Dirty Pipe Vulnerability (CVE-2022-0847) in CoreOS

There is a new big privilege escalation vulnerability in the Linux kernel:

Dirty Pipe Vulnerability

https://dirtypipe.cm4all.com/

It’s fixed in kernel v5.15.25, however, as of 2022-03-09 all CoreOS streams are still using a kernel version of 5.15.18…

Given it is very easy to exploit and has severe consequences (root privilege escalation), should not you push an emergency update here? Or at least somewhat fasten the process?

It is worth noting that although this vulnerability is easier to exploit than Dirty Cows vulnerability, it is only a matter of time before it is exploited by hackers on a large scale.

CVE-2022-0847: Linux Kernel Privilege Escalation Vulnerability Alert

Other Fedora products AFAIK already did so…

1 Like

Amazon, RedHat and others also consider this vulnerability quite critical:

https://access.redhat.com/security/cve/CVE-2022-0847
https://alas.aws.amazon.com/cve/html/CVE-2022-0847.html#score-breakdown

1 Like

You can follow the status of the CoreOS work here → CVE-2022-0847 (The Dirty Pipe Vulnerability) · Issue #1118 · coreos/fedora-coreos-tracker · GitHub

2 Likes

Fixes are in testing and next. Should land in stable next week. See CVE-2022-0847 (The Dirty Pipe Vulnerability) · Issue #1118 · coreos/fedora-coreos-tracker · GitHub

1 Like