Updated on 2024-01-26 GMT+08:00

Privilege Escalation Vulnerability in Linux openvswitch Kernel Module (CVE-2022-2639)

A privilege escalation vulnerability (CVE-2022-2639) was found in the Linux openvswitch kernel module. The reserve_sfa_size() function in this module has a defect, and a local user can exploit it to escalate their privileges on the system. A proof of concept (PoC) for this vulnerability has been publicly disclosed, so the risk is high.

Vulnerability Details

Table 1 Vulnerability information

Vulnerability Type    | CVE-ID        | Discovered
Privilege escalation  | CVE-2022-2639 | 2022-09-01

Threat Severity

Critical

Affected Products

1. CCE clusters that use the container tunnel network model and whose nodes run EulerOS 2.9 OS images

2. Nodes that run Ubuntu OS images

Cluster nodes running EulerOS 2.5 or CentOS 7.6 are not affected by this vulnerability.

Workarounds and Mitigation Measures

  1. If the process in a container is started by a non-root user, you can configure seccomp (secure computing mode) for the workload. You are advised to use the RuntimeDefault profile, or to disable system calls such as unshare. For configuration details, see the Kubernetes community documentation Restrict a Container's Syscalls with seccomp.
  2. Ubuntu node images ship with the openvswitch kernel module. You can prevent this module from being loaded to avoid the problem. The procedure is as follows:
    echo "blacklist openvswitch" >>/etc/modprobe.d/blacklist.conf

    Then restart the node for the setting to take effect.
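The following POSIX shell helpers are an added example, not code from this notice or from CCE, that applies and audits the two mitigations above on a node: mitigation 1 by writing a Localhost seccomp profile that fails unshare and printing a pod manifest that uses either that profile or RuntimeDefault, and mitigation 2 by checking whether the openvswitch module is currently loaded or already blacklisted before appending the blacklist line from the notice. The kubelet seccomp root /var/lib/kubelet/seccomp, the profile name deny-unshare.json, the pod name and the image are assumptions; the blacklist file is the one named in the notice.

```shell
#!/bin/sh
# Added example for CVE-2022-2639 mitigations on a CCE node; not part of the
# notice. Assumed paths: kubelet seccomp root (kubelet default) and the
# modprobe.d directory holding the blacklist.conf named in the notice.

SECCOMP_ROOT="${SECCOMP_ROOT:-/var/lib/kubelet/seccomp}"
BLACKLIST_DIR="${BLACKLIST_DIR:-/etc/modprobe.d}"

# --- Mitigation 1: seccomp ---------------------------------------------------

# Write a seccomp profile that leaves every other syscall as it is but makes
# unshare fail with EPERM. unshare is what an unprivileged process uses to
# create new user and network namespaces, which is why the notice names it.
# $1: destination path, e.g. "$SECCOMP_ROOT/profiles/deny-unshare.json"
write_deny_unshare_profile() {
    mkdir -p "$(dirname "$1")"
    cat >"$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    { "names": ["unshare"], "action": "SCMP_ACT_ERRNO" }
  ]
}
EOF
}

# Print a pod manifest for a non-root workload. $1: pod name, $2: image,
# $3: "runtime-default" or a profile path relative to SECCOMP_ROOT.
pod_manifest() {
    name="$1" image="$2" profile="$3"
    if [ "$profile" = "runtime-default" ]; then
        seccomp='      type: RuntimeDefault'
    else
        seccomp="      type: Localhost
      localhostProfile: $profile"
    fi
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
$seccomp
  containers:
  - name: app
    image: $image
EOF
}

# --- Mitigation 2: keep the openvswitch module off the node ------------------

# Exit 0 if openvswitch is loaded. $1: a listing in /proc/modules (or lsmod)
# format; defaults to the live /proc/modules.
ovs_loaded() {
    grep -q '^openvswitch[[:space:]]' "${1:-/proc/modules}"
}

# Exit 0 if any *.conf in the modprobe.d directory ($1) blacklists openvswitch.
ovs_blacklisted() {
    dir="${1:-$BLACKLIST_DIR}"
    grep -qs '^[[:space:]]*blacklist[[:space:]][[:space:]]*openvswitch[[:space:]]*$' "$dir"/*.conf
}

# Append the blacklist line from the notice exactly once. The module stays
# loaded until the node is rebooted; this only stops it being loaded again.
blacklist_ovs() {
    dir="${1:-$BLACKLIST_DIR}"
    ovs_blacklisted "$dir" && return 0
    mkdir -p "$dir"
    echo "blacklist openvswitch" >>"$dir/blacklist.conf"
}

# One-word verdict for the node. $1: module listing, $2: modprobe.d directory
# (both default to the live system paths).
ovs_status() {
    if ovs_loaded "$1"; then
        if ovs_blacklisted "$2"; then echo "loaded-reboot-pending"; else echo "loaded"; fi
    elif ovs_blacklisted "$2"; then
        echo "mitigated"
    else
        echo "unloaded-autoloadable"
    fi
}

# Usage on a node, as root:  sh ovs-cve-2022-2639.sh audit
case "${1:-}" in
    audit) echo "openvswitch: $(ovs_status)" ;;
esac
```

Two caveats when using this. A modprobe.d blacklist entry stops the module from being auto-loaded by alias only; an explicit modprobe by a process that already holds CAP_SYS_ADMIN on the host still loads it, and an `install openvswitch /bin/false` line is the stronger form if the node never needs the module. On the seccomp side, the deny-only profile above closes the unshare path and nothing else, whereas the runtime's default profile (what RuntimeDefault selects) already denies unshare, mount and similar calls to containers that lack CAP_SYS_ADMIN, which is why the notice lists RuntimeDefault first.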