DATE:  


Two critical vulnerabilities have been reported:

  • A vulnerability in the Linux kernel (CVE-2022-0185) that may allow unprivileged users to gain root access.
  • A vulnerability in polkit (CVE-2021-4034): a local privilege escalation vulnerability in polkit's pkexec utility.


The actions required are listed below, divided according to the operating system used.

Actions required/recommended


IMPORTANT

CVE-2021-4034 (polkit) affects all operating systems, and the update or mitigation must be applied within 1 week. Note that the polkit update may cause problems for containerized applications. It is recommended that you stop the running containers before applying the update.

CVE-2022-0185 (kernel) affects CentOS Stream 8 and higher versions, and Ubuntu 20.04. It is particularly dangerous on multi-user instances, on which the update must be applied within 1 week. Ubuntu 18.04 is not affected.

Please carefully read and apply the steps detailed below.


Instructions for Ubuntu 20.04

For the CVE-2021-4034 vulnerability check the installed version of the policykit package

$ dpkg -s policykit-1 | grep -i version 

If the version returned by this command is less than 0.105-26ubuntu1.2, a package update is required. 

In case containers are running on your system use the following commands: 

$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1

In case containers are NOT running on your system just update the policykit package: 

$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1 


For the CVE-2022-0185 vulnerability check the kernel version in use:

$ uname -r

If the reported kernel version is lower than 5.4.0-96.109, a kernel update is required and can be done using the following command (the command may not update any packages if the new kernel has already been installed by an automatic system, such as autoupdate or a cron job):

$ sudo apt-get update && sudo apt-get install linux-generic

To enable the use of the new kernel, a reboot of the machine is needed:

$ sudo reboot

After the system restarts, run the "uname -r" command again to check the kernel version in use. The new version should be at least "5.4.0-96-generic".


Instructions for Ubuntu 18.04

For the CVE-2021-4034 vulnerability check the installed version of the policykit package

$ dpkg -s policykit-1 | grep -i version 


If the version returned by this command is less than 0.105-26ubuntu1.2, a package update is required. 

In case containers are running on your system use the following commands: 

$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1
$ sudo reboot 

In case containers are NOT running on your system just update the policykit package: 

$ sudo apt-get update && sudo apt-get --only-upgrade install policykit-1 

Instructions for CentOS Stream 8 and above


For the CVE-2021-4034 vulnerability check the installed version of the polkit package:

$ rpm -qa polkit

If the version returned by this command is less than 0.115-13.el8_5.1.x86_64, a package update is required. 

In case containers are running on your system use the following commands: 

$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo yum clean all && sudo yum -y update polkit

In case containers are NOT running on your system just update the polkit package: 

$ sudo yum clean all && sudo yum -y update polkit


For the CVE-2022-0185 vulnerability check the kernel version in use:

$ uname -r

If the reported kernel version is lower than 4.18.0-348.12.2.el8_5, a kernel update is required and can be done using the following command (the command may not update any packages if the new kernel has already been installed by an automatic system, such as autoupdate or a cron job):

$ sudo yum clean all && sudo yum update 'kernel*'

To enable the use of the new kernel, a reboot of the machine is needed:

$ sudo reboot

After the system restarts, run the "uname -r" command again to check the kernel version in use. The new version should be at least "4.18.0-348.12.2.el8_5".
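
The kernel version checks for Ubuntu 20.04 and CentOS Stream 8 can be scripted instead of compared by eye. The script below is an added example, not part of the original advisory: the function names are hypothetical, the sample releases are constructed, and the minimum releases are the ones quoted in this advisory. Fields are compared as numbers, so 5.4.0-100 is treated as newer than 5.4.0-96.

```shell
#!/bin/sh
# Added example: compare a kernel release string (as printed by `uname -r`)
# against the minimum fixed release quoted in this advisory.

# Print the leading numeric fields of a release, space separated.
# "5.4.0-96-generic" -> "5 4 0 96"
# "4.18.0-348.12.2.el8_5.x86_64" -> "4 18 0 348 12 2"
numeric_fields() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+([.-][0-9]+)*).*/\1/; s/[.-]/ /g'
}

# release_lt A B: succeed when release A is strictly older than release B.
# Fields are compared numerically left to right; a missing field counts as 0.
release_lt() {
    fields_a=$(numeric_fields "$1")
    fields_b=$(numeric_fields "$2")
    set -- $fields_a
    for want in $fields_b; do
        have=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$have" -lt "$want" ] && return 0
        [ "$have" -gt "$want" ] && return 1
    done
    return 1
}

# kernel_check RELEASE MINIMUM: print UPDATE_REQUIRED or OK.
kernel_check() {
    if release_lt "$1" "$2"; then
        echo "UPDATE_REQUIRED"
    else
        echo "OK"
    fi
}

# Minimum releases as stated in the advisory.
UBUNTU_2004_MIN="5.4.0-96-generic"
CENTOS_8_MIN="4.18.0-348.12.2.el8_5"

# Constructed sample releases (not taken from real hosts).
for sample in 5.4.0-94-generic 5.4.0-96-generic 5.4.0-100-generic; do
    printf 'Ubuntu 20.04  %-30s %s\n' "$sample" "$(kernel_check "$sample" "$UBUNTU_2004_MIN")"
done
for sample in 4.18.0-348.el8.x86_64 4.18.0-348.12.2.el8_5.x86_64 4.18.0-358.el8.x86_64; do
    printf 'CentOS 8      %-30s %s\n' "$sample" "$(kernel_check "$sample" "$CENTOS_8_MIN")"
done
```

On a live host, pass "$(uname -r)" as the first argument to kernel_check. For the policykit package check on Ubuntu, "dpkg --compare-versions <installed> lt <fixed>" performs the equivalent comparison.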


Instructions for CentOS 7


For the CVE-2021-4034 vulnerability check the installed version of the polkit package:

$ rpm -qa polkit

If the version returned by this command is less than 0.112-26.el7_9.1, a package update is required. 

In case containers are running on your system use the following commands: 

$ docker ps # get the list of running containers
$ docker stop <running_containers> # or use "docker-compose down"
$ sudo yum clean all && sudo yum -y update polkit
$ sudo reboot

In case containers are NOT running on your system just update the polkit package: 

$ sudo yum clean all && sudo yum -y update polkit



References

CVE-2022-0185

[R1] https://access.redhat.com/security/cve/CVE-2022-0185 

[R2] https://access.redhat.com/errata/RHSA-2022:0188 

[R3] https://www.openwall.com/lists/oss-security/2022/01/18/7 

CVE-2021-4034

[R4] https://access.redhat.com/security/cve/CVE-2021-4034 

[R5] https://access.redhat.com/security/vulnerabilities/RHSB-2022-001 

[R6] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt 
