DATE:
Two critical vulnerabilities have been reported:
The actions required are listed below, divided according to the operating system used.
CVE-2021-4034 (polkit) affects all operating systems, and the update or mitigation must be applied within 1 week. Note that the polkit update may cause problems for containerized applications, so it is recommended that you stop the running containers before applying the update. CVE-2022-0185 (kernel) affects CentOS Stream 8 and higher versions, and Ubuntu 20.04. It is particularly dangerous on multi-user instances, on which the update must be applied within 1 week. Ubuntu 18.04 is not affected. Please carefully read and apply the steps detailed below.
For the CVE-2021-4034 vulnerability, check the installed version of the policykit package:
$ dpkg -s policykit-1 | grep -i version
If the version returned by this command is less than 0.105-26ubuntu1.2, a package update is required.
In case containers are running on your system, use the following commands:
$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1
In case containers are NOT running on your system, just update the policykit package:
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1
For the CVE-2022-0185 vulnerability, check the kernel version in use:
$ uname -r
If the reported kernel version is lower than 5.4.0-96.109, a kernel update is required and can be done using the following command (the command may not update any packages if the new kernel has already been installed by an automatic system, such as autoupdate or a cron job):
$ sudo apt-get update && sudo apt-get install linux-generic
To enable the use of the new kernel, a reboot of the machine is needed:
$ sudo reboot
After the system restart, run the "uname -r" command again to check the kernel version in use. The new version should be at least "5.4.0-96-generic".
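The two Ubuntu 20.04 checks above can be scripted as follows. This is an added example, not part of the original advisory: the function names and the `--check` argument are assumptions of the example, and the thresholds are the values quoted above.

```shell
#!/bin/sh
# Added example: report whether an Ubuntu 20.04 host still needs the updates.
# Thresholds are the values quoted in this advisory.
POLKIT_FIXED="0.105-26ubuntu1.2"
KERNEL_FIXED="5.4.0-96-generic"

# version_lt A B: succeed when A sorts strictly before B in version order.
# A plain string comparison would rank 5.4.0-100 below 5.4.0-96; sort -V
# (GNU coreutils) compares the numeric fields as numbers. On Debian/Ubuntu,
# "dpkg --compare-versions A lt B" is the authoritative test for package
# versions; sort -V is used here so the function also works for uname output.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# status INSTALLED FIXED: print "update-required" or "ok".
status() {
    if version_lt "$1" "$2"; then echo "update-required"; else echo "ok"; fi
}

# check_host: query the live system (Ubuntu 20.04 only).
# A host without policykit-1 installed is reported as "ok".
check_host() {
    polkit=$(dpkg-query -W -f='${Version}' policykit-1 2>/dev/null)
    kernel=$(uname -r)
    echo "policykit-1 ${polkit:-not-installed}:" \
         "$(status "${polkit:-$POLKIT_FIXED}" "$POLKIT_FIXED")"
    echo "kernel $kernel: $(status "$kernel" "$KERNEL_FIXED")"
}

# Query the live system only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it with `--check` before the update and again after the reboot; both lines should then read "ok".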
For the CVE-2021-4034 vulnerability, check the installed version of the policykit package:
$ dpkg -s policykit-1 | grep -i version
If the version returned by this command is less than 0.105-26ubuntu1.2, a package update is required.
In case containers are running on your system, use the following commands:
$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1
$ sudo reboot
In case containers are NOT running on your system, just update the policykit package:
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1
For the CVE-2021-4034 vulnerability, check the installed version of the polkit package:
$ rpm -qa polkit
If the version returned by this command is less than 0.115-13.el8_5.1.x86_64, a package update is required.
In case containers are running on your system, use the following commands:
$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo yum clean all && sudo yum -y update polkit
In case containers are NOT running on your system, just update the polkit package:
$ sudo yum clean all && sudo yum -y update polkit
For the CVE-2022-0185 vulnerability, check the kernel version in use:
$ uname -r
If the reported kernel version is lower than 4.18.0-348.12.2.el8_5, a kernel update is required and can be done using the following command (the command may not update any packages if the new kernel has already been installed by an automatic system, such as autoupdate or a cron job):
$ sudo yum clean all && sudo yum update 'kernel*'
To enable the use of the new kernel, a reboot of the machine is needed:
$ sudo reboot
After the system restart, run the "uname -r" command again to check the kernel version in use. The new version should be at least "4.18.0-348.12.2.el8_5".
For the CVE-2021-4034 vulnerability, check the installed version of the polkit package:
$ rpm -qa polkit
If the version returned by this command is less than 0.112-26.el7_9.1, a package update is required.
In case containers are running on your system, use the following commands:
$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo yum clean all && sudo yum -y update polkit
$ sudo reboot
In case containers are NOT running on your system, just update the polkit package:
$ sudo yum clean all && sudo yum -y update polkit
CVE-2022-0185
[R1] https://access.redhat.com/security/cve/CVE-2022-0185
[R2] https://access.redhat.com/errata/RHSA-2022:0188
[R3] https://www.openwall.com/lists/oss-security/2022/01/18/7
CVE-2021-4034
[R4] https://access.redhat.com/security/cve/CVE-2021-4034
[R5] https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
[R6] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt