Privilege Escalation Vulnerability in Linux Kernel openvswitch Module (CVE-2022-2639)
Description
Details of a privilege escalation vulnerability in the Linux kernel openvswitch module (CVE-2022-2639) have been disclosed. The reserve_sfa_size() function in this module contains an integer coercion defect: given a sufficiently large number of actions, it fails to return -EMSGSIZE as expected while reserving memory for a new flow action, so a subsequent copy can write out of bounds. A local user can exploit this to crash the system or escalate privileges. The openvswitch netlink interface requires CAP_NET_ADMIN, but an otherwise unprivileged process can obtain that capability by creating a new user and network namespace, which is why the mitigations below target namespace-creating system calls such as unshare. A proof of concept (PoC) has been published, and the risk is high.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Privilege escalation | CVE-2022-2639 | High | 2022-09-01
Impact
1. CCE clusters that use the container tunnel network model and whose nodes run EulerOS 2.9 images;
2. Nodes running Ubuntu images, which ship with the openvswitch kernel module.
Nodes running EulerOS 2.5 or CentOS 7.6 are not affected by this vulnerability.
Solution
- For workloads whose container processes run as a non-root user, configure seccomp (secure computing mode) for the workload. Use the RuntimeDefault profile, or a custom profile that blocks system calls such as unshare, so that the process cannot create the user and network namespaces it would need to obtain CAP_NET_ADMIN and reach the openvswitch netlink interface. For configuration details, see Restrict a Container's Syscalls with seccomp.
- Ubuntu images ship with the openvswitch kernel module. On nodes whose networking does not depend on it (clusters that use the container tunnel network model rely on openvswitch and must keep it), prevent the module from being loaded:
echo "blacklist openvswitch" >>/etc/modprobe.d/blacklist.conf
Then restart the node for the setting to take effect; a module that is already loaded stays loaded until the reboot.
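The seccomp mitigation above, as an added example that is not part of this bulletin: a small POSIX shell script with three pieces. write_unshare_profile writes a custom Localhost seccomp profile (no-unshare.json) that fails unshare(2) with EPERM while allowing everything else; pod_manifest emits a Pod manifest that runs as non-root with all capabilities dropped and selects either the RuntimeDefault profile or that custom one; seccomp_mode reads the Seccomp field of a /proc/<pid>/status file, which is how you confirm from inside the container that a filter is in force (2 = filter mode). The workload name ovs-hardened, the image registry.example.com/app:1.0, the UID 10001 and the profile directory are made up for the example.

```shell
#!/bin/sh
# Added example (not from the CCE bulletin): apply the seccomp mitigation
# to a workload. Two variants are shown:
#   1. RuntimeDefault: the container runtime's built-in profile.
#   2. Localhost: a custom profile shipped to every node under the kubelet
#      seccomp root (by default /var/lib/kubelet/seccomp) that returns EPERM
#      for unshare(2).
# Names used here (ovs-hardened, registry.example.com/app:1.0, UID 10001,
# the profile directory) are assumptions for the example.

# write_unshare_profile DIR
# Writes DIR/no-unshare.json: default allow, but unshare fails with EPERM
# (the default errno for SCMP_ACT_ERRNO), so an unprivileged process cannot
# open a fresh user+network namespace through this entry point and pick up
# CAP_NET_ADMIN for the openvswitch netlink interface. Prints the file path.
write_unshare_profile() {
  mkdir -p "$1"
  cat > "$1/no-unshare.json" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["unshare"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
  printf '%s\n' "$1/no-unshare.json"
}

# pod_manifest NAME MODE [PROFILE]
# Emits a Pod manifest. MODE is "RuntimeDefault" or "Localhost"; for
# Localhost, PROFILE is the path relative to the kubelet seccomp root.
# The pod runs as non-root and drops every capability, matching the
# bulletin's precondition for the seccomp mitigation.
pod_manifest() {
  name="$1"; mode="$2"; profile="${3:-}"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: $mode
EOF
  if [ "$mode" = "Localhost" ]; then
    printf '      localhostProfile: %s\n' "$profile"
  fi
  cat <<EOF
  containers:
  - name: app
    image: registry.example.com/app:1.0
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

# seccomp_mode [STATUS_FILE]
# Prints the Seccomp field of a /proc/<pid>/status file:
# 0 = disabled, 1 = strict, 2 = filter. Inside the container, run it against
# /proc/1/status to confirm the profile actually took effect.
seccomp_mode() {
  awk '/^Seccomp:/ { print $2 }' "${1:-/proc/self/status}"
}

# Typical use (node side, then from a workstation with kubectl):
#   write_unshare_profile /var/lib/kubelet/seccomp/profiles
#   pod_manifest ovs-hardened Localhost profiles/no-unshare.json | kubectl apply -f -
#   pod_manifest ovs-hardened RuntimeDefault | kubectl apply -f -
#   kubectl exec ovs-hardened -- grep Seccomp /proc/1/status
```

The custom profile covers only the unshare entry point; a namespace can also be created through clone or clone3 with CLONE_NEWUSER, which this profile does not filter. The RuntimeDefault profile of containerd and Docker permits unshare, and the namespace flags of clone, only to containers that hold CAP_SYS_ADMIN, so it is the simpler choice wherever the workload tolerates it, which is why the bulletin recommends it first.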
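The module-disabling procedure above, as an added example that is not part of this bulletin. The bulletin's one-liner uses only a blacklist directive, which stops the module from being loaded automatically through its aliases but does not stop a tool that runs modprobe openvswitch explicitly; the script below also writes an install override so that such requests fail. It uses its own drop-in file instead of the shared blacklist.conf (modprobe reads every *.conf under /etc/modprobe.d), is safe to re-run, and checks /proc/modules so you know whether the reboot the bulletin asks for is still needed. The configuration directory and the /proc/modules path are parameters so the functions can be exercised against a scratch directory; the file name blacklist-openvswitch.conf is an assumption.

```shell
#!/bin/sh
# Added example (not from the CCE bulletin): disable the openvswitch kernel
# module on a node via a modprobe.d drop-in. Compared with the single
# `blacklist` line in the bulletin, this also adds `install ... /bin/false`
# so that an explicit `modprobe openvswitch` fails as well.
# Only use this on nodes whose networking does not depend on openvswitch.

MODULE="openvswitch"

# write_modprobe_config DIR
# Creates DIR/blacklist-openvswitch.conf (DIR is normally /etc/modprobe.d)
# with two directives:
#   blacklist openvswitch          - no automatic loading via module aliases
#   install openvswitch /bin/false - explicit modprobe requests fail too
# Idempotent: a directive already present is not appended again.
# Prints the path of the file it wrote.
write_modprobe_config() {
  dir="$1"
  conf="$dir/blacklist-$MODULE.conf"
  mkdir -p "$dir"
  grep -qs "^blacklist $MODULE\$" "$conf" \
    || printf 'blacklist %s\n' "$MODULE" >> "$conf"
  grep -qs "^install $MODULE /bin/false\$" "$conf" \
    || printf 'install %s /bin/false\n' "$MODULE" >> "$conf"
  printf '%s\n' "$conf"
}

# config_blocks_module DIR
# Succeeds only if DIR holds both directives; use it as a post-change check.
config_blocks_module() {
  conf="$1/blacklist-$MODULE.conf"
  grep -qs "^blacklist $MODULE\$" "$conf" \
    && grep -qs "^install $MODULE /bin/false\$" "$conf"
}

# module_loaded [MODULES_FILE]
# Succeeds if the module is in the running kernel (default: /proc/modules).
# A module that is already loaded stays loaded until the node is rebooted,
# which is why the bulletin asks for a restart.
module_loaded() {
  modules="${1:-/proc/modules}"
  grep -qs "^$MODULE " "$modules"
}

# apply_on_node: the real procedure. Needs root. Runs only when this file is
# invoked as `sh thisfile.sh --apply`, never when it is merely sourced.
apply_on_node() {
  conf=$(write_modprobe_config /etc/modprobe.d)
  echo "wrote $conf"
  config_blocks_module /etc/modprobe.d || { echo "config check failed"; exit 1; }
  if module_loaded; then
    echo "$MODULE is currently loaded: reboot the node for the change to take effect"
  else
    echo "$MODULE is not loaded: the change applies to all future boots"
  fi
}

if [ "${1:-}" = "--apply" ]; then
  apply_on_node
fi
```

After the reboot, confirm with lsmod that openvswitch is absent and that modprobe openvswitch now fails; if the node is later re-imaged or the drop-in file is removed, the module will load again.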