OSG-SEC-2022-08-10 HIGH Linux kernel perf use-after-free flaw

Dear OSG Security Contacts,

Vulnerabilities have been found concerning the Linux kernel perf subsystem's perf_event_open() which may lead to local privilege escalation or system crash.[1][2]

IMPACTED VERSIONS:

All major Linux distribution kernels

WHAT ARE THE VULNERABILITIES:

A use-after-free flaw was found in the Linux kernel's performance events functionality. A user triggers a race condition in setting up performance monitoring between the leading PERF_TYPE_TRACEPOINT and sub PERF_EVENT_HARDWARE plus the PERF_EVENT_SOFTWARE using the perf_event_open() function with these three types. This flaw allows a local user to crash the system. The exploit can be used by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc.

WHAT YOU SHOULD DO:

Update your Linux systems with the available patches and restart them. [4][5][6].

Sites running RHEL should see [2]

Sites running CentOS should also see [2]

Sites running Scientific Linux should see [3]

Sites running Debian should see [4]

Sites running Ubuntu should see [5]

Sites running RockyLinux should see [6]

Sites running Almalinux should see [7]

REFERENCES

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2086753

[2] https://access.redhat.com/security/cve/CVE-2022-1729

[3] https://www.scientificlinux.org/category/sl-errata/

[4] https://security-tracker.debian.org/tracker/CVE-2022-1729

[5] http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2022-1729.html

[6] https://errata.rockylinux.org/

[7] https://errata.almalinux.org/

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team