Updated on 2023-08-02 GMT+08:00

Privilege Escalation Vulnerability in Linux Kernel openvswitch Module (CVE-2022-2639)

Description

A privilege escalation vulnerability in the Linux kernel openvswitch module (CVE-2022-2639) has been publicly disclosed. The reserve_sfa_size() function in this module has a defect that a local user can exploit to escalate their privileges on the system. A proof of concept (PoC) for this vulnerability has been published, so the risk is high.

Table 1 Vulnerability information

Type                  CVE-ID         Severity  Discovered
Privilege escalation  CVE-2022-2639  High      2022-09-01

Impact

1. CCE clusters that use the container tunnel network model, with node OS images running EulerOS 2.8 (Arm) or EulerOS 2.9.

2. Node OS images running Ubuntu.

Cluster nodes running EulerOS 2.5 or CentOS 7.6 are not affected by this vulnerability.

Solution

  1. If the processes in a container are started by a non-root user, you can configure seccomp (secure computing mode) for the workload. You are advised to use the RuntimeDefault profile or to block system calls such as unshare. For configuration details, see Restrict a Container's Syscalls with seccomp.
  2. Ubuntu node images ship with the openvswitch kernel module. You can prevent this module from being loaded to avoid the problem. The procedure is as follows:
    echo "blacklist openvswitch" >> /etc/modprobe.d/blacklist.conf

    Then restart the node for the setting to take effect.
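The one-liner in step 2 only adds a blacklist directive, which stops alias-based autoloading but not an explicit modprobe of the module. The following POSIX shell script is an added example, not part of this bulletin: it writes both a blacklist and an install directive idempotently, refuses to run while the module is loaded and in use (which indicates the node's networking depends on it), and verifies the result. The file name blacklist-openvswitch.conf and the CONF_DIR override are assumptions.

```shell
#!/bin/sh
# Added example (not from the bulletin): keep the openvswitch kernel module from
# loading on a node that does not need it, and verify the configuration.
# CONF_DIR defaults to /etc/modprobe.d; a test may point it at a scratch directory.
CONF_DIR="${CONF_DIR:-/etc/modprobe.d}"
CONF_FILE="$CONF_DIR/blacklist-openvswitch.conf"   # hypothetical file name

# Print the module's current use count from /proc/modules, or "absent" when it
# is not loaded (or /proc/modules cannot be read).
ovs_module_state() {
    if [ -r /proc/modules ]; then
        awk '$1 == "openvswitch" { print $3; found = 1 }
             END { if (!found) print "absent" }' /proc/modules
    else
        echo "absent"
    fi
}

# Write both directives, each at most once, so the script can be re-run safely:
#   blacklist - ignores the module's aliases, so it is not autoloaded
#   install   - makes an explicit "modprobe openvswitch" run /bin/false and fail
disable_ovs_module() {
    mkdir -p "$CONF_DIR"
    touch "$CONF_FILE"
    for line in "blacklist openvswitch" "install openvswitch /bin/false"; do
        grep -qxF "$line" "$CONF_FILE" || echo "$line" >> "$CONF_FILE"
    done
}

# Succeed only when both directives are present exactly once.
verify_ovs_disabled() {
    [ "$(grep -cxF 'blacklist openvswitch' "$CONF_FILE")" -eq 1 ] &&
    [ "$(grep -cxF 'install openvswitch /bin/false' "$CONF_FILE")" -eq 1 ]
}

main() {
    state="$(ovs_module_state)"
    if [ "$state" != "absent" ] && [ "$state" -gt 0 ]; then
        echo "openvswitch is loaded and in use (refcount $state); not disabling" >&2
        return 1
    fi
    disable_ovs_module
    verify_ovs_disabled && echo "openvswitch disabled in $CONF_FILE; reboot the node to apply"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with `--run`; the module stays resident until the node is rebooted, as the bulletin states.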