{ "threat_severity" : "Important", "public_date" : "2023-07-29T00:00:00Z", "bugzilla" : { "description" : "kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route", "id" : "2225511", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2225511" }, "cvss3" : { "cvss3_base_score" : "7.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.\nWhen u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.\nWe recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.", "There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. \nA local user could use any of these flaws to crash the system or potentially escalate their privileges on the system.\nSimilar CVE-2023-4128 was rejected as a duplicate." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2023-11-21T00:00:00Z", "advisory" : "RHSA-2023:7424", "cpe" : "cpe:/a:redhat:rhel_extras_rt:7", "package" : "kernel-rt-0:3.10.0-1160.105.1.rt56.1256.el7" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2023-11-21T00:00:00Z", "advisory" : "RHSA-2023:7419", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2023-11-21T00:00:00Z", "advisory" : "RHSA-2023:7423", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "kernel-0:3.10.0-1160.105.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)", "release_date" : "2024-01-16T00:00:00Z", "advisory" : "RHSA-2024:0261", "cpe" : "cpe:/o:redhat:rhel_aus:7.6", "package" : "kernel-0:3.10.0-957.109.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date" : "2024-01-16T00:00:00Z", "advisory" : "RHSA-2024:0262", "cpe" : "cpe:/o:redhat:rhel_aus:7.7", "package" : "kernel-0:3.10.0-1062.82.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:6901", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-513.5.1.rt7.307.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2023-11-28T00:00:00Z", "advisory" : "RHSA-2023:7539", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kernel-0:4.18.0-477.36.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2023-11-28T00:00:00Z", "advisory" : "RHSA-2023:7558", "cpe" : "cpe:/o:redhat:rhel_eus:8.8", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2023-11-21T00:00:00Z", "advisory" : "RHSA-2023:7370", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "kernel-0:5.14.0-284.40.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2023-11-21T00:00:00Z", "advisory" : "RHSA-2023:7379", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.40.1.rt14.325.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2023-11-21T00:00:00Z", "advisory" : "RHSA-2023:7418", "cpe" : "cpe:/o:redhat:rhel_eus:9.2", "package" : "kpatch-patch" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-4208\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4208\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76e42ae831991c828cffa8c37736ebfb831ad5ec\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8\nhttps://lore.kernel.org/netdev/193d6cdf-d6c9-f9be-c36a-b2a7551d5fb6@mojatatu.com/" ], "name" : "CVE-2023-4208", "mitigation" : { "value" : "To mitigate this issue, prevent the module cls_u32 from being loaded by blacklisting the module to prevent it from loading automatically. \n~~~\nhttps://access.redhat.com/solutions/41278 \n~~~", "lang" : "en:us" }, "csaw" : false }