OSG-SEC-2021-09-10 Vulnerability in Linux Kernel Traffic Control Subsystem
Dear OSG Security Contacts,
A use-after-free vulnerability (CVE-2021-3715) has been identified in the Linux kernel Traffic Control networking subsystem. OSG Security Team considers this vulnerability to be of HIGH severity if unprivileged_network_namespaces are not disabled .
All systems running RHEL 7 and 8 or derivatives , Debian systems , and Ubuntu systems  may be vulnerable.
WHAT ARE THE VULNERABILITIES:
A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system .
WHAT YOU SHOULD DO:
Sites and VOs should update their systems to a patched version as soon as it becomes available and disable unprivileged_network_namespaces if not specifically required.
Mitigation of this vulnerability is possible by disabling unprivileged_network_namespaces. In general unprivileged_network_namespaces should be disabled if they are not required .
Note that this mitigation is available for Singularity as enabling unprivileged_network_namespaces is not required for Singularity. However, they may be required for other software packages or system services on RHEL 8 and CentOS8, please see reference  below for more information.
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team