...
- A vulnerability in the Linux kernel (CVE-2022-0185) that may allow unprivileged users to gain root access.
- A vulnerability in polkit (CVE-2021-4034): a local privilege escalation vulnerability found in polkit's pkexec utility.
The actions required are listed below, divided according to the operating system used.
...
| Info |
|---|
|
CVE-2021-4034 (polkit) affects all operating systems, and the update, or mitigation, must be applied within 1 week. Note that the polkit update may cause problems on containerized applications. It is recommended that you stop the running containers before applying the update. Please carefully read and apply the steps detailed below. CVE-2022-0185 (kernel) affects CentOS Stream 8 and higher versions, and Ubuntu 20.04, and it is particularly dangerous on multi-user instances, on which the update must be applied within 1 week. Ubuntu 18. |
Instructions for Ubuntu 20.04
For the CVE-2021-4034 vulnerability, check the installed version of the policykit package:
| Code Block |
|---|
|
$ dpkg -s policykit-1 | grep -i version |
If the version returned by this command is less than 0.105-26ubuntu1.2, a package update is required.
In case containers are running on your system use the following commands:
| Code Block |
|---|
|
$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1 |
In case containers are NOT running on your system just update the policykit package:
| Code Block |
|---|
|
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1 |
For the CVE-2022-0185 vulnerability, check the kernel version in use with the "uname -r" command.
If the reported kernel version is lower than 5.4.0-96.109, a kernel update is required and can be done using the following command (the command may not update any packages if the new kernel has already been installed by an automatic system, such as autoupdate or a cron job):
| Code Block |
|---|
|
$ sudo apt-get update && sudo apt-get install linux-generic |
To enable the use of the new kernel, a reboot of the machine is needed.
After the system restart, use the "uname -r" command again to check the kernel version in use. The new version should be at least "5.4.0-96-generic".
Instructions for Ubuntu 18.04
For the CVE-2021-4034 vulnerability, check the installed version of the policykit package:
| Code Block |
|---|
|
$ dpkg -s policykit-1 | grep -i version |
If the version returned by this command is less than 0.105-26ubuntu1.2, a package update is required.
In case containers are running on your system use the following commands:
| Code Block |
|---|
|
$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1
$ sudo reboot |
In case containers are NOT running on your system just update the policykit package:
| Code Block |
|---|
|
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1 |
Instructions for CentOS Stream 8 and above
For the CVE-2021-4034 vulnerability, check the installed version of the polkit package:
| Code Block |
|---|
|
$ rpm -qa polkit |
If the version returned by this command is less than 0.115-13.el8_5.1.x86_64, a package update is required.
In case containers are running on your system use the following commands:
| Code Block |
|---|
|
$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo yum clean all && sudo yum -y update polkit |
In case containers are NOT running on your system just update the policykit package:
| Code Block |
|---|
|
$ sudo yum clean all && sudo yum -y update polkit |
For the CVE-2022-0185 vulnerability, check the kernel version in use with the "uname -r" command.
If the reported kernel version is lower than 4.18.0-348.12.2.el8_5, a kernel update is required and can be done using the following command (the command may not update any packages if the new kernel has already been installed by an automatic system, such as autoupdate or a cron job):
| Code Block |
|---|
|
$ sudo yum clean all && sudo yum update 'kernel*' |
To enable the use of the new kernel, a reboot of the machine is needed.
After the system restart, use the "uname -r" command again to check the kernel version in use. The new version should be at least "4.18.0-348.12.2.el8_5".
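The kernel checks for Ubuntu 20.04 and CentOS Stream 8 both compare the "uname -r" output with a minimum release. The following is an added example, not part of the original instructions, that does this comparison in version order for the two minimum releases given on this page. The function names are hypothetical, and the distribution is assumed to be identified by the ID and VERSION_ID values in /etc/os-release.

```shell
#!/bin/sh
# Added example (not from the original page): report whether a kernel release
# string is older than the minimum release this page gives for CVE-2022-0185.

# version_lt A B: true when A sorts strictly before B in version order.
# sort -V (GNU coreutils) compares numeric fields as numbers, so 5.4.0-100
# is newer than 5.4.0-96; a plain string comparison gets that wrong.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# min_fixed_kernel ID VERSION_ID: print the minimum release quoted on the page
# for that distribution, or fail when the page gives none.
min_fixed_kernel() {
    case "$1:$2" in
        ubuntu:20.04)        echo "5.4.0-96-generic" ;;
        centos:8*|centos:9*) echo "4.18.0-348.12.2.el8_5" ;;
        *)                   return 1 ;;
    esac
}

# kernel_status ID VERSION_ID RELEASE: print update-needed, ok or not-covered.
kernel_status() {
    ks_fixed=$(min_fixed_kernel "$1" "$2") || { echo "not-covered"; return 0; }
    # The Ubuntu value is for the -generic flavour; other flavours (for
    # example cloud kernels) may number builds differently, so do not guess.
    if [ "$1" = ubuntu ]; then
        case "$3" in *-generic) ;; *) echo "not-covered"; return 0 ;; esac
    fi
    if version_lt "$3" "$ks_fixed"; then echo "update-needed"; else echo "ok"; fi
}

# Check this host: ID and VERSION_ID come from /etc/os-release.
if [ -r /etc/os-release ]; then
    . /etc/os-release
    kernel_status "${ID:-unknown}" "${VERSION_ID:-unknown}" "$(uname -r)"
fi
```

Run it again after the reboot: "update-needed" at that point means the machine is still booted into the old kernel.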
Instructions for CentOS 7
For the CVE-2021-4034 vulnerability, check the installed version of the polkit package:
| Code Block |
|---|
|
$ rpm -qa polkit |
If the version returned by this command is less than 0.115-13.el8_5.1.x86_64, a package update is required.
In case containers are running on your system use the following commands:
| Code Block |
|---|
|
$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo yum clean all && sudo yum -y update polkit |
In case containers are NOT running on your system just update the policykit package:
| Code Block |
|---|
|
$ sudo yum clean all && sudo yum -y update polkit |
References
[R1] https://access.redhat.com/security/cve/CVE-2022-0185
...