A lot more Kernel Vulnerabilities (Spectre V2, DoS of Hypervisor from KVMs, etc.)

Hi,

Note that the Debian Bullseye uses the 5.10 LTS Kernel and Buster the 4.19 LTS, the security advisories cannot be applied 1:1 on Proxmox VE kernels, I'd rather go for the Ubuntu Security details in that regard.

FYI, there are the following new and relevant that Ubuntu, and we checked the last days/week having a potential realistic impact:

Arm issue, not relevant for Proxmox Projects: https://ubuntu.com/security/CVE-2022-23960

Dirty Pipe: https://ubuntu.com/security/CVE-2022-0847

Specter stories continues:
https://ubuntu.com/security/CVE-2022-0001
https://ubuntu.com/security/CVE-2022-25636


The Dirty Pipe one is the most problematic of those, especially if you provide Containers to external and/or untrusted parties, a fixed kernel for that issue was released at start of week and is now available through all repositories.
Specter will continue to haunt us for years, hence the name, so there'll always be new discoveries in certain areas. This new variant can get easily mitigated by turning off eBPF for unpriviledged user, the authors think that there may be possible other ways to leverage it, but they are yet unknown and less likely to have the same inpact as eBPF, which as the single virtual machine in the kernel has more attack surface for instruction side effects.

Anyhow, the specter one is also fixed in the following kernel packages:
Proxmox VE 6.4 et al.: pve-kernel-5.4.174-2-pve version 5.4.174-2
Proxmox VE 7.x et al.: pve-kernel-5.13.19-6-pve version 5.13.19-14

Available on pve-no-subscription at time of writing.
 
Last edited:
And what is a status of CVE-2022-0492 (cgroup-v1 escape)? Is it patched in pve-kernel-5.13.19-6-pve ? Thank you
 
that one was fixed a while ago already in 5.13.19-5-pve version 5.13.19-10
 
Tested the pve-no-subscription repo on our staging cluster, no issues so far.
Is there an ETA for it arriving in the enterprise repos so we can schedule our maintenance?
 
is CVE-2022-25636 also fixed by the patches you told?
Yes, its fix is in all our kernels, albeit for the still opt-in 5.15 series its only available via the pvetest repository, while the respective default 5.13 and 5.4 series updates are already available on all repositories.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!