Bugzilla – Bug 1200015
VUL-0: CVE-2022-32250: kernel: use-after-free in the netfilter subsystem
Last modified: 2024-06-25 16:52:50 UTC
Date: Thu, 26 May 2022 08:46:48 +0000 Hello, We reported a security issue within the Linux kernel netfilter subsystem to security@kernel.org on the 24th of May. We are now sending a copy of the details to linux-distros to allow the distro's to determine if they are affected. I understand the issue can be embargod until the 31st of May (1 week after reporting) which also fits this list requirements. The netfilter maintainers have produced a patch and I believe it may be possible for this patch to make it into an networking fixes pull later this week. Have cc'd in security@kernel.org and Pablo Neira Ayuso from netfilter to comment if this will be appropriate. Can I also please request a CVE? A copy of what was sent to security.org is as follows (however, POC code inline at bottom of this email not attached): The attached poc code triggers a use-after-free write within the netfilter subsystem which can be exploited to achieve privilege escalation to root. In order to trigger the issue it requires the ability to create user/net namespaces. The issue has been confirmed on the latest linux master (commit 143a6252e1b8ab424b4b293512a97cca7295c182) and we have confirmed it can be exploited for privilege escalation on Ubuntu 22.04 (Linux kernel 5.15.0-27-generic). # Technical Vulnerability Details The bug is related to the failure to remove an expression from a set's bindings list before destroying the expression. This specifically happens when specific expressions that are not marked with the NFT_EXPR_STATEFUL flag are supplied as a subexpression in a NFT_MSG_NEWSET command. We found that both the lookup and dynset expressions will be added to a sets binding linked list upon initialisation, but after the expression is detected as not being stateful, it is destroyed without properly calling a function like nf_tables_unbind_set(). We found that this affects multiple expressions, at least the lookup and dynset expressions. This creates a state where any subsequent use of the set binding list, such as expression addition or removal, will end up writing a link pointer address into a slab object that has already been freed, and possibly reallocated. ## KASAN Output ``` [ 85.431824] ================================================================== [ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20 [ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776 [ 85.434756] [ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2 [ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 [ 85.437228] Call Trace: [ 85.437594] <TASK> [ 85.437919] dump_stack_lvl+0x49/0x5f [ 85.438470] print_report.cold+0x5e/0x5cf [ 85.439073] ? __cpuidle_text_end+0x4/0x4 [ 85.439655] ? nf_tables_bind_set+0x81b/0xa20 [ 85.440286] kasan_report+0xaa/0x120 [ 85.440809] ? delay_halt_mwaitx+0x31/0x50 [ 85.441392] ? nf_tables_bind_set+0x81b/0xa20 [ 85.442022] __asan_report_store8_noabort+0x17/0x20 [ 85.442725] nf_tables_bind_set+0x81b/0xa20 [ 85.443338] ? nft_set_elem_expr_destroy+0x2a0/0x2a0 [ 85.444051] ? nla_strcmp+0xa8/0xe0 [ 85.444520] ? nft_set_lookup_global+0x88/0x360 [ 85.445157] nft_lookup_init+0x463/0x620 [ 85.445710] nft_expr_init+0x13a/0x2a0 [ 85.446242] ? nft_obj_del+0x210/0x210 [ 85.446778] ? __kasan_check_write+0x14/0x20 [ 85.447395] ? rhashtable_init+0x326/0x6d0 [ 85.447974] ? __rcu_read_unlock+0xde/0x100 [ 85.448565] ? nft_rhash_init+0x213/0x2f0 [ 85.449129] ? nft_rhash_gc_init+0xb0/0xb0 [ 85.449717] ? nf_tables_newset+0x1646/0x2e40 [ 85.450359] ? jhash+0x630/0x630 [ 85.450838] nft_set_elem_expr_alloc+0x24/0x210 [ 85.451507] nf_tables_newset+0x1b3f/0x2e40 [ 85.452124] ? rcu_preempt_deferred_qs_irqrestore+0x579/0xa70 [ 85.452948] ? nft_set_elem_expr_alloc+0x210/0x210 [ 85.453636] ? delay_tsc+0x94/0xc0 [ 85.454161] nfnetlink_rcv_batch+0xeb4/0x1fd0 [ 85.454808] ? nfnetlink_rcv_msg+0x980/0x980 [ 85.455444] ? stack_trace_save+0x94/0xc0 [ 85.456036] ? filter_irq_stacks+0x90/0x90 [ 85.456639] ? __const_udelay+0x62/0x80 [ 85.457206] ? _raw_spin_lock_irqsave+0x99/0xf0 [ 85.457864] ? nla_get_range_signed+0x350/0x350 [ 85.458528] ? security_capable+0x5f/0xa0 [ 85.459128] nfnetlink_rcv+0x2f0/0x3b0 [ 85.459669] ? nfnetlink_rcv_batch+0x1fd0/0x1fd0 [ 85.460327] ? rcu_read_unlock_special+0x52/0x3b0 [ 85.461000] netlink_unicast+0x5ec/0x890 [ 85.461563] ? netlink_attachskb+0x750/0x750 [ 85.462169] ? __kasan_check_read+0x11/0x20 [ 85.462766] ? __check_object_size+0x226/0x3a0 [ 85.463408] netlink_sendmsg+0x830/0xd10 [ 85.463968] ? netlink_unicast+0x890/0x890 [ 85.464552] ? apparmor_socket_sendmsg+0x3d/0x50 [ 85.465206] ? netlink_unicast+0x890/0x890 [ 85.465792] sock_sendmsg+0xec/0x120 [ 85.466303] __sys_sendto+0x1e2/0x2e0 [ 85.466821] ? __ia32_sys_getpeername+0xb0/0xb0 [ 85.467470] ? alloc_file_pseudo+0x184/0x270 [ 85.468070] ? perf_callchain_user+0x60/0xa60 [ 85.468683] ? preempt_count_add+0x7f/0x170 [ 85.469280] ? fd_install+0x14f/0x330 [ 85.469800] ? __sys_socket+0x166/0x200 [ 85.470342] ? __sys_socket_file+0x1c0/0x1c0 [ 85.470940] ? debug_smp_processor_id+0x17/0x20 [ 85.471583] ? fpregs_assert_state_consistent+0x4e/0xb0 [ 85.472308] __x64_sys_sendto+0xe0/0x1a0 [ 85.472854] ? do_syscall_64+0x69/0x80 [ 85.473379] do_syscall_64+0x5c/0x80 [ 85.473878] ? fpregs_restore_userregs+0xf3/0x200 [ 85.474532] ? switch_fpu_return+0xe/0x10 [ 85.475099] ? exit_to_user_mode_prepare+0x140/0x170 [ 85.475791] ? irqentry_exit_to_user_mode+0x9/0x20 [ 85.476465] ? irqentry_exit+0x33/0x40 [ 85.476991] ? exc_page_fault+0x72/0xe0 [ 85.477524] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 85.478219] RIP: 0033:0x45c66a [ 85.478648] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 [ 85.481183] RSP: 002b:00007ffd091bfee8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 85.482214] RAX: ffffffffffffffda RBX: 0000000000000174 RCX: 000000000045c66a [ 85.483190] RDX: 0000000000000174 RSI: 00007ffd091bfef0 RDI: 0000000000000003 [ 85.484162] RBP: 00007ffd091c23b0 R08: 00000000004a94c8 R09: 000000000000000c [ 85.485128] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd091c1ef0 [ 85.486094] R13: 0000000000000004 R14: 0000000000002000 R15: 0000000000000000 [ 85.487076] </TASK> [ 85.487388] [ 85.487608] Allocated by task 776: [ 85.488082] kasan_save_stack+0x26/0x50 [ 85.488614] __kasan_kmalloc+0x88/0xa0 [ 85.489131] __kmalloc+0x1b9/0x370 [ 85.489602] nft_expr_init+0xcd/0x2a0 [ 85.490109] nft_set_elem_expr_alloc+0x24/0x210 [ 85.490731] nf_tables_newset+0x1b3f/0x2e40 [ 85.491314] nfnetlink_rcv_batch+0xeb4/0x1fd0 [ 85.491912] nfnetlink_rcv+0x2f0/0x3b0 [ 85.492429] netlink_unicast+0x5ec/0x890 [ 85.492985] netlink_sendmsg+0x830/0xd10 [ 85.493528] sock_sendmsg+0xec/0x120 [ 85.494035] __sys_sendto+0x1e2/0x2e0 [ 85.494545] __x64_sys_sendto+0xe0/0x1a0 [ 85.495109] do_syscall_64+0x5c/0x80 [ 85.495630] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 85.496292] [ 85.496479] Freed by task 776: [ 85.496846] kasan_save_stack+0x26/0x50 [ 85.497351] kasan_set_track+0x25/0x30 [ 85.497893] kasan_set_free_info+0x24/0x40 [ 85.498489] __kasan_slab_free+0x110/0x170 [ 85.499103] kfree+0xa7/0x310 [ 85.499548] nft_set_elem_expr_alloc+0x1b3/0x210 [ 85.500219] nf_tables_newset+0x1b3f/0x2e40 [ 85.500822] nfnetlink_rcv_batch+0xeb4/0x1fd0 [ 85.501449] nfnetlink_rcv+0x2f0/0x3b0 [ 85.501990] netlink_unicast+0x5ec/0x890 [ 85.502558] netlink_sendmsg+0x830/0xd10 [ 85.503133] sock_sendmsg+0xec/0x120 [ 85.503655] __sys_sendto+0x1e2/0x2e0 [ 85.504194] __x64_sys_sendto+0xe0/0x1a0 [ 85.504779] do_syscall_64+0x5c/0x80 [ 85.505330] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 85.506095] [ 85.506325] The buggy address belongs to the object at ffff8880286f0e80 [ 85.506325] which belongs to the cache kmalloc-cg-64 of size 64 [ 85.508152] The buggy address is located 24 bytes inside of [ 85.508152] 64-byte region [ffff8880286f0e80, ffff8880286f0ec0) [ 85.509845] [ 85.510095] The buggy address belongs to the physical page: [ 85.510962] page:000000008955c452 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880286f0080 pfn:0x286f0 [ 85.512566] memcg:ffff888054617c01 [ 85.513079] flags: 0xffe00000000200(slab|node=0|zone=1|lastcpupid=0x3ff) [ 85.514070] raw: 00ffe00000000200 0000000000000000 dead000000000122 ffff88801b842780 [ 85.515251] raw: ffff8880286f0080 000000008020001d 00000001ffffffff ffff888054617c01 [ 85.516421] page dumped because: kasan: bad access detected [ 85.517264] [ 85.517505] Memory state around the buggy address: [ 85.518231] ffff8880286f0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.519321] ffff8880286f0e00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.520392] >ffff8880286f0e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.521456] ^ [ 85.522050] ffff8880286f0f00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 85.523125] ffff8880286f0f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 85.524200] ================================================================== [ 85.525364] Disabling lock debugging due to kernel taint [ 85.534106] ------------[ cut here ]------------ [ 85.534874] WARNING: CPU: 1 PID: 776 at net/netfilter/nf_tables_api.c:4592 nft_set_destroy+0x343/0x460 [ 85.536269] Modules linked in: [ 85.536741] CPU: 1 PID: 776 Comm: poc Tainted: G B W 5.18.0+ #2 [ 85.537792] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 [ 85.539080] RIP: 0010:nft_set_destroy+0x343/0x460 [ 85.539774] Code: 3c 02 00 0f 85 26 01 00 00 49 8b 7c 24 30 e8 94 f0 ee f1 4c 89 e7 e8 ec b0 da f1 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 8b 7d b0 e8 [ 85.542475] RSP: 0018:ffff88805911f4f8 EFLAGS: 00010202 [ 85.543282] RAX: 0000000000000002 RBX: dead000000000122 RCX: ffff88805911f508 [ 85.544291] RDX: 0000000000000000 RSI: ffff888052ab1800 RDI: ffff888052ab1864 [ 85.545331] RBP: ffff88805911f550 R08: ffff8880286ce908 R09: 0000000000000000 [ 85.546371] R10: ffffed100b223e56 R11: 0000000000000001 R12: ffff888052ab1800 [ 85.547447] R13: ffff8880286ce900 R14: dffffc0000000000 R15: ffff8880286ce780 [ 85.548487] FS: 00000000018293c0(0000) GS:ffff88806a900000(0000) knlGS:0000000000000000 [ 85.549630] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.550470] CR2: 00007ffd091bfee8 CR3: 0000000052156000 CR4: 00000000000006e0 [ 85.551551] Call Trace: [ 85.551930] <TASK> [ 85.552245] ? rcu_read_unlock_special+0x52/0x3b0 [ 85.552971] __nf_tables_abort+0xd40/0x2f10 [ 85.553612] ? __udelay+0x15/0x20 [ 85.554133] ? __nft_release_basechain+0x5a0/0x5a0 [ 85.554878] ? rcu_read_unlock_special+0x52/0x3b0 [ 85.555592] nf_tables_abort+0x77/0xa0 [ 85.556153] nfnetlink_rcv_batch+0xb23/0x1fd0 [ 85.556820] ? nfnetlink_rcv_msg+0x980/0x980 [ 85.557467] ? stack_trace_save+0x94/0xc0 [ 85.558065] ? filter_irq_stacks+0x90/0x90 [ 85.558682] ? __const_udelay+0x62/0x80 [ 85.559321] ? _raw_spin_lock_irqsave+0x99/0xf0 [ 85.559997] ? nla_get_range_signed+0x350/0x350 [ 85.560683] ? security_capable+0x5f/0xa0 [ 85.561307] nfnetlink_rcv+0x2f0/0x3b0 [ 85.561863] ? nfnetlink_rcv_batch+0x1fd0/0x1fd0 [ 85.562555] ? rcu_read_unlock_special+0x52/0x3b0 [ 85.563303] netlink_unicast+0x5ec/0x890 [ 85.563896] ? netlink_attachskb+0x750/0x750 [ 85.564546] ? __kasan_check_read+0x11/0x20 [ 85.565165] ? __check_object_size+0x226/0x3a0 [ 85.565838] netlink_sendmsg+0x830/0xd10 [ 85.566407] ? netlink_unicast+0x890/0x890 [ 85.567044] ? apparmor_socket_sendmsg+0x3d/0x50 [ 85.567724] ? netlink_unicast+0x890/0x890 [ 85.568334] sock_sendmsg+0xec/0x120 [ 85.568874] __sys_sendto+0x1e2/0x2e0 [ 85.569417] ? __ia32_sys_getpeername+0xb0/0xb0 [ 85.570086] ? alloc_file_pseudo+0x184/0x270 [ 85.570757] ? perf_callchain_user+0x60/0xa60 [ 85.571431] ? preempt_count_add+0x7f/0x170 [ 85.572054] ? fd_install+0x14f/0x330 [ 85.572612] ? __sys_socket+0x166/0x200 [ 85.573190] ? __sys_socket_file+0x1c0/0x1c0 [ 85.573805] ? debug_smp_processor_id+0x17/0x20 [ 85.574452] ? fpregs_assert_state_consistent+0x4e/0xb0 [ 85.575242] __x64_sys_sendto+0xe0/0x1a0 [ 85.575804] ? do_syscall_64+0x69/0x80 [ 85.576367] do_syscall_64+0x5c/0x80 [ 85.576901] ? fpregs_restore_userregs+0xf3/0x200 [ 85.577591] ? switch_fpu_return+0xe/0x10 [ 85.578179] ? exit_to_user_mode_prepare+0x140/0x170 [ 85.578947] ? irqentry_exit_to_user_mode+0x9/0x20 [ 85.579676] ? irqentry_exit+0x33/0x40 [ 85.580245] ? exc_page_fault+0x72/0xe0 [ 85.580824] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 85.581577] RIP: 0033:0x45c66a [ 85.582059] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 [ 85.584728] RSP: 002b:00007ffd091bfee8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 85.585784] RAX: ffffffffffffffda RBX: 0000000000000174 RCX: 000000000045c66a [ 85.586821] RDX: 0000000000000174 RSI: 00007ffd091bfef0 RDI: 0000000000000003 [ 85.587835] RBP: 00007ffd091c23b0 R08: 00000000004a94c8 R09: 000000000000000c [ 85.588832] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd091c1ef0 [ 85.589820] R13: 0000000000000004 R14: 0000000000002000 R15: 0000000000000000 [ 85.590899] </TASK> [ 85.591243] ---[ end trace 0000000000000000 ]--- ``` ## Details The vulnerability is due to a failure to properly clean up when a lookup or dynset expression is encountered as a subexpression of a `NFT_MSG_NEWSET` command. The `nf_tables_newset()` function is responsible for handling the `NFT_MSG_NEWSET` netlink message. From `nf_tables_api.c`: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L4300 static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, const struct nlattr * const nla[]) { u32 ktype, dtype, flags, policy, gc_int, objtype; struct netlink_ext_ack *extack = info->extack; u8 genmask = nft_genmask_next(info->net); u8 family = info->nfmsg->nfgen_family; const struct nft_set_ops *ops; struct nft_expr *expr = NULL; struct net *net = info->net; struct nft_set_desc desc; struct nft_table *table; unsigned char *udata; struct nft_set *set; struct nft_ctx ctx; size_t alloc_size; u64 timeout; char *name; int err, i; u16 udlen; u64 size; if (nla[NFTA_SET_TABLE] == NULL || nla[NFTA_SET_NAME] == NULL || nla[NFTA_SET_KEY_LEN] == NULL || nla[NFTA_SET_ID] == NULL) return -EINVAL; ``` Assuming all the set creation field prerequisites are met, this function will allocate `struct nft_set` structure to track the new set. ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L4464 set = kvzalloc(alloc_size, GFP_KERNEL); if (!set) return -ENOMEM; [...] INIT_LIST_HEAD(&set->bindings); INIT_LIST_HEAD(&set->catchall_list); set->table = table; write_pnet(&set->net, net); set->ops = ops; set->ktype = ktype; set->klen = desc.klen; set->dtype = dtype; set->objtype = objtype; set->dlen = desc.dlen; set->flags = flags; set->size = desc.size; set->policy = policy; set->udlen = udlen; set->udata = udata; set->timeout = timeout; set->gc_int = gc_int; ``` We can see above that it initializes the `set->bindings` list, which will be say important later. After initialization the code will test whether or not there are any subexpressions associated with the set, if so it will try to handle the expression using a set-specific expression allocation handler: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L4511 if (nla[NFTA_SET_EXPR]) { expr = nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]); if (IS_ERR(expr)) { err = PTR_ERR(expr); goto err_set_expr_alloc; } set->exprs[0] = expr; set->num_exprs++; } else if (nla[NFTA_SET_EXPRESSIONS]) { [...] } ``` If it encounters the `NFTA_SET_EXPR` we will call `nft_set_elem_expr_alloc(&ctx, set, nla[NFTA_SET_EXPR]);`, to handle whatever the subexpression type is. The set element expression allocation function is quite simple: From `nf_tables_api.c`: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L5404 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, const struct nft_set *set, const struct nlattr *attr) { struct nft_expr *expr; int err; expr = nft_expr_init(ctx, attr); if (IS_ERR(expr)) return expr; err = -EOPNOTSUPP; if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) goto err_set_elem_expr; if (expr->ops->type->flags & NFT_EXPR_GC) { if (set->flags & NFT_SET_TIMEOUT) goto err_set_elem_expr; if (!set->ops->gc_init) goto err_set_elem_expr; set->ops->gc_init(set); } return expr; err_set_elem_expr: nft_expr_destroy(ctx, expr); return ERR_PTR(err); } ``` The function above will first initialize an expression, and then only after that expression is initialized will check whether or not that expression type is actually of the type `NFT_EXPR_STATEFUL` that means it is allowed to be a subexpression of a set. When the expression is deemed bad and gets destroyed, the destruction looks like the following: From `nf_tables_api.c`: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L2918 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) { nf_tables_expr_destroy(ctx, expr); kfree(expr); } ``` We will look at nft_lookup as the example, although dynset is affected identically. We see that a `struct nft_lookup` structure is associated with the expression, which looks like the following: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nft_lookup.c#L18 struct nft_lookup { struct nft_set * set; u8 sreg; u8 dreg; bool invert; struct nft_set_binding binding; }; ``` and ```cpp //https://elixir.bootlin.com/linux/latest/source/include/net/netfilter/nf_tables.h#L576 /** * struct nft_set_binding - nf_tables set binding * * @list: set bindings list node * @chain: chain containing the rule bound to the set * @flags: set action flags * * A set binding contains all information necessary for validation * of new elements added to a bound set. */ struct nft_set_binding { struct list_head list; const struct nft_chain * chain; u32 flags; }; ``` IT `nft_lookup_init` function looks up a referenced set that must already exist, and if it is found then the lookup expression will be bound to that set: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nft_lookup.c#L101 struct nft_set *set; u32 flags; int err; if (tb[NFTA_LOOKUP_SET] == NULL || tb[NFTA_LOOKUP_SREG] == NULL) return -EINVAL; set = nft_set_lookup_global(ctx->net, ctx->table, tb[NFTA_LOOKUP_SET], tb[NFTA_LOOKUP_SET_ID], genmask); if (IS_ERR(set)) return PTR_ERR(set); [...] priv->binding.flags = set->flags & NFT_SET_MAP; err = nf_tables_bind_set(ctx, set, &priv->binding); if (err < 0) return err; priv->set = set; return 0; } ``` The main point above is that it ends up calling `nf_tables_bind_set`, and passing in the separate set that we just looked up, as well as the address of the `binding` member of the `nft_lookup`. From: `nft_tables_api.c` ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L4701 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, struct nft_set_binding *binding) { struct nft_set_binding *i; struct nft_set_iter iter; [...] if (binding->flags & NFT_SET_MAP) { [...] } bind: binding->chain = ctx->chain; list_add_tail_rcu(&binding->list, &set->bindings); nft_set_trans_bind(ctx, set); set->use++; return 0; } ``` Assuming everything is ok the lookup expression is then bound to the bindings list of the set with `list_add_tail_rcu(&binding->list, &set->bindings);`. This puts the `nft_lookup` structure on to this bindings list. If this structure ends up being subsequently destroyed, it should be removed from the `set->bindings` list to avoid a dangling free pointer. Recall it was shown earlier that if the expression is not NFT_EXPR_STATEFUL, it's going to be destroyed immediately. Revisiting the allocation function : ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L5404 struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx, const struct nft_set *set, const struct nlattr *attr) { struct nft_expr *expr; int err; expr = nft_expr_init(ctx, attr); if (IS_ERR(expr)) return expr; err = -EOPNOTSUPP; if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) goto err_set_elem_expr; if (expr->ops->type->flags & NFT_EXPR_GC) { if (set->flags & NFT_SET_TIMEOUT) goto err_set_elem_expr; if (!set->ops->gc_init) goto err_set_elem_expr; set->ops->gc_init(set); } return expr; err_set_elem_expr: nft_expr_destroy(ctx, expr); return ERR_PTR(err); } ``` the `expr` variable will point to the `nft_lookup` structure that was just added to the `set->bindings` list, and that expression type does not have the `NFT_EXPR_STATEFUL` flag, so we hit: ```cpp err_set_elem_expr: nft_expr_destroy(ctx, expr); return ERR_PTR(err); } ``` Then the destruction: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L2918 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) { nf_tables_expr_destroy(ctx, expr); kfree(expr); } ``` First the expression destructor is called before freeing the `nft_lookup` object: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_tables_api.c#L2856 static void nf_tables_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr) { const struct nft_expr_type *type = expr->ops->type; if (expr->ops->destroy) expr->ops->destroy(ctx, expr); module_put(type->owner); } ``` This corresponds to `nft_lookup_destroy` function as shown in `nft_lookup.c`: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nft_lookup.c#L267 static const struct nft_expr_ops nft_lookup_ops = { [...] .destroy = nft_lookup_destroy, ``` It tries to call a destruction routine on the associated set that was bound: From: `nft_lookup.c`: ```cpp //https://elixir.bootlin.com/linux/latest/source/net/netfilter/nft_lookup.c#L173 static void nft_lookup_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr) { struct nft_lookup *priv = nft_expr_priv(expr); nf_tables_destroy_set(ctx, priv->set); } ``` Finally we see that the set destruction routine is actually not going to do anything because we never created an anonymous set, and the `bindings` list is not empty because our lookup is associated with the set already: ```cpp void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) { if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) nft_set_destroy(ctx, set); } ``` After returning back to 'nft_expr_destroy', the expression will be freed, but will have never been removed from 'set->bindings'. One solution is probably to test if the expression is bound and then call `nf_tables_unbind_set()` before the expression is freed. Thanks
Bug introduced in commit 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling") Netdev patch: https://lore.kernel.org/netdev/20220526205411.315136-1-pablo@netfilter.org/T/#me63442c24b77995357c04a117eceeede13eb2f24 Branches cve/linux-4.12 and newer have stateful expressions, and include the incomplete cleanup, so they are affected.
(In reply to Carlos López from comment #3) > Branches cve/linux-4.12 and newer have stateful expressions cve/linux-4.4 and newer
Public: https://www.openwall.com/lists/oss-security/2022/05/31/1
The fix is mainline commit 520778042ccc ("netfilter: nf_tables: disallow non-stateful expression in sets earlier"), in mainline since 5.19-rc1. But the question when the issue was introduced is more tricky. The Fixes tag refers to commit 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling") in 4.1-rc1 which is true in the sense that this commit introduced the nft_expr_init() helper function which does not bail out if NFT_STATEFUL_EXPR flag is not set. However, from the point of view of this CVE, the real problem starts with commit cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase") in 4.20-rc1 as it splits the destroy and unbind operations into two functions, allowing to call the former without the latter which results in use after free. So as a security fix, commit 520778042ccc is needed in cve/linux-5.3, SLE15-SP4 and stable (which already received a backport with 5.18.2 stable update). SLE12-SP5 should also get it via git-fixes workflow, not as a security fix.
The fix has been submitted to all relevant branches: stable 5.18.2 (merged) SLE15-SP4 382d5dc24196 (merged) cve/linux-5.3 41de48021d1d SLE12-SP5 1bb9b5bf248a (without the CVE reference) Reassigning back to security team.
*** Bug 1200494 has been marked as a duplicate of this bug. ***
SUSE-SU-2022:2080-1: An update that solves 18 vulnerabilities and has 27 fixes is now available. Category: security (important) Bug References: 1024718,1055117,1061840,1065729,1129770,1158266,1162338,1162369,1173871,1188885,1194124,1195612,1195651,1196426,1196570,1197219,1197601,1198438,1198577,1198899,1198989,1199035,1199063,1199237,1199239,1199314,1199399,1199426,1199505,1199507,1199526,1199602,1199605,1199606,1199631,1199650,1199671,1199839,1200015,1200045,1200057,1200143,1200144,1200173,1200249 CVE References: CVE-2019-19377,CVE-2021-33061,CVE-2021-39711,CVE-2022-1184,CVE-2022-1652,CVE-2022-1729,CVE-2022-1734,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-24448,CVE-2022-30594 JIRA References: Sources used: SUSE Linux Enterprise Server 12-SP5 (src): kernel-azure-4.12.14-16.100.2, kernel-source-azure-4.12.14-16.100.1, kernel-syms-azure-4.12.14-16.100.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Michal Kubeček from comment #9) > The fix has been submitted to all relevant branches: > > stable 5.18.2 (merged) > SLE15-SP4 382d5dc24196 (merged) > cve/linux-5.3 41de48021d1d > SLE12-SP5 1bb9b5bf248a (without the CVE reference) What about SLE15-SP3, is this not a "relevant branch"? The kernel updates released yesterday don't contain any reference to CVE-2022-1966 or bsc#1200015. Disabling usernamespaces killed docker and chromium for our users, so a fixed kernel for 15-SP3 is relally urgent.
Yet another update for SLE15-SP3 kernel is already on its way. Stay tuned.
(In reply to Frank Steiner from comment #23) > What about SLE15-SP3, is this not a "relevant branch"? cve/linux-5.3 gets merged into SLE15-SP3, there is no need to list all target branches the fix ends up in eventually.
(In reply to Michal Kubeček from comment #25) > (In reply to Frank Steiner from comment #23) > > What about SLE15-SP3, is this not a "relevant branch"? > > cve/linux-5.3 gets merged into SLE15-SP3, there is no need to list all target > branches the fix ends up in eventually. Michal do you have a reproducer of this issue? It would help us to test the livepatch more properly. Thanks!
SUSE-SU-2022:2104-1: An update that solves 23 vulnerabilities, contains one feature and has 19 fixes is now available. Category: security (important) Bug References: 1028340,1065729,1071995,1158266,1177282,1191647,1195651,1195926,1196114,1196367,1196426,1196433,1196514,1196570,1196942,1197157,1197343,1197472,1197656,1197660,1197895,1198330,1198400,1198484,1198516,1198577,1198660,1198687,1198778,1198825,1199012,1199063,1199314,1199505,1199507,1199605,1199650,1199918,1200015,1200143,1200144,1200249 CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-20321,CVE-2021-33061,CVE-2022-0168,CVE-2022-1011,CVE-2022-1158,CVE-2022-1184,CVE-2022-1353,CVE-2022-1516,CVE-2022-1652,CVE-2022-1729,CVE-2022-1734,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-28893,CVE-2022-30594 JIRA References: SLE-18234 Sources used: SUSE Manager Server 4.1 (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 SUSE Manager Retail Branch Server 4.1 (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 SUSE Manager Proxy 4.1 (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 SUSE Linux Enterprise Module for Live Patching 15-SP2 (src): kernel-default-5.3.18-150200.24.115.1, kernel-livepatch-SLE15-SP2_Update_27-1-150200.5.3.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 SUSE Linux Enterprise High Availability 15-SP2 (src): kernel-default-5.3.18-150200.24.115.1 SUSE Enterprise Storage 7 (src): kernel-default-5.3.18-150200.24.115.1, kernel-default-base-5.3.18-150200.24.115.1.150200.9.54.1, kernel-docs-5.3.18-150200.24.115.1, kernel-obs-build-5.3.18-150200.24.115.1, kernel-preempt-5.3.18-150200.24.115.1, kernel-source-5.3.18-150200.24.115.1, kernel-syms-5.3.18-150200.24.115.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2116-1: An update that solves 17 vulnerabilities and has 26 fixes is now available. Category: security (important) Bug References: 1024718,1055117,1061840,1065729,1129770,1158266,1162338,1162369,1173871,1188885,1194124,1195651,1196426,1196570,1197219,1197601,1198438,1198577,1198899,1199035,1199063,1199237,1199239,1199314,1199399,1199426,1199505,1199507,1199526,1199602,1199605,1199606,1199631,1199650,1199671,1199839,1200015,1200045,1200057,1200143,1200144,1200173,1200249 CVE References: CVE-2019-19377,CVE-2021-33061,CVE-2021-39711,CVE-2022-1184,CVE-2022-1652,CVE-2022-1729,CVE-2022-1734,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-30594 JIRA References: Sources used: SUSE Linux Enterprise Workstation Extension 12-SP5 (src): kernel-default-4.12.14-122.124.3 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): kernel-docs-4.12.14-122.124.2, kernel-obs-build-4.12.14-122.124.3 SUSE Linux Enterprise Server 12-SP5 (src): kernel-default-4.12.14-122.124.3, kernel-source-4.12.14-122.124.2, kernel-syms-4.12.14-122.124.2 SUSE Linux Enterprise Live Patching 12-SP5 (src): kernel-default-4.12.14-122.124.3, kgraft-patch-SLE12-SP5_Update_32-1-8.3.3 SUSE Linux Enterprise High Availability 12-SP5 (src): kernel-default-4.12.14-122.124.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Takashi Iwai from comment #24) > Yet another update for SLE15-SP3 kernel is already on its way. Stay tuned. Any idea how long this will take? It's more than 2 weeks that the patch was added to the kernel branches, and given the impact of the mitigation (docker/podman/chromium not working) it was desirable if the QA process for 15 SP3 (which surely is the most-used SP for SLE given that SP4 has just arrived) was given a higher priority...
CVE-2022-1966 has been rejected [0] in favor of CVE-2022-32250. [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966
(In reply to Marcos de Souza from comment #27) > Michal do you have a reproducer of this issue? It would help us to test the > livepatch more properly. Thanks! Not at hand. It should be possible to create one based on the issue description but it may be tricky to detect if the use after free actually happened without having to rebuild the kernel with some debug config option(s) enabled.
(In reply to Gianluca Gabrielli from comment #36) > CVE-2022-1966 has been rejected [0] in favor of CVE-2022-32250. > > [0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966 Should I add the new CVE id to the patches or replace the old one with it?
add additionally.... (so we have both)
SUSE-SU-2022:2172-1: An update that solves 7 vulnerabilities and has 10 fixes is now available. Category: security (important) Bug References: 1177282,1184924,1198924,1199365,1199482,1200015,1200143,1200144,1200206,1200207,1200249,1200259,1200263,1200343,1200494,1200529,1200604 CVE References: CVE-2020-26541,CVE-2022-1012,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-20141,CVE-2022-32250 JIRA References: Sources used: openSUSE Leap 15.3 (src): kernel-azure-5.3.18-150300.38.62.1, kernel-source-azure-5.3.18-150300.38.62.1, kernel-syms-azure-5.3.18-150300.38.62.1 SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src): kernel-azure-5.3.18-150300.38.62.1, kernel-source-azure-5.3.18-150300.38.62.1, kernel-syms-azure-5.3.18-150300.38.62.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2173-1: An update that solves four vulnerabilities and has 8 fixes is now available. Category: security (important) Bug References: 1177282,1199365,1200015,1200143,1200144,1200206,1200207,1200249,1200259,1200263,1200268,1200529 CVE References: CVE-2020-26541,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975 JIRA References: Sources used: openSUSE Leap 15.4 (src): dtb-aarch64-5.3.18-150300.59.76.1, kernel-preempt-5.3.18-150300.59.76.1 openSUSE Leap 15.3 (src): dtb-aarch64-5.3.18-150300.59.76.1, kernel-64kb-5.3.18-150300.59.76.1, kernel-debug-5.3.18-150300.59.76.1, kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2, kernel-docs-5.3.18-150300.59.76.1, kernel-kvmsmall-5.3.18-150300.59.76.1, kernel-obs-build-5.3.18-150300.59.76.1, kernel-obs-qa-5.3.18-150300.59.76.1, kernel-preempt-5.3.18-150300.59.76.1, kernel-source-5.3.18-150300.59.76.1, kernel-syms-5.3.18-150300.59.76.1, kernel-zfcpdump-5.3.18-150300.59.76.1 SUSE Linux Enterprise Workstation Extension 15-SP3 (src): kernel-default-5.3.18-150300.59.76.1, kernel-preempt-5.3.18-150300.59.76.1 SUSE Linux Enterprise Module for Live Patching 15-SP3 (src): kernel-default-5.3.18-150300.59.76.1, kernel-livepatch-SLE15-SP3_Update_20-1-150300.7.5.1 SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src): kernel-default-5.3.18-150300.59.76.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): kernel-docs-5.3.18-150300.59.76.1, kernel-obs-build-5.3.18-150300.59.76.1, kernel-preempt-5.3.18-150300.59.76.1, kernel-source-5.3.18-150300.59.76.1, kernel-syms-5.3.18-150300.59.76.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): kernel-64kb-5.3.18-150300.59.76.1, kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2, kernel-preempt-5.3.18-150300.59.76.1, kernel-source-5.3.18-150300.59.76.1, kernel-zfcpdump-5.3.18-150300.59.76.1 SUSE Linux Enterprise Micro 5.2 (src): kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2 SUSE Linux Enterprise Micro 5.1 (src): kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2 SUSE Linux Enterprise High Availability 15-SP3 (src): kernel-default-5.3.18-150300.59.76.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2177-1: An update that solves 20 vulnerabilities, contains three features and has 39 fixes is now available. Category: security (important) Bug References: 1055117,1061840,1065729,1103269,1118212,1153274,1154353,1156395,1158266,1167773,1176447,1177282,1178134,1180100,1183405,1188885,1195826,1196426,1196478,1196570,1196840,1197446,1197472,1197601,1197675,1198438,1198577,1198971,1198989,1199035,1199052,1199063,1199114,1199314,1199365,1199505,1199507,1199564,1199626,1199631,1199650,1199670,1199839,1200015,1200019,1200045,1200046,1200143,1200144,1200192,1200206,1200207,1200216,1200249,1200259,1200263,1200529,1200549,1200604 CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-33061,CVE-2022-0168,CVE-2022-1184,CVE-2022-1652,CVE-2022-1729,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1975,CVE-2022-20008,CVE-2022-20141,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-30594,CVE-2022-32250 JIRA References: SLE-13521,SLE-16387,SLE-8371 Sources used: SUSE Linux Enterprise Module for Realtime 15-SP3 (src): kernel-rt-5.3.18-150300.93.1, kernel-rt_debug-5.3.18-150300.93.1, kernel-source-rt-5.3.18-150300.93.1, kernel-syms-rt-5.3.18-150300.93.1 SUSE Linux Enterprise Micro 5.2 (src): kernel-rt-5.3.18-150300.93.1 SUSE Linux Enterprise Micro 5.1 (src): kernel-rt-5.3.18-150300.93.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Has the default policy be changed so that user.max_user_namespaces is set to 0 by default now? When I boot our SP3 with 5.3.18-150300.59.76 user.max_user_namespaces is 0. With 5.3.18-150300.59.71 it is 256166. And I flip-flop-booted the kernels several times to make sure it's not sth. else changing the values. Setting user.max_user_namespaces to 0 was the mitigation for the buggy kernel 150300.59.71. Given that this has been fixed with 150300.59.76, why should user.max_user_namespaces now default to 0? chromium and podman are disabled by default with this new default, so I guess it's not a good idea...
Posting in case someone else steps on this. It turned out that the sysctl file we had created for setting namespaces to 0 was transferred into the initrd when upgrading the kernel package so it was executed on every reboot even after removing it from /etc/sysctl.d. I'm not sure it makes sense to put all sysctl config files into the initrd (one wouldn't need systemd-sysctl.service then anymore), but that's not related to this bug.
SUSE-SU-2022:2520-1: An update that solves 49 vulnerabilities, contains 26 features and has 207 fixes is now available. Category: security (important) Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198410,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198829,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200813,1200815,1200816,1200820,1200821,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201080,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,1201251,1201381,1201471,1201524 CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1462,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918 JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549 Sources used: openSUSE Leap 15.4 (src): dtb-aarch64-5.14.21-150400.24.11.1, kernel-64kb-5.14.21-150400.24.11.1, kernel-debug-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-docs-5.14.21-150400.24.11.1, kernel-kvmsmall-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-obs-qa-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1 SUSE Linux Enterprise Workstation Extension 15-SP4 (src): kernel-default-5.14.21-150400.24.11.1 SUSE Linux Enterprise Module for Live Patching 15-SP4 (src): kernel-default-5.14.21-150400.24.11.1, kernel-livepatch-SLE15-SP4_Update_1-1-150400.9.5.3 SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src): kernel-default-5.14.21-150400.24.11.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): kernel-docs-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): kernel-64kb-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-source-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1 SUSE Linux Enterprise High Availability 15-SP4 (src): kernel-default-5.14.21-150400.24.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2615-1: An update that solves 48 vulnerabilities, contains 26 features and has 202 fixes is now available. Category: security (important) Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200572,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200815,1200816,1200820,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,1201251,150300 CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918 JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549 Sources used: openSUSE Leap 15.4 (src): kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1 SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src): kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2629-1: An update that solves 33 vulnerabilities and has 41 fixes is now available. Category: security (important) Bug References: 1024718,1055117,1061840,1065729,1129770,1158266,1177282,1188885,1194013,1194124,1196426,1196570,1196901,1196964,1197170,1197219,1197601,1198438,1198577,1198866,1198899,1199035,1199063,1199237,1199239,1199314,1199399,1199426,1199482,1199487,1199505,1199507,1199526,1199605,1199631,1199650,1199657,1199671,1199839,1200015,1200045,1200143,1200144,1200173,1200249,1200343,1200549,1200571,1200599,1200600,1200604,1200605,1200608,1200619,1200762,1200806,1200807,1200809,1200810,1200813,1200820,1200821,1200822,1200829,1200868,1200869,1200870,1200871,1200872,1200873,1200925,1201050,1201080,1201251 CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-26341,CVE-2021-33061,CVE-2021-39711,CVE-2021-4157,CVE-2022-1012,CVE-2022-1184,CVE-2022-1652,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1836,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-26365,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742 JIRA References: Sources used: SUSE Linux Enterprise Real Time Extension 12-SP5 (src): kernel-rt-4.12.14-10.94.1, kernel-rt_debug-4.12.14-10.94.1, kernel-source-rt-4.12.14-10.94.1, kernel-syms-rt-4.12.14-10.94.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2722-1: An update that solves 5 vulnerabilities, contains 9 features and has 31 fixes is now available. Category: security (important) Bug References: 1190256,1190497,1198410,1198829,1199086,1199291,1199364,1199665,1199670,1200015,1200465,1200494,1200644,1200651,1201258,1201323,1201381,1201391,1201427,1201458,1201471,1201524,1201592,1201593,1201595,1201596,1201635,1201651,1201675,1201691,1201705,1201725,1201846,1201930,1201954,1201958 CVE References: CVE-2021-33655,CVE-2022-1462,CVE-2022-21505,CVE-2022-29581,CVE-2022-32250 JIRA References: SLE-18130,SLE-20183,SLE-21132,SLE-24569,SLE-24570,SLE-24571,SLE-24578,SLE-24635,SLE-24682 Sources used: openSUSE Leap 15.4 (src): kernel-azure-5.14.21-150400.14.10.1, kernel-source-azure-5.14.21-150400.14.10.1, kernel-syms-azure-5.14.21-150400.14.10.1 SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src): kernel-azure-5.14.21-150400.14.10.1, kernel-source-azure-5.14.21-150400.14.10.1, kernel-syms-azure-5.14.21-150400.14.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2875-1: An update that solves 18 vulnerabilities, contains one feature and has 18 fixes is now available. Category: security (important) Bug References: 1178134,1196616,1198829,1199364,1199647,1199665,1199670,1200015,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201442,1201458,1201635,1201636,1201644,1201645,1201664,1201672,1201673,1201676,1201846,1201930,1201940,1201954,1201956,1201958,1202154 CVE References: CVE-2020-36516,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-2639,CVE-2022-29581,CVE-2022-32250,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946 JIRA References: SLE-24559 Sources used: openSUSE Leap 15.4 (src): dtb-aarch64-5.3.18-150300.59.90.1 openSUSE Leap 15.3 (src): dtb-aarch64-5.3.18-150300.59.90.1, kernel-64kb-5.3.18-150300.59.90.1, kernel-debug-5.3.18-150300.59.90.1, kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1, kernel-docs-5.3.18-150300.59.90.1, kernel-kvmsmall-5.3.18-150300.59.90.1, kernel-obs-build-5.3.18-150300.59.90.1, kernel-obs-qa-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-syms-5.3.18-150300.59.90.1, kernel-zfcpdump-5.3.18-150300.59.90.1 SUSE Linux Enterprise Workstation Extension 15-SP3 (src): kernel-default-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1 SUSE Linux Enterprise Module for Live Patching 15-SP3 (src): kernel-default-5.3.18-150300.59.90.1, kernel-livepatch-SLE15-SP3_Update_23-1-150300.7.3.1 SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src): kernel-default-5.3.18-150300.59.90.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): kernel-docs-5.3.18-150300.59.90.1, kernel-obs-build-5.3.18-150300.59.90.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-syms-5.3.18-150300.59.90.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): kernel-64kb-5.3.18-150300.59.90.1, kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1, kernel-preempt-5.3.18-150300.59.90.1, kernel-source-5.3.18-150300.59.90.1, kernel-zfcpdump-5.3.18-150300.59.90.1 SUSE Linux Enterprise Micro 5.2 (src): kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1 SUSE Linux Enterprise Micro 5.1 (src): kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1 SUSE Linux Enterprise High Availability 15-SP3 (src): kernel-default-5.3.18-150300.59.90.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:2173-1: An update that solves four vulnerabilities and has 8 fixes is now available. Category: security (important) Bug References: 1177282,1199365,1200015,1200143,1200144,1200206,1200207,1200249,1200259,1200263,1200268,1200529 CVE References: CVE-2020-26541,CVE-2022-1966,CVE-2022-1974,CVE-2022-1975 JIRA References: Sources used: openSUSE Leap Micro 5.2 (src): kernel-default-5.3.18-150300.59.76.1, kernel-default-base-5.3.18-150300.59.76.1.150300.18.45.2
openSUSE-SU-2022:2177-1: An update that solves 20 vulnerabilities, contains three features and has 39 fixes is now available. Category: security (important) Bug References: 1055117,1061840,1065729,1103269,1118212,1153274,1154353,1156395,1158266,1167773,1176447,1177282,1178134,1180100,1183405,1188885,1195826,1196426,1196478,1196570,1196840,1197446,1197472,1197601,1197675,1198438,1198577,1198971,1198989,1199035,1199052,1199063,1199114,1199314,1199365,1199505,1199507,1199564,1199626,1199631,1199650,1199670,1199839,1200015,1200019,1200045,1200046,1200143,1200144,1200192,1200206,1200207,1200216,1200249,1200259,1200263,1200529,1200549,1200604 CVE References: CVE-2019-19377,CVE-2020-26541,CVE-2021-33061,CVE-2022-0168,CVE-2022-1184,CVE-2022-1652,CVE-2022-1729,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1975,CVE-2022-20008,CVE-2022-20141,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-30594,CVE-2022-32250 JIRA References: SLE-13521,SLE-16387,SLE-8371 Sources used: openSUSE Leap Micro 5.2 (src): kernel-rt-5.3.18-150300.93.1
SUSE-SU-2022:2875-2: An update that solves 18 vulnerabilities, contains one feature and has 18 fixes is now available. Category: security (important) Bug References: 1178134,1196616,1198829,1199364,1199647,1199665,1199670,1200015,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201442,1201458,1201635,1201636,1201644,1201645,1201664,1201672,1201673,1201676,1201846,1201930,1201940,1201954,1201956,1201958,1202154 CVE References: CVE-2020-36516,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-2639,CVE-2022-29581,CVE-2022-32250,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946 JIRA References: SLE-24559 Sources used: openSUSE Leap Micro 5.2 (src): kernel-default-5.3.18-150300.59.90.1, kernel-default-base-5.3.18-150300.59.90.1.150300.18.52.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
SUSE-SU-2022:4617-1: An update that solves 96 vulnerabilities, contains 50 features and has 246 fixes is now available. Category: security (important) Bug References: 1023051,1032323,1065729,1071995,1152472,1152489,1156395,1164051,1177471,1184350,1185032,1188238,1189297,1189999,1190256,1190497,1190969,1192968,1193629,1194023,1194592,1194869,1194904,1195480,1195917,1196018,1196444,1196616,1196632,1196867,1196869,1197158,1197391,1197659,1197755,1197756,1197757,1197763,1198189,1198410,1198577,1198702,1198971,1199086,1199364,1199515,1199670,1199904,1200015,1200058,1200268,1200288,1200301,1200313,1200431,1200465,1200494,1200544,1200567,1200622,1200644,1200651,1200692,1200788,1200845,1200868,1200869,1200870,1200871,1200872,1200873,1201019,1201308,1201309,1201310,1201361,1201427,1201442,1201455,1201489,1201610,1201675,1201725,1201726,1201768,1201865,1201940,1201941,1201948,1201954,1201956,1201958,1202095,1202096,1202097,1202113,1202131,1202154,1202187,1202262,1202265,1202312,1202341,1202346,1202347,1202385,1202393,1202447,1202471,1202558,1202623,1202636,1202672,1202681,1202685,1202686,1202700,1202710,1202711,1202712,1202713,1202715,1202716,1202757,1202758,1202759,1202761,1202762,1202763,1202764,1202765,1202766,1202767,1202768,1202769,1202770,1202771,1202773,1202774,1202775,1202776,1202778,1202779,1202780,1202781,1202782,1202783,1202822,1202823,1202824,1202860,1202867,1202872,1202874,1202898,1202914,1202960,1202989,1202992,1202993,1203002,1203008,1203036,1203039,1203041,1203063,1203066,1203067,1203098,1203101,1203107,1203116,1203117,1203138,1203139,1203159,1203183,1203197,1203208,1203229,1203263,1203290,1203338,1203360,1203361,1203389,1203391,1203410,1203435,1203505,1203511,1203514,1203552,1203606,1203664,1203693,1203699,1203767,1203769,1203770,1203794,1203798,1203802,1203829,1203893,1203902,1203906,1203908,1203922,1203935,1203939,1203960,1203969,1203987,1203992,1203994,1204017,1204051,1204059,1204060,1204092,1204125,1204132,1204142,1204166,1204168,1204170,1204171,1204183,1204228,1204241,1204289,1204290,1204291,1204292,1204353,1204354,1204355,1204402,1204405,1204413,1204414,1204415,1204417,1204424,1204428,1204431,1204432,1204439,1204470,1204479,1204486,1204498,1204533,1204569,1204574,1204575,1204576,1204619,1204624,1204631,1204635,1204636,1204637,1204646,1204647,1204650,1204653,1204693,1204705,1204719,1204728,1204745,1204753,1204780,1204810,1204850,1204868,1204926,1204933,1204934,1204947,1204957,1204963,1204970,1205007,1205100,1205111,1205113,1205128,1205130,1205149,1205153,1205220,1205257,1205264,1205282,1205313,1205331,1205332,1205427,1205428,1205473,1205496,1205507,1205514,1205521,1205567,1205616,1205617,1205653,1205671,1205679,1205683,1205700,1205705,1205709,1205711,1205744,1205764,1205796,1205882,1205993,1206035,1206036,1206037,1206045,1206046,1206047,1206048,1206049,1206050,1206051,1206056,1206057,1206113,1206114,1206147,1206149,1206207,1206273,1206391 CVE References: CVE-2016-3695,CVE-2020-16119,CVE-2020-36516,CVE-2021-33135,CVE-2021-4037,CVE-2022-1184,CVE-2022-1263,CVE-2022-1882,CVE-2022-20368,CVE-2022-20369,CVE-2022-2153,CVE-2022-2586,CVE-2022-2588,CVE-2022-2602,CVE-2022-26373,CVE-2022-2639,CVE-2022-2663,CVE-2022-28356,CVE-2022-28693,CVE-2022-2873,CVE-2022-28748,CVE-2022-2905,CVE-2022-2938,CVE-2022-2959,CVE-2022-2964,CVE-2022-2977,CVE-2022-2978,CVE-2022-3028,CVE-2022-3078,CVE-2022-3114,CVE-2022-3169,CVE-2022-3176,CVE-2022-3202,CVE-2022-32250,CVE-2022-32296,CVE-2022-3239,CVE-2022-3303,CVE-2022-33981,CVE-2022-3424,CVE-2022-3435,CVE-2022-3521,CVE-2022-3524,CVE-2022-3526,CVE-2022-3535,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3566,CVE-2022-3567,CVE-2022-3577,CVE-2022-3586,CVE-2022-3594,CVE-2022-3619,CVE-2022-3621,CVE-2022-3625,CVE-2022-3628,CVE-2022-3629,CVE-2022-3633,CVE-2022-3635,CVE-2022-3640,CVE-2022-3643,CVE-2022-3646,CVE-2022-3649,CVE-2022-36879,CVE-2022-36946,CVE-2022-3707,CVE-2022-3903,CVE-2022-39188,CVE-2022-39189,CVE-2022-39190,CVE-2022-40476,CVE-2022-40768,CVE-2022-4095,CVE-2022-41218,CVE-2022-4129,CVE-2022-4139,CVE-2022-41674,CVE-2022-41848,CVE-2022-41849,CVE-2022-41850,CVE-2022-41858,CVE-2022-42328,CVE-2022-42329,CVE-2022-42703,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721,CVE-2022-42722,CVE-2022-42895,CVE-2022-42896,CVE-2022-43750,CVE-2022-4378,CVE-2022-43945,CVE-2022-45869,CVE-2022-45888,CVE-2022-45934 JIRA References: PED-1082,PED-1084,PED-1085,PED-1096,PED-1211,PED-1573,PED-1649,PED-1706,PED-1936,PED-2684,PED-387,PED-529,PED-611,PED-634,PED-652,PED-664,PED-676,PED-678,PED-679,PED-682,PED-688,PED-707,PED-720,PED-729,PED-732,PED-755,PED-763,PED-813,PED-817,PED-822,PED-824,PED-825,PED-833,PED-842,PED-846,PED-849,PED-850,PED-851,PED-856,PED-857,SLE-13847,SLE-18130,SLE-19359,SLE-19924,SLE-20183,SLE-23766,SLE-24572,SLE-24682,SLE-24814,SLE-9246 Sources used: openSUSE Leap Micro 5.3 (src): kernel-rt-5.14.21-150400.15.5.1 openSUSE Leap 15.4 (src): kernel-rt-5.14.21-150400.15.5.1, kernel-rt_debug-5.14.21-150400.15.5.1, kernel-source-rt-5.14.21-150400.15.5.1, kernel-syms-rt-5.14.21-150400.15.5.1 SUSE Linux Enterprise Module for Realtime 15-SP4 (src): kernel-rt-5.14.21-150400.15.5.1, kernel-rt_debug-5.14.21-150400.15.5.1, kernel-source-rt-5.14.21-150400.15.5.1, kernel-syms-rt-5.14.21-150400.15.5.1 SUSE Linux Enterprise Module for Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_1-1-150400.1.3.1 SUSE Linux Enterprise Micro 5.3 (src): kernel-rt-5.14.21-150400.15.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.