendto+0x1e2/0x2e0
[   85.466821]  ? __ia32_sys_getpeername+0xb0/0xb0
[   85.467470]  ? alloc_file_pseudo+0x184/0x270
[   85.468070]  ? perf_callchain_user+0x60/0xa60
[   85.468683]  ? preempt_count_add+0x7f/0x170
[   85.469280]  ? fd_install+0x14f/0x330
[   85.469800]  ? __sys_socket+0x166/0x200
[   85.470342]  ? __sys_socket_file+0x1c0/0x1c0
[   85.470940]  ? debug_smp_processor_id+0x17/0x20
[   85.471583]  ? fpregs_assert_state_consistent+0x4e/0xb0
[   85.472308]  __x64_sys_sendto+0xe0/0x1a0
[   85.472854]  ? do_syscall_64+0x69/0x80
[   85.473379]  do_syscall_64+0x5c/0x80
[   85.473878]  ? fpregs_restore_userregs+0xf3/0x200
[   85.474532]  ? switch_fpu_return+0xe/0x10
[   85.475099]  ? exit_to_user_mode_prepare+0x140/0x170
[   85.475791]  ? irqentry_exit_to_user_mode+0x9/0x20
[   85.476465]  ? irqentry_exit+0x33/0x40
[   85.476991]  ? exc_page_fault+0x72/0xe0
[   85.477524]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   85.478219] RIP: 0033:0x45c66a
[   85.478648] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[   85.481183] RSP: 002b:00007ffd091bfee8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   85.482214] RAX: ffffffffffffffda RBX: 0000000000000174 RCX: 000000000045c66a
[   85.483190] RDX: 0000000000000174 RSI: 00007ffd091bfef0 RDI: 0000000000000003
[   85.484162] RBP: 00007ffd091c23b0 R08: 00000000004a94c8 R09: 000000000000000c
[   85.485128] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd091c1ef0
[   85.486094] R13: 0000000000000004 R14: 0000000000002000 R15: 0000000000000000
[   85.487076]  </TASK>
[   85.487388]
[   85.487608] Allocated by task 776:
[   85.488082]  kasan_save_stack+0x26/0x50
[   85.488614]  __kasan_kmalloc+0x88/0xa0
[   85.489131]  __kmalloc+0x1b9/0x370
[   85.489602]  nft_expr_init+0xcd/0x2a0
[   85.490109]  nft_set_elem_expr_alloc+0x24/0x210
[   85.490731]  nf_tables_newset+0x1b3f/0x2e40
[   85.491314]  nfnetlink_rcv_batch+0xeb4/0x1fd0
[   85.491912]  nfnetlink_rcv+0x2f0/0x3b0
[   85.492429]  netlink_unicast+0x5ec/0x890
[   85.492985]  netlink_sendmsg+0x830/0xd10
[   85.493528]  sock_sendmsg+0xec/0x120
[   85.494035]  __sys_sendto+0x1e2/0x2e0
[   85.494545]  __x64_sys_sendto+0xe0/0x1a0
[   85.495109]  do_syscall_64+0x5c/0x80
[   85.495630]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   85.496292]
[   85.496479] Freed by task 776:
[   85.496846]  kasan_save_stack+0x26/0x50
[   85.497351]  kasan_set_track+0x25/0x30
[   85.497893]  kasan_set_free_info+0x24/0x40
[   85.498489]  __kasan_slab_free+0x110/0x170
[   85.499103]  kfree+0xa7/0x310
[   85.499548]  nft_set_elem_expr_alloc+0x1b3/0x210
[   85.500219]  nf_tables_newset+0x1b3f/0x2e40
[   85.500822]  nfnetlink_rcv_batch+0xeb4/0x1fd0
[   85.501449]  nfnetlink_rcv+0x2f0/0x3b0
[   85.501990]  netlink_unicast+0x5ec/0x890
[   85.502558]  netlink_sendmsg+0x830/0xd10
[   85.503133]  sock_sendmsg+0xec/0x120
[   85.503655]  __sys_sendto+0x1e2/0x2e0
[   85.504194]  __x64_sys_sendto+0xe0/0x1a0
[   85.504779]  do_syscall_64+0x5c/0x80
[   85.505330]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   85.506095]
[   85.506325] The buggy address belongs to the object at ffff8880286f0e80
[   85.506325]  which belongs to the cache kmalloc-cg-64 of size 64
[   85.508152] The buggy address is located 24 bytes inside of
[   85.508152]  64-byte region [ffff8880286f0e80, ffff8880286f0ec0)
[   85.509845]
[   85.510095] The buggy address belongs to the physical page:
[   85.510962] page:000000008955c452 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880286f0080 pfn:0x286f0
[   85.512566] memcg:ffff888054617c01
[   85.513079] flags: 0xffe00000000200(slab|node=0|zone=1|lastcpupid=0x3ff)
[   85.514070] raw: 00ffe00000000200 0000000000000000 dead000000000122 ffff88801b842780
[   85.515251] raw: ffff8880286f0080 000000008020001d 00000001ffffffff ffff888054617c01
[   85.516421] page dumped because: kasan: bad access detected
[   85.517264]
[   85.517505] Memory state around the buggy address:
[   85.518231]  ffff8880286f0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.519321]  ffff8880286f0e00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.520392] >ffff8880286f0e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.521456]                             ^
[   85.522050]  ffff8880286f0f00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   85.523125]  ffff8880286f0f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   85.524200] ==================================================================
[   85.525364] Disabling lock debugging due to kernel taint
[   85.534106] ------------[ cut here ]------------
[   85.534874] WARNING: CPU: 1 PID: 776 at net/netfilter/nf_tables_api.c:4592 nft_set_destroy+0x343/0x460
[   85.536269] Modules linked in:
[   85.536741] CPU: 1 PID: 776 Comm: poc Tainted: G    B   W         5.18.0+ #2
[   85.537792] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
[   85.539080] RIP: 0010:nft_set_destroy+0x343/0x460
[   85.539774] Code: 3c 02 00 0f 85 26 01 00 00 49 8b 7c 24 30 e8 94 f0 ee f1 4c 89 e7 e8 ec b0 da f1 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 8b 7d b0 e8
[   85.542475] RSP: 0018:ffff88805911f4f8 EFLAGS: 00010202
[   85.543282] RAX: 0000000000000002 RBX: dead000000000122 RCX: ffff88805911f508
[   85.544291] RDX: 0000000000000000 RSI: ffff888052ab1800 RDI: ffff888052ab1864
[   85.545331] RBP: ffff88805911f550 R08: ffff8880286ce908 R09: 0000000000000000
[   85.546371] R10: ffffed100b223e56 R11: 0000000000000001 R12: ffff888052ab1800
[   85.547447] R13: ffff8880286ce900 R14: dffffc0000000000 R15: ffff8880286ce780
[   85.548487] FS:  00000000018293c0(0000) GS:ffff88806a900000(0000) knlGS:0000000000000000
[   85.549630] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.550470] CR2: 00007ffd091bfee8 CR3: 0000000052156000 CR4: 00000000000006e0
[   85.551551] Call Trace:
[   85.551930]  <TASK>
[   85.552245]  ? rcu_read_unlock_special+0x52/0x3b0
[   85.552971]  __nf_tables_abort+0xd40/0x2f10
[   85.553612]  ? __udelay+0x15/0x20
[   85.554133]  ? __nft_release_basechain+0x5a0/0x5a0
[   85.554878]  ? rcu_read_unlock_special+0x52/0x3b0
[   85.555592]  nf_tables_abort+0x77/0xa0
[   85.556153]  nfnetlink_rcv_batch+0xb23/0x1fd0
[   85.556820]  ? nfnetlink_rcv_msg+0x980/0x980
[   85.557467]  ? stack_trace_save+0x94/0xc0
[   85.558065]  ? filter_irq_stacks+0x90/0x90
[   85.558682]  ? __const_udelay+0x62/0x80
[   85.559321]  ? _raw_spin_lock_irqsave+0x99/0xf0
[   85.559997]  ? nla_get_range_signed+0x350/0x350
[   85.560683]  ? security_capable+0x5f/0xa0
[   85.561307]  nfnetlink_rcv+0x2f0/0x3b0
[   85.561863]  ? nfnetlink_rcv_batch+0x1fd0/0x1fd0
[   85.562555]  ? rcu_read_unlock_special+0x52/0x3b0
[   85.563303]  netlink_unicast+0x5ec/0x890
[   85.563896]  ? netlink_attachskb+0x750/0x750
[   85.564546]  ? __kasan_check_read+0x11/0x20
[   85.565165]  ? __check_object_size+0x226/0x3a0
[   85.565838]  netlink_sendmsg+0x830/0xd10
[   85.566407]  ? netlink_unicast+0x890/0x890
[   85.567044]  ? apparmor_socket_sendmsg+0x3d/0x50
[   85.567724]  ? netlink_unicast+0x890/0x890
[   85.568334]  sock_sendmsg+0xec/0x120
[   85.568874]  __sys_sendto+0x1e2/0x2e0
[   85.569417]  ? __ia32_sys_getpeername+0xb0/0xb0
[   85.570086]  ? alloc_file_pseudo+0x184/0x270
[   85.570757]  ? perf_callchain_user+0x60/0xa60
[   85.571431]  ? preempt_count_add+0x7f/0x170
[   85.572054]  ? fd_install+0x14f/0x330
[   85.572612]  ? __sys_socket+0x166/0x200
[   85.573190]  ? __sys_socket_file+0x1c0/0x1c0
[   85.573805]  ? debug_smp_processor_id+0x17/0x20
[   85.574452]  ? fpregs_assert_state_consistent+0x4e/0xb0
[   85.575242]  __x64_sys_sendto+0xe0/0x1a0
[   85.575804]  ? do_syscall_64+0x69/0x80
[   85.576367]  do_syscall_64+0x5c/0x80
[   85.576901]  ? fpregs_restore_userregs+0xf3/0x200
[   85.577591]  ? switch_fpu_return+0xe/0x10
[   85.578179]  ? exit_to_user_mode_prepare+0x140/0x170
[   85.578947]  ? irqentry_exit_to_user_mode+0x9/0x20
[   85.579676]  ? irqentry_exit+0x33/0x40
[   85.580245]  ? exc_page_fault+0x72/0xe0
[   85.580824]  entry_SYSCALL_64_after_hwframe+0x46/0xb0
[   85.581577] RIP: 0033:0x45c66a
[   85.582059] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[   85.584728] RSP: 002b:00007ffd091bfee8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   85.585784] RAX: ffffffffffffffda RBX: 0000000000000174 RCX: 000000000045c66a
[   85.586821] RDX: 0000000000000174 RSI: 00007ffd091bfef0 RDI: 0000000000000003
[   85.587835] RBP: 00007ffd091c23b0 R08: 00000000004a94c8 R09: 000000000000000c
[   85.588832] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd091c1ef0
[   85.589820] R13: 0000000000000004 R14: 0000000000002000 R15: 0000000000000000
[   85.590899]  </TASK>
[   85.591243] ---[ end trace 0000000000000000 ]---
```

## Details

The vulnerability is due to a failure to properly clean up when a
lookup or dynset expression is encountered as a subexpression of
a `NFT_MSG_NEWSET` command. The `nf_tables_newset()` function is responsible
for handling the `NFT_MSG_NEWSET` netlink message.

From `nf_tables_api.c`:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L4300
static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
                            const struct nlattr * const nla[])
{
        u32 ktype, dtype, flags, policy, gc_int, objtype;
        struct netlink_ext_ack *extack = info->extack;
        u8 genmask = nft_genmask_next(info->net);
        u8 family = info->nfmsg->nfgen_family;
        const struct nft_set_ops *ops;
        struct nft_expr *expr = NULL;
        struct net *net = info->net;
        struct nft_set_desc desc;
        struct nft_table *table;
        unsigned char *udata;
        struct nft_set *set;
        struct nft_ctx ctx;
        size_t alloc_size;
        u64 timeout;
        char *name;
        int err, i;
        u16 udlen;
        u64 size;

        if (nla[NFTA_SET_TABLE] == NULL ||
            nla[NFTA_SET_NAME] == NULL ||
            nla[NFTA_SET_KEY_LEN] == NULL ||
            nla[NFTA_SET_ID] == NULL)
                return -EINVAL;
```

Assuming all the set creation field prerequisites are met, this function will
allocate a `struct nft_set` structure to track the new set.

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L4464
    set = kvzalloc(alloc_size, GFP_KERNEL);
    if (!set)
        return -ENOMEM;

[...]

    INIT_LIST_HEAD(&set->bindings);
    INIT_LIST_HEAD(&set->catchall_list);
    set->table = table;
    write_pnet(&set->net, net);
    set->ops = ops;
    set->ktype = ktype;
    set->klen = desc.klen;
    set->dtype = dtype;
    set->objtype = objtype;
    set->dlen = desc.dlen;
    set->flags = flags;
    set->size = desc.size;
    set->policy = policy;
    set->udlen = udlen;
    set->udata = udata;
    set->timeout = timeout;
    set->gc_int = gc_int;
```

We can see above that it initializes the `set->bindings` list, which will be
important later. After initialization the code will test whether or not
there are any subexpressions associated with the set, if so it will try to
handle the expression using a set-specific expression allocation handler:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L4511
    if (nla[NFTA_SET_EXPR]) {
        expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);
        if (IS_ERR(expr)) {
            err = PTR_ERR(expr);
            goto err_set_expr_alloc;
        }
        set->exprs[0] = expr;
        set->num_exprs++;
    } else if (nla[NFTA_SET_EXPRESSIONS]) {
        [...]
    }
```

If it encounters the `NFTA_SET_EXPR` we will call
`nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);`, to handle whatever
the subexpression type is. The set element expression allocation function is
quite simple:

From `nf_tables_api.c`:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L5404
struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
                     const struct nft_set *set,
                     const struct nlattr *attr)
{
    struct nft_expr *expr;
    int err;

    expr = nft_expr_init(ctx, attr);
    if (IS_ERR(expr))
        return expr;

    err = -EOPNOTSUPP;
    if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
        goto err_set_elem_expr;

    if (expr->ops->type->flags & NFT_EXPR_GC) {
        if (set->flags & NFT_SET_TIMEOUT)
            goto err_set_elem_expr;
        if (!set->ops->gc_init)
            goto err_set_elem_expr;
        set->ops->gc_init(set);
    }

    return expr;

err_set_elem_expr:
    nft_expr_destroy(ctx, expr);
    return ERR_PTR(err);
}
```

The function above will first initialize an expression, and then only after
that expression is initialized will check whether or not that expression type
is actually of the type `NFT_EXPR_STATEFUL` that means it is allowed to be a
subexpression of a set. When the expression is deemed bad and gets destroyed,
the destruction looks like the following:

From `nf_tables_api.c`:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L2918
void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
{
    nf_tables_expr_destroy(ctx, expr);
    kfree(expr);
}
```

We will look at nft_lookup as the example, although dynset is affected
identically.

We see that a `struct nft_lookup` structure is associated with the expression,
which looks like the following:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nft_lookup.c#L18
struct nft_lookup {
    struct nft_set * set;
    u8 sreg;
    u8 dreg;
    bool invert;
    struct nft_set_binding binding;
};
```

and

```cpp
//https://elixir.bootlin.com/linux/latest/source/include/net/netfilter/nf_tables.h#L576
/**
 *    struct nft_set_binding - nf_tables set binding
 *
 *    @list: set bindings list node
 *    @chain: chain containing the rule bound to the set
 *    @flags: set action flags
 *
 *    A set binding contains all information necessary for validation
 *    of new elements added to a bound set.
 */
struct nft_set_binding {
    struct list_head list;
    const struct nft_chain * chain;
    u32 flags;
};
```

The `nft_lookup_init` function looks up a referenced set that must already
exist, and if it is found then the lookup expression will be bound to that set:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nft_lookup.c#L101
    struct nft_set *set;
    u32 flags;
    int err;

    if (tb[NFTA_LOOKUP_SET] == NULL ||
        tb[NFTA_LOOKUP_SREG] == NULL)
        return -EINVAL;

    set = nft_set_lookup_global(ctx->net, ctx->table, tb[NFTA_LOOKUP_SET],
                    tb[NFTA_LOOKUP_SET_ID], genmask);
    if (IS_ERR(set))
        return PTR_ERR(set);
    [...]

    priv->binding.flags = set->flags & NFT_SET_MAP;

    err = nf_tables_bind_set(ctx, set, &priv->binding);
    if (err < 0)
        return err;

    priv->set = set;
    return 0;
}
```

The main point above is that it ends up calling `nf_tables_bind_set`, and
passing in the separate set that we just looked up, as well as the address of the
`binding` member of the `nft_lookup`.

From `nf_tables_api.c`:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L4701
int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
               struct nft_set_binding *binding)
{
    struct nft_set_binding *i;
    struct nft_set_iter iter;

    [...]
    if (binding->flags & NFT_SET_MAP) {
        [...]
    }
bind:
    binding->chain = ctx->chain;
    list_add_tail_rcu(&binding->list, &set->bindings);
    nft_set_trans_bind(ctx, set);
    set->use++;

    return 0;
}

```

Assuming everything is ok the lookup expression is then bound to the bindings
list of the set with `list_add_tail_rcu(&binding->list, &set->bindings);`. This
puts the `nft_lookup` structure on to this bindings list. If this structure
ends up being subsequently destroyed, it should be removed from the
`set->bindings` list to avoid a dangling free pointer.

Recall it was shown earlier that if the expression is not NFT_EXPR_STATEFUL,
it's going to be destroyed immediately.

Revisiting the allocation function:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L5404
struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
                                         const struct nft_set *set,
                                         const struct nlattr *attr)
{
        struct nft_expr *expr;
        int err;

        expr = nft_expr_init(ctx, attr);
        if (IS_ERR(expr))
                return expr;

        err = -EOPNOTSUPP;
        if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
                goto err_set_elem_expr;

        if (expr->ops->type->flags & NFT_EXPR_GC) {
                if (set->flags & NFT_SET_TIMEOUT)
                        goto err_set_elem_expr;
                if (!set->ops->gc_init)
                        goto err_set_elem_expr;
                set->ops->gc_init(set);
        }

        return expr;

err_set_elem_expr:
        nft_expr_destroy(ctx, expr);
        return ERR_PTR(err);
}
```

The `expr` variable will point to the `nft_lookup` structure that was
just added to the `set->bindings` list, and that expression type does not have
the `NFT_EXPR_STATEFUL` flag, so we hit:

```cpp
err_set_elem_expr:
        nft_expr_destroy(ctx, expr);
        return ERR_PTR(err);
}
```

Then the destruction:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L2918
void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr)
{
        nf_tables_expr_destroy(ctx, expr);
        kfree(expr);
}
```

First the expression destructor is called before freeing the `nft_lookup` object:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L2856
static void nf_tables_expr_destroy(const struct nft_ctx *ctx,
                                   struct nft_expr *expr)
{
        const struct nft_expr_type *type = expr->ops->type;

        if (expr->ops->destroy)
                expr->ops->destroy(ctx, expr);
        module_put(type->owner);
}
```

This corresponds to the `nft_lookup_destroy` function as shown in `nft_lookup.c`:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nft_lookup.c#L267
static const struct nft_expr_ops nft_lookup_ops = {
    [...]
    .destroy    = nft_lookup_destroy,
```

It tries to call a destruction routine on the associated set that was bound:

From: `nft_lookup.c`:

```cpp
//https://elixir.bootlin.com/linux/latest/source/net/netfilter/nft_lookup.c#L173
static void nft_lookup_destroy(const struct nft_ctx *ctx,
                               const struct nft_expr *expr)
{
        struct nft_lookup *priv = nft_expr_priv(expr);

        nf_tables_destroy_set(ctx, priv->set);
}
```

Finally we see that the set destruction routine is actually not going to do
anything because we never created an anonymous set, and the `bindings` list is
not empty because our lookup is associated with the set already:

```cpp
void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
{
        if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
                nft_set_destroy(ctx, set);
}
```

After returning back to `nft_expr_destroy`, the expression will be freed, but
will have never been removed from `set->bindings`.

One solution is probably to test if the expression is bound and then call
`nf_tables_unbind_set()` before the expression is freed.

Thanks
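
The lifetime error described above, reduced to a userspace model (an added example, not part of the original report and not kernel code): the same allocation routine is run in its buggy order, with an unbind before the free as the description suggests, and with the flag check moved ahead of initialisation. All `model_*` names, the arena that stands in for `kfree()`, and the two expression types are assumptions made for the illustration.

```c
/* Userspace model of the set-binding lifetime bug (constructed example, not kernel code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = n; }

#define EXPR_STATEFUL 0x1u   /* stands in for NFT_EXPR_STATEFUL */
struct model_type { unsigned flags; bool binds_set; };
static const struct model_type type_lookup  = { 0, true };              /* like lookup/dynset */
static const struct model_type type_counter = { EXPR_STATEFUL, false }; /* hypothetical stateful type */

struct model_set { struct list_head bindings; int use; };
struct model_expr {
    const struct model_type *type;
    bool freed;                /* slot state; stands in for kfree() so later walks stay defined */
    struct model_set *set;     /* non-NULL while bound */
    struct list_head binding;  /* node on set->bindings, as in struct nft_lookup */
};
static struct model_expr arena[4];
static size_t arena_used;

/* Like nft_expr_init() -> nft_lookup_init(): allocate, then bind to the referenced set. */
static struct model_expr *expr_init(const struct model_type *t, struct model_set *target)
{
    if (arena_used == sizeof(arena) / sizeof(arena[0])) return NULL;
    struct model_expr *e = &arena[arena_used++];
    e->type = t; e->freed = false; e->set = NULL;
    list_init(&e->binding);
    if (t->binds_set) {          /* the nf_tables_bind_set() step */
        list_add_tail(&e->binding, &target->bindings);
        target->use++;
        e->set = target;
    }
    return e;
}

/* unbind_first models the remedy suggested in the description. */
static void expr_destroy(struct model_expr *e, bool unbind_first)
{
    if (unbind_first && e->set) {
        list_del(&e->binding);
        e->set->use--;
        e->set = NULL;
    }
    e->freed = true;             /* "kfree(expr)" */
}

enum variant { BUGGY, UNBIND_ON_ERROR, REJECT_EARLY };
static struct model_expr *set_elem_expr_alloc(enum variant v, const struct model_type *t,
                                              struct model_set *target)
{
    if (v == REJECT_EARLY && !(t->flags & EXPR_STATEFUL))
        return NULL;             /* rejected before anything is initialised or bound */
    struct model_expr *e = expr_init(t, target);
    if (e && !(e->type->flags & EXPR_STATEFUL)) {
        expr_destroy(e, v == UNBIND_ON_ERROR);
        return NULL;
    }
    return e;
}

/* Count nodes on set->bindings whose containing expression was already "freed". */
static int count_dangling(const struct model_set *s)
{
    int n = 0;
    for (const struct list_head *p = s->bindings.next; p != &s->bindings; p = p->next) {
        const struct model_expr *e = (const struct model_expr *)
            ((const char *)p - offsetof(struct model_expr, binding));
        n += e->freed;
    }
    return n;
}

/* Run one variant against a fresh set; returns the dangling count, reports set->use. */
static int run_variant(enum variant v, const struct model_type *t, int *use_out)
{
    struct model_set s = { .use = 0 };
    arena_used = 0;
    list_init(&s.bindings);
    set_elem_expr_alloc(v, t, &s);
    if (use_out) *use_out = s.use;
    return count_dangling(&s);
}

int main(void)
{
    static const char *names[] = { "buggy", "unbind-on-error", "reject-early" };
    for (int v = BUGGY; v <= REJECT_EARLY; v++) {
        int use, d = run_variant((enum variant)v, &type_lookup, &use);
        printf("%-16s dangling=%d use=%d\n", names[v], d, use);
    }
    printf("stateful type: dangling=%d\n", run_variant(BUGGY, &type_counter, NULL));
    return 0;
}
```

In the buggy order the set keeps one binding node and a raised use count for an object that no longer exists, which is the state the KASAN write in `nf_tables_bind_set` lands on at the next list operation.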
Comment 3 Carlos López 2022-05-30 08:08:28 UTC
Bug introduced in commit 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")

Netdev patch:
https://lore.kernel.org/netdev/20220526205411.315136-1-pablo@netfilter.org/T/#me63442c24b77995357c04a117eceeede13eb2f24

Branches cve/linux-4.12 and newer have stateful expressions, and include the incomplete cleanup, so they are affected.
Comment 4 Carlos López 2022-05-30 08:10:01 UTC
(In reply to Carlos López from comment #3)
> Branches cve/linux-4.12 and newer have stateful expressions

cve/linux-4.4 and newer
Comment 6 Carlos López 2022-06-01 09:11:54 UTC
Public:
https://www.openwall.com/lists/oss-security/2022/05/31/1
Comment 7 Michal Kubeček 2022-06-06 21:44:52 UTC
The fix is mainline commit 520778042ccc ("netfilter: nf_tables: disallow
non-stateful expression in sets earlier"), in mainline since 5.19-rc1.
But the question when the issue was introduced is more tricky. The Fixes tag
refers to commit 0b2d8a7b638b ("netfilter: nf_tables: add helper functions
for expression handling") in 4.1-rc1 which is true in the sense that this
commit introduced the nft_expr_init() helper function which does not bail out
if NFT_STATEFUL_EXPR flag is not set.

However, from the point of view of this CVE, the real problem starts with
commit cd5125d8f518 ("netfilter: nf_tables: split set destruction in
deactivate and destroy phase") in 4.20-rc1 as it splits the destroy and
unbind operations into two functions, allowing to call the former without
the latter which results in use after free.

So as a security fix, commit 520778042ccc is needed in cve/linux-5.3, SLE15-SP4
and stable (which already received a backport with 5.18.2 stable update).
SLE12-SP5 should also get it via git-fixes workflow, not as a security fix.
Comment 9 Michal Kubeček 2022-06-07 07:25:23 UTC
The fix has been submitted to all relevant branches:

  stable            5.18.2       (merged)
  SLE15-SP4         382d5dc24196 (merged)
  cve/linux-5.3     41de48021d1d
  SLE12-SP5         1bb9b5bf248a (without the CVE reference)

Reassigning back to security team.
Comment 18 Alexander Bergmann 2022-06-13 12:21:39 UTC
*** Bug 1200494 has been marked as a duplicate of this bug. ***
Comment 21 Swamp Workflow Management 2022-06-14 22:23:25 UTC
SUSE-SU-2022:2080-1: An update that solves 18 vulnerabilities and has 27 fixes is now available.

Category: security (important)
Bug References: 1024718,1055117,1061840,1065729,1129770,1158266,1162338,1162369,1173871,1188885,1194124,1195612,1195651,1196426,1196570,1197219,1197601,1198438,1198577,1198899,1198989,1199035,1199063,1199237,1199239,1199314,1199399,1199426,1199505,1199507,1199526,1199602,1199605,1199606,1199631,1199650,1199671,1199839,1200015,1200045,1200057,1200143,1200144,1200173,1200249
CVE References: CVE-2019-19377,CVE-2021-33061,CVE-2021-39711,CVE-2022-1184,CVE-2022-1652,CVE-2022-1729,CVE-2022-1734,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-24448,CVE-2022-30594
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.100.2, kernel-source-azure-4.12.14-16.100.1, kernel-syms-azure-4.12.14-16.100.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Frank Steiner 2022-06-15 08:56:25 UTC
(In reply to Michal Kubeček from comment #9)
> The fix has been submitted to all relevant branches:
> 
>   stable            5.18.2       (merged)
>   SLE15-SP4         382d5dc24196 (merged)
>   cve/linux-5.3     41de48021d1d
>   SLE12-SP5         1bb9b5bf248a (without the CVE reference)

What about SLE15-SP3, is this not a "relevant branch"? The kernel updates released yesterday don't contain any reference to CVE-2022-1966 or bsc#1200015. Disabling user namespaces killed docker and chromium for our users, so a fixed kernel for 15-SP3 is really urgent.
Comment 24 Takashi Iwai 2022-06-15 08:58:02 UTC
Yet another update for SLE15-SP3 kernel is already on its way.  Stay tuned.
Comment 25 Michal Kubeček 2022-06-15 11:18:26 UTC
(In reply to Frank Steiner from comment #23)
> What about SLE15-SP3, is this not a "relevant branch"?

cve/linux-5.3 gets merged into SLE15-SP3, there is no need to list all target
branches the fix ends up in eventually.
Comment 27 Marcos de Souza 2022-06-15 13:16:54 UTC
(In reply to Michal Kubeček from comment #25)
> (In reply to Frank Steiner from comment #23)
> > What about SLE15-SP3, is this not a "relevant branch"?
> 
> cve/linux-5.3 gets merged into SLE15-SP3, there is no need to list all target
> branches the fix ends up in eventually.

Michal, do you have a reproducer of this issue? It would help us to test the livepatch more properly. Thanks!
Comment 30 Swamp Workflow Management 2022-06-16 19:29:25 UTC
SUSE-SU-2022:2104-1: An update that solves 23 vulnerabilities, contains one feature and has 19 fixes is now available.

Category: security (important)
Bug References: 1028340,1065729,1071995,1158266,1177282,1191647,1195651,1195926,1196114,1196367,1196426,1196433,1196514,1196570,1196942,1197157,1197343,1197472,1197656,1197660,1197895,1198330,1198400,1198484,1198516,1198577,1198660,1198687,1198778,1198825,1199012,1199063,1199314,1199505,1199507,1199605,1199650,1199918,1200015,1200143,1200144,1200249
CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-20321,CVE-2021-33061,CVE-2022-0168,CVE-2022-1011,CVE-2022-1158,CVE-2022-1184,CVE-2022-1353,CVE-2022-1516,CVE-2022-1652,CVE-2022-1729,CVE-2022-1734,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-28893,CVE-2022-30594
JIRA References: SLE-18234
Sources used:
SUSE Manager Server 4.1 (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1
SUSE Manager Retail Branch Server 4.1 (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1
SUSE Manager Proxy 4.1 (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-150200.24.115.1, kernel-livepatch-SLE15-SP2_Update_27-1-150200.5.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-150200.24.115.1
SUSE Enterprise Storage 7 (src):    kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2022-06-20 13:20:54 UTC
SUSE-SU-2022:2116-1: An update that solves 17 vulnerabilities and has 26 fixes is now available.

Category: security (important)
Bug References: 1024718,1055117,1061840,1065729,1129770,1158266,1162338,1162369,1173871,1188885,1194124,1195651,1196426,1196570,1197219,1197601,1198438,1198577,1198899,1199035,1199063,1199237,1199239,1199314,1199399,1199426,1199505,1199507,1199526,1199602,1199605,1199606,1199631,1199650,1199671,1199839,1200015,1200045,1200057,1200143,1200144,1200173,1200249
CVE References: CVE-2019-19377,CVE-2021-33061,CVE-2021-39711,CVE-2022-1184,CVE-2022-1652,CVE-2022-1729,CVE-2022-1734,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-30594
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.124.3
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.124.2, kernel-obs-build-4.12.14-122.124.3
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.124.3, kernel-source-4.12.14-122.124.2, kernel-syms-4.12.14-122.124.2
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.124.3, kgraft-patch-SLE12-SP5_Update_32-1-8.3.3
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.124.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Frank Steiner 2022-06-22 07:35:11 UTC
(In reply to Takashi Iwai from comment #24)
> Yet another update for SLE15-SP3 kernel is already on its way.  Stay tuned.

Any idea how long this will take? It's been more than 2 weeks since the patch was added to the kernel branches, and given the impact of the mitigation (docker/podman/chromium not working) it would be desirable if the QA process for 15 SP3 (which surely is the most-used SP for SLE given that SP4 has just arrived) were given a higher priority...
Comment 36 Gianluca Gabrielli 2022-06-22 08:27:54 UTC
CVE-2022-1966 has been rejected [0] in favor of CVE-2022-32250.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966
Comment 37 Michal Kubeček 2022-06-22 08:48:09 UTC
(In reply to Marcos de Souza from comment #27)
> Michal do you have a reproducer of this issue? It would help us to test the
> livepatch more properly. Thanks!

Not at hand. It should be possible to create one based on the issue description
but it may be tricky to detect if the use after free actually happened without
having to rebuild the kernel with some debug config option(s) enabled.
Comment 38 Michal Kubeček 2022-06-22 08:49:31 UTC
(In reply to Gianluca Gabrielli from comment #36)
> CVE-2022-1966 has been rejected [0] in favor of CVE-2022-32250.
> 
> [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966

Should I add the new CVE id to the patches or replace the old one with it?
Comment 39 Marcus Meissner 2022-06-22 10:24:24 UTC
add additionally.... (so we have both)
Comment 43 Swamp Workflow Management 2022-06-24 13:18:38 UTC
SUSE-SU-2022:2172-1: An update that solves 7 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 1177282,1184924,1198924,1199365,1199482,1200015,1200143,1200144,1200206,1200207,1200249,1200259,1200263,1200343,1200494,1200529,1200604
CVE References: CVE-2020-26541,CVE-2022-1012,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-20141,CVE-2022-32250
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.62.1, kernel-source-azure-5.3.18-150300.38.62.1, kernel-syms-azure-5.3.18-150300.38.62.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.62.1, kernel-source-azure-5.3.18-150300.38.62.1, kernel-syms-azure-5.3.18-150300.38.62.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 44 Swamp Workflow Management 2022-06-24 13:20:41 UTC
SUSE-SU-2022:2173-1: An update that solves four vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 1177282,1199365,1200015,1200143,1200144,1200206,1200207,1200249,1200259,1200263,1200268,1200529
CVE References: CVE-2020-26541,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.76.1, kernel-preempt-5.3.18-150300.59.76.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.76.1, kernel-64kb-5.3.18-150300.59.76.1, kernel-debug-5.3.18-150300.59.76.1, kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2, kernel-docs-5.3.18-150300.59.76.1, kernel-kvmsmall-5.3.18-150300.59.76.1, kernel-obs-build-5.3.18-150300.59.76.1, kernel-obs-qa-5.3.18-150300.59.76.1, kernel-preempt-5.3.18-150300.59.76.1, kernel-source-5.3.18-150300.59.76.1, kernel-syms-5.3.18-150300.59.76.1, kernel-zfcpdump-5.3.18-150300.59.76.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.76.1, kernel-preempt-5.3.18-150300.59.76.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.76.1, kernel-livepatch-SLE15-SP3_Update_20-1-150300.7.5.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.76.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.76.1, kernel-obs-build-5.3.18-150300.59.76.1, kernel-preempt-5.3.18-150300.59.76.1, kernel-source-5.3.18-150300.59.76.1, kernel-syms-5.3.18-150300.59.76.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.76.1, kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2, kernel-preempt-5.3.18-150300.59.76.1, kernel-source-5.3.18-150300.59.76.1, kernel-zfcpdump-5.3.18-150300.59.76.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.76.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 45 Swamp Workflow Management 2022-06-24 16:24:19 UTC
SUSE-SU-2022:2177-1: An update that solves 20 vulnerabilities, contains three features and has 39 fixes is now available.

Category: security (important)
Bug References: 1055117,1061840,1065729,1103269,1118212,1153274,1154353,1156395,1158266,1167773,1176447,1177282,1178134,1180100,1183405,1188885,1195826,1196426,1196478,1196570,1196840,1197446,1197472,1197601,1197675,1198438,1198577,1198971,1198989,1199035,1199052,1199063,1199114,1199314,1199365,1199505,1199507,1199564,1199626,1199631,1199650,1199670,1199839,1200015,1200019,1200045,1200046,1200143,1200144,1200192,1200206,1200207,1200216,1200249,1200259,1200263,1200529,1200549,1200604
CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-33061,CVE-2022-0168,CVE-2022-1184,CVE-2022-1652,CVE-2022-1729,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1975,CVE-2022-20008,CVE-2022-20141,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-30594,CVE-2022-32250
JIRA References: SLE-13521,SLE-16387,SLE-8371
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.93.1, kernel-rt_debug-5.3.18-150300.93.1, kernel-source-rt-5.3.18-150300.93.1, kernel-syms-rt-5.3.18-150300.93.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-rt-5.3.18-150300.93.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 47 Frank Steiner 2022-07-02 16:05:04 UTC
Has the default policy been changed so that user.max_user_namespaces is set to 0 by default now? When I boot our SP3 with 5.3.18-150300.59.76 user.max_user_namespaces is 0. With 5.3.18-150300.59.71 it is 256166. And I flip-flop-booted the kernels several times to make sure it's not something else changing the values.

Setting user.max_user_namespaces to 0 was the mitigation for the buggy kernel 150300.59.71. Given that this has been fixed with 150300.59.76, why should user.max_user_namespaces now default to 0?

chromium and podman are disabled by default with this new default, so I guess it's not a good idea...
Comment 48 Frank Steiner 2022-07-03 12:12:10 UTC
Posting in case someone else steps on this. It turned out that the sysctl file we had created for setting namespaces to 0 was transferred into the initrd when upgrading the kernel package, so it was executed on every reboot even after removing it from /etc/sysctl.d.

I'm not sure it makes sense to put all sysctl config files into the initrd (one wouldn't need systemd-sysctl.service then anymore), but that's not related to this bug.
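The situation described in comments 47 and 48, as an added example that is not part of the original thread: a check that reports a `user.max_user_namespaces` setting surviving in the initrd after its file was removed or changed in the root filesystem. The function names are hypothetical, and the script assumes the initrd contents have already been unpacked into a directory and that config file names contain no spaces.

```shell
#!/bin/sh
# Added example (not from the bug thread): find a leftover
# user.max_user_namespaces mitigation that still lives in the initrd.

KEY='user.max_user_namespaces'

# find_ns_settings ROOT
# Prints "PATH VALUE" for every sysctl config file under ROOT that sets KEY.
# ROOT is "/" for the installed system or a directory holding unpacked
# initrd contents (assumption: the caller unpacked the image beforehand).
find_ns_settings() {
    fns_root=${1%/}
    for fns_file in "$fns_root"/etc/sysctl.conf \
                    "$fns_root"/etc/sysctl.d/*.conf \
                    "$fns_root"/run/sysctl.d/*.conf \
                    "$fns_root"/usr/lib/sysctl.d/*.conf; do
        # Unmatched globs stay literal, so skip anything that is not a file.
        [ -f "$fns_file" ] || continue
        # Accept "key = value" with optional whitespace, the optional
        # leading "-" prefix, and "/" as separator; comment lines never
        # match. The last assignment in a file wins.
        fns_val=$(sed -n -E \
            's|^[[:space:]]*-?user[./]max_user_namespaces[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$|\1|p' \
            "$fns_file" | tail -n 1)
        if [ -n "$fns_val" ]; then
            printf '%s %s\n' "${fns_file#"$fns_root"}" "$fns_val"
        fi
    done
    return 0
}

# stale_initrd_settings ROOT INITRD_DIR
# Prints one line per initrd config file whose KEY setting has no
# counterpart in the root filesystem (STALE) or differs from it (DIFF).
stale_initrd_settings() {
    sis_root=${1%/}
    find_ns_settings "$2" | while read -r sis_path sis_val; do
        sis_live=$(find_ns_settings "${sis_root:-/}" |
            awk -v p="$sis_path" '$1 == p { print $2 }')
        if [ -z "$sis_live" ]; then
            printf 'STALE %s=%s initrd:%s\n' "$KEY" "$sis_val" "$sis_path"
        elif [ "$sis_live" != "$sis_val" ]; then
            printf 'DIFF %s initrd:%s=%s rootfs=%s\n' \
                "$KEY" "$sis_path" "$sis_val" "$sis_live"
        fi
    done
}

# Stand-alone use: script.sh / /path/to/unpacked-initrd
if [ "$#" -eq 2 ]; then
    stale_initrd_settings "$1" "$2"
fi
```

A STALE line means the initrd needs to be regenerated after the mitigation file is removed, otherwise the old value is applied again at every boot.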
Comment 56 Swamp Workflow Management 2022-07-21 22:37:18 UTC
SUSE-SU-2022:2520-1: An update that solves 49 vulnerabilities, contains 26 features and has 207 fixes is now available.

Category: security (important)
Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198410,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198829,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200813,1200815,1200816,1200820,1200821,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201080,1201160,1201171,1201177,1201193,
1201196,1201218,1201222,1201228,1201251,1201381,1201471,1201524
CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1462,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918
JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.14.21-150400.24.11.1, kernel-64kb-5.14.21-150400.24.11.1, kernel-debug-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-docs-5.14.21-150400.24.11.1, kernel-kvmsmall-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-obs-qa-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Live Patching 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1, kernel-livepatch-SLE15-SP4_Update_1-1-150400.9.5.3
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    kernel-docs-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    kernel-64kb-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-source-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 58 Swamp Workflow Management 2022-08-01 13:39:35 UTC
SUSE-SU-2022:2615-1: An update that solves 48 vulnerabilities, contains 26 features and has 202 fixes is now available.

Category: security (important)
Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200572,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200815,1200816,1200820,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,
1201251,150300
CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918
JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549
Sources used:
openSUSE Leap 15.4 (src):    kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 59 Swamp Workflow Management 2022-08-02 19:19:32 UTC
SUSE-SU-2022:2629-1: An update that solves 33 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1024718,1055117,1061840,1065729,1129770,1158266,1177282,1188885,1194013,1194124,1196426,1196570,1196901,1196964,1197170,1197219,1197601,1198438,1198577,1198866,1198899,1199035,1199063,1199237,1199239,1199314,1199399,1199426,1199482,1199487,1199505,1199507,1199526,1199605,1199631,1199650,1199657,1199671,1199839,1200015,1200045,1200143,1200144,1200173,1200249,1200343,1200549,1200571,1200599,1200600,1200604,1200605,1200608,1200619,1200762,1200806,1200807,1200809,1200810,1200813,1200820,1200821,1200822,1200829,1200868,1200869,1200870,1200871,1200872,1200873,1200925,1201050,1201080,1201251
CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-26341,CVE-2021-33061,CVE-2021-39711,CVE-2021-4157,CVE-2022-1012,CVE-2022-1184,CVE-2022-1652,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1836,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-26365,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742
JIRA References: 
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP5 (src):    kernel-rt-4.12.14-10.94.1, kernel-rt_debug-4.12.14-10.94.1, kernel-source-rt-4.12.14-10.94.1, kernel-syms-rt-4.12.14-10.94.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 60 Swamp Workflow Management 2022-08-09 16:28:09 UTC
SUSE-SU-2022:2722-1: An update that solves 5 vulnerabilities, contains 9 features and has 31 fixes is now available.

Category: security (important)
Bug References: 1190256,1190497,1198410,1198829,1199086,1199291,1199364,1199665,1199670,1200015,1200465,1200494,1200644,1200651,1201258,1201323,1201381,1201391,1201427,1201458,1201471,1201524,1201592,1201593,1201595,1201596,1201635,1201651,1201675,1201691,1201705,1201725,1201846,1201930,1201954,1201958
CVE References: CVE-2021-33655,CVE-2022-1462,CVE-2022-21505,CVE-2022-29581,CVE-2022-32250
JIRA References: SLE-18130,SLE-20183,SLE-21132,SLE-24569,SLE-24570,SLE-24571,SLE-24578,SLE-24635,SLE-24682
Sources used:
openSUSE Leap 15.4 (src):    kernel-azure-5.14.21-150400.14.10.1, kernel-source-azure-5.14.21-150400.14.10.1, kernel-syms-azure-5.14.21-150400.14.10.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    kernel-azure-5.14.21-150400.14.10.1, kernel-source-azure-5.14.21-150400.14.10.1, kernel-syms-azure-5.14.21-150400.14.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 61 Swamp Workflow Management 2022-08-23 16:20:44 UTC
SUSE-SU-2022:2875-1: An update that solves 18 vulnerabilities, contains one feature and has 18 fixes is now available.

Category: security (important)
Bug References: 1178134,1196616,1198829,1199364,1199647,1199665,1199670,1200015,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201442,1201458,1201635,1201636,1201644,1201645,1201664,1201672,1201673,1201676,1201846,1201930,1201940,1201954,1201956,1201958,1202154
CVE References: CVE-2020-36516,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-2639,CVE-2022-29581,CVE-2022-32250,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: SLE-24559
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.90.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.90.1, kernel-64kb-5.3.18-150300.59.90.1, kernel-debug-5.3.18-150300.59.90.1, kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1, kernel-docs-5.3.18-150300.59.90.1, kernel-kvmsmall-5.3.18-150300.59.90.1, kernel-obs-build-5.3.18-150300.59.90.1, kernel-obs-qa-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-syms-5.3.18-150300.59.90.1, kernel-zfcpdump-5.3.18-150300.59.90.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-livepatch-SLE15-SP3_Update_23-1-150300.7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.90.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.90.1, kernel-obs-build-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-syms-5.3.18-150300.59.90.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.90.1, kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-zfcpdump-5.3.18-150300.59.90.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.90.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 62 Swamp Workflow Management 2022-09-01 14:04:17 UTC
openSUSE-SU-2022:2173-1: An update that solves four vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 1177282,1199365,1200015,1200143,1200144,1200206,1200207,1200249,1200259,1200263,1200268,1200529
CVE References: CVE-2020-26541,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2
Comment 63 Swamp Workflow Management 2022-09-01 14:21:03 UTC
openSUSE-SU-2022:2177-1: An update that solves 20 vulnerabilities, contains three features and has 39 fixes is now available.

Category: security (important)
Bug References: 1055117,1061840,1065729,1103269,1118212,1153274,1154353,1156395,1158266,1167773,1176447,1177282,1178134,1180100,1183405,1188885,1195826,1196426,1196478,1196570,1196840,1197446,1197472,1197601,1197675,1198438,1198577,1198971,1198989,1199035,1199052,1199063,1199114,1199314,1199365,1199505,1199507,1199564,1199626,1199631,1199650,1199670,1199839,1200015,1200019,1200045,1200046,1200143,1200144,1200192,1200206,1200207,1200216,1200249,1200259,1200263,1200529,1200549,1200604
CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-33061,CVE-2022-0168,CVE-2022-1184,CVE-2022-1652,CVE-2022-1729,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1975,CVE-2022-20008,CVE-2022-20141,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-30594,CVE-2022-32250
JIRA References: SLE-13521,SLE-16387,SLE-8371
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-rt-5.3.18-150300.93.1
Comment 64 Swamp Workflow Management 2022-09-01 15:22:48 UTC
SUSE-SU-2022:2875-2: An update that solves 18 vulnerabilities, contains one feature and has 18 fixes is now available.

Category: security (important)
Bug References: 1178134,1196616,1198829,1199364,1199647,1199665,1199670,1200015,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201442,1201458,1201635,1201636,1201644,1201645,1201664,1201672,1201673,1201676,1201846,1201930,1201940,1201954,1201956,1201958,1202154
CVE References: CVE-2020-36516,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-2639,CVE-2022-29581,CVE-2022-32250,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: SLE-24559
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 65 Marcus Meissner 2022-09-08 15:54:00 UTC
done