[SOLVED] CVE-2022-0847 patch?

C

Curt Hall

Well-Known Member
Jan 30, 2019
126
5
58
53
We have a Proxmox cluster (version 6.4-13) and our nodes have the
following kernels
(5.4.162-1-pve, 5.4.101-1-pve, 5.4.128-1-pve, 5.4.103-1-pve, and a
backup server 5.13.19-4-pve) after reading articles about the
CVE-2022-0847 i was not able to find a confirmation that these kernels are fixed
or vulnerable (though the CVE-2022-0847 states that 5.8 and lower are effected)
would we need to upgrade to Proxmox 7 to get the fixed kernel?
 
Curt hall said:
CVE-2022-0847 i was not able to find a confirmation that these kernels are fixed
or vulnerable (though the CVE-2022-0847 states that 5.8 and lower are effected)
Click to expand...
The CVE clearly states that the vulnerability was only introduced in 5.8:
This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 [...]
Click to expand...
-- https://dirtypipe.cm4all.com/

When the CVE got out we also actively checked our 5.4.x based kernels with the available reproducer to confirm that the issue wasn't backported in some way (note, the official reproducer will always output "it worked", no matter what, one needs to actively check the effets on a file content to see if the system is vulnerable or not), and we could confirm that it doesn't affect our 5.4 based kernel series at all.

FYI: A valid reproducing procedere would look like:
Bash: 
# compile reproducer
gcc -O2 -o dirty-pipe-write-anything dirty-pipe-write-anything.c
# write some test data as root
dd if=/dev/urandom bs=256 count=1 | base64 | sudo tee /run/foo
# use the reproducer as unpriv. user, shouldn't be able to modify the file
sudo -u www-data ./dirty-pipe-write-anything /run/foo 1 $'\nvulnerable!\n'
# check if our bad test string is now in the file, if not we're OK
grep 'vulnerable!' /run/foo

If the last command outputs something the system would be vulnerable, else not.
 
  • Like
Reactions: Curt Hall
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back