Note: This issue did not affect the Linux kernel before 3.19.10. It might also occur with other kernel versions and other operating systems. Red Hat also released an updated kernel for RHEL 7.5, which includes this fix. End-users should avoid making root passwordless accounts for system administration. If the system is using such accounts, end-users should consider disabling them when making root passwordless. Alternatively, end-users can make secure password-less user accounts for system administration. These user accounts do not have to have root permissions. Additionally, Red Hat recommends disabling remote login via SSH if it is not required.
CVE-2018-15588
Red Hat Enterprise Linux 7 was updated to kernel version 4.18.18, which fixes a race condition in the Linux kernel. A local user could exploit this to gain elevated privileges, if the system was running with a user account that was passwordless and enabled root login via SSH.
CVE-2018-13405
Red Hat Enterprise Linux was updated to kernel version 4.18.16, which fixes a vulnerability in the task_show_regs() function in the Linux kernel. A remote attacker could exploit this vulnerability by sending a series of signal task registration requests to a target system. If a user on a target system executed a signal task, the attacker could execute arbitrary code with the privileges of the user running the task.
CVE-2018-14533
Red Hat Enterprise Linux 7 was updated to kernel version 4.
Red Hat Enterprise Linux 6.2 and 6.3
Red Hat Enterprise Linux 6.2 and 6.3 are updated to kernel versions 4.18.17 and 4.19.21 respectively, which fix a number of memory corruption issues in the Linux kernel that could allow a local user to gain elevated privileges, if the system was running with a user account that was passwordless and enabled root login via SSH.
Red Hat Enterprise Linux 6 was updated to kernel version 4.
Timeline
Published on: 01/14/2022 08:15:00 UTC
Last modified on: 06/07/2022 12:15:00 UTC
References
- https://www.openwall.com/lists/oss-security/2022/01/13/1
- http://www.openwall.com/lists/oss-security/2022/01/14/1
- http://www.openwall.com/lists/oss-security/2022/01/18/2
- https://www.debian.org/security/2022/dsa-5050
- https://security.netapp.com/advisory/ntap-20220217-0002/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCR3LIRUEXR7CA63W5M2HT3K63MZGKBR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z5VTIZZUPC73IEJNZX66BY2YCBRZAELB/
- http://www.openwall.com/lists/oss-security/2022/06/01/1
- http://www.openwall.com/lists/oss-security/2022/06/04/3
- http://www.openwall.com/lists/oss-security/2022/06/07/3
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23222