Service Notices


Linux Kernel Vulnerability Causing Container Escape and Privilege Escalation (CVE-2022-0185)

Feb 07, 2022 GMT+08:00

I. Overview

Linux maintainers and vendors disclosed a heap overflow vulnerability (CVE-2022-0185) in the way the legacy_parse_param() function of the Linux kernel's Filesystem Context functionality validates parameter size. An unprivileged user can exploit this vulnerability to obtain root privileges and escape containers such as Docker and Kubernetes (K8S). A PoC/exploit has been publicly disclosed, and the risk is high.

If you are a Linux kernel user, check your system and implement timely security hardening.

Reference: https://blog.aquasec.com/cve-2022-0185-linux-kernel-container-escape-in-kubernetes

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

5.1-rc1 <= Linux kernel < 5.16.2

Secure versions:

Linux kernel 5.4.174

Linux kernel 5.10.94

Linux kernel 5.15.17

Linux kernel 5.16.2, Linux kernel 5.16.3

IV. Vulnerability Handling

Non-container scenario (local privilege escalation risk):

1. This vulnerability has been fixed in the newly released official versions. If your service version falls into the affected range, upgrade it to the latest secure version. Link: https://www.kernel.org/

2. According to Red Hat's official recommendation, perform the following operation to prevent non-privileged users from using CLONE_NEWUSER and CLONE_NEWNET:

echo 0 > /proc/sys/user/max_user_namespaces

Container scenario (container escape risk):

1. Upgrade the kernel to a secure version.

2. Run echo 0 > /proc/sys/user/max_user_namespaces.

3. Enable the seccomp function of the container to avoid container escapes. (Before enabling this function, evaluate the possible impact on performance and services.)
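The following script is an added example (not part of this notice) that turns the version range and the max_user_namespaces mitigation above into a first-pass host check: it classifies a kernel version string against the affected range 5.1-rc1 <= kernel < 5.16.2 and the listed secure stable releases, and reports whether the sysctl mitigation is in place. The function names and the version-string parsing are assumptions of this example; distribution kernels backport fixes without changing the upstream version number, so an "affected" result means "verify against the vendor advisory", not "exploitable".

```shell
#!/bin/sh
# Added example: first-pass CVE-2022-0185 host check based on the advisory's
# version range and sysctl mitigation. Function names are this example's own.

# Split a kernel version such as "5.10.94-generic" or "5.16-rc1" into
# "MAJOR MINOR PATCH" (numeric parts only; a missing patch level becomes 0).
kernel_triplet() {
    v=$(printf '%s' "$1" | sed -E 's/^([0-9]+)\.([0-9]+)(\.([0-9]+))?.*/\1 \2 \4/')
    set -- $v
    printf '%s %s %s\n' "$1" "$2" "${3:-0}"
}

# Returns 0 (true) when the version lies in 5.1 <= kernel < 5.16.2 and is not
# one of the secure stable releases the advisory lists (5.4.174+, 5.10.94+,
# 5.15.17+, 5.16.2+). Returns 1 (false) otherwise.
kernel_is_affected() {
    set -- $(kernel_triplet "$1")
    major=$1; minor=$2; patch=$3
    # Outside the vulnerable range altogether (pre-5.1 or 5.16.2 and later).
    [ "$major" -eq 5 ] || return 1
    [ "$minor" -ge 1 ] || return 1
    if [ "$minor" -gt 16 ] || { [ "$minor" -eq 16 ] && [ "$patch" -ge 2 ]; }; then
        return 1
    fi
    # Inside the range: the stable branches that received a backported fix.
    case "$minor" in
        4)  [ "$patch" -lt 174 ] ;;
        10) [ "$patch" -lt 94 ] ;;
        15) [ "$patch" -lt 17 ] ;;
        *)  return 0 ;;
    esac
}

# The advisory's mitigation sets /proc/sys/user/max_user_namespaces to 0.
# Takes the value as an argument so saved inventory data can be checked too.
userns_mitigation_active() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# Reads the live values on this host and prints a short verdict for each.
audit_host() {
    kv=$(uname -r)
    ns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo unknown)
    if kernel_is_affected "$kv"; then
        echo "kernel $kv: in CVE-2022-0185 affected range (verify against vendor advisory)"
    else
        echo "kernel $kv: outside affected range"
    fi
    if userns_mitigation_active "$ns"; then
        echo "max_user_namespaces=$ns: unprivileged user namespaces disabled"
    else
        echo "max_user_namespaces=$ns: mitigation not applied"
    fi
}

audit_host
```

The version check deliberately treats anything it cannot prove fixed as affected (for example 5.11.x or 5.16.1, which have no listed secure release), so the output errs toward prompting a look at the vendor advisory rather than silently passing a host.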

To obtain the fixed versions provided by Linux vendors, see the security advisories of Red Hat, Ubuntu, SUSE, and Debian.

HUAWEI CLOUD CCE and EulerOS are not affected by this vulnerability.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.