{ "threat_severity" : "Moderate", "public_date" : "2021-04-18T00:00:00Z", "bugzilla" : { "description" : "kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory", "id" : "1951595", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1951595" }, "cvss3" : { "cvss3_base_score" : "4.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-205", "details" : [ "An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.", "A vulnerability was discovered in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation). In this flaw a local, special user privileged (CAP_SYS_ADMIN) BPF program running on affected systems may bypass the protection, and execute speculatively out-of-bounds loads from the kernel memory. This can be abused to extract contents of kernel memory via side-channel." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4140", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-348.rt7.130.el8" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-11-09T00:00:00Z", "advisory" : "RHSA-2021:4356", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-348.el8" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:5", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-29155\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-29155\nhttps://www.openwall.com/lists/oss-security/2021/04/18/4" ], "name" : "CVE-2021-29155", "mitigation" : { "value" : "The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.\nFor the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled.\nFor the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command:\n# cat /proc/sys/kernel/unprivileged_bpf_disabled\nThe setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.\nA kernel update will be required to mitigate the flaw for the root or users with CAP_SYS_ADMIN capabilities.", "lang" : "en:us" }, "csaw" : false }