
OSG-SEC-2021-09-10 Vulnerability in Linux Kernel Traffic Control Subsystem

Dear OSG Security Contacts,

A use-after-free vulnerability (CVE-2021-3715) has been identified in the Linux kernel Traffic Control networking subsystem. The OSG Security Team considers this vulnerability to be of HIGH severity if unprivileged_network_namespaces are not disabled [4].

IMPACTED VERSIONS:

All systems running RHEL 7 and 8 or derivatives [1], Debian systems [2], and Ubuntu systems [3] may be vulnerable.

WHAT ARE THE VULNERABILITIES:

A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. This flaw allows unprivileged local users to escalate their privileges on the system [1].

WHAT YOU SHOULD DO:

Sites and VOs should update their systems to a patched version as soon as it becomes available and disable unprivileged_network_namespaces if not specifically required.

Mitigation of this vulnerability is possible by disabling unprivileged_network_namespaces. In general, unprivileged_network_namespaces should be disabled if they are not required [4].

Note that this mitigation is available for Singularity, as enabling unprivileged_network_namespaces is not required for Singularity. However, they may be required for other software packages or system services on RHEL 8 and CentOS 8; please see reference [4] below for more information.
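As an added illustration (not part of this advisory or of the OSG documentation), the following shell check reports whether a host still allows unprivileged users to obtain a network namespace. It assumes that the advisory's unprivileged_network_namespaces setting corresponds to the kernel sysctls user.max_net_namespaces and user.max_user_namespaces under /proc/sys/user/ and, on Debian/Ubuntu kernels, the additional kernel.unprivileged_userns_clone toggle.

```shell
#!/bin/sh
# Assumption: "unprivileged_network_namespaces" in the advisory maps to the
# sysctls user.max_net_namespaces / user.max_user_namespaces (all kernels that
# have ucount limits) and kernel.unprivileged_userns_clone (Debian/Ubuntu patch).

# Read one sysctl from /proc/sys; print "missing" if the kernel does not expose it.
read_sysctl() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Decide from the three values whether an unprivileged user can still create a
# network namespace. Prints "blocked" or "allowed".
assess_netns() {
    max_net="$1"; max_user="$2"; userns_clone="$3"
    # An unprivileged user only reaches a new network namespace through a user
    # namespace, so a zero user-namespace limit or the Debian/Ubuntu toggle set
    # to 0 is sufficient. A zero net-namespace limit also blocks it, but that
    # limit counts root's namespaces too, which is why system services that
    # create their own network namespace may break (the EL8 caveat above).
    if [ "$max_net" = 0 ] || [ "$max_user" = 0 ] || [ "$userns_clone" = 0 ]; then
        echo blocked
    else
        echo allowed
    fi
}

# Gather the live values on this host and print the verdict.
check_host() {
    net=$(read_sysctl user.max_net_namespaces)
    user=$(read_sysctl user.max_user_namespaces)
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    echo "user.max_net_namespaces=$net user.max_user_namespaces=$user" \
         "kernel.unprivileged_userns_clone=$clone"
    assess_netns "$net" "$user" "$clone"
}

# To apply the mitigation persistently (assumed sysctl.d layout; run as root):
#   echo 'user.max_net_namespaces = 0' > /etc/sysctl.d/90-max_net_namespaces.conf
#   sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf

check_host
```

Run it as an unprivileged user on a worker node before and after applying the sysctl to confirm the verdict changes from "allowed" to "blocked".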

REFERENCES

[1] https://access.redhat.com/security/cve/CVE-2021-3715

[2] https://security-tracker.debian.org/tracker/CVE-2021-3715

[3] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3715

[4] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team