• Arthur BesseMA
    link
    fedilink
    arrow-up
    3
    ·
    3 years ago

    “Fixing the Linux Kernel Vulnerability CVE-2022-0185” is an inaccurate title. The post says nothing about fixing that Linux vulnerability. Rather, the post is about how kubernetes users can use AccuKnox’s products to mitigate the vulnerability.

    • CHEF-KOCHOP
      link
      fedilink
      arrow-up
      1
      arrow-down
      2
      ·
      edit-2
      3 years ago

      Authors choice of title - Protect from CVE-2022-0185 - I say it is a permanent fix, so my title is more accurate. The CVE itself is part of Linux Kernel to some kernels and therefore the title is correct.

      • Arthur BesseMA
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        3 years ago

        Does it fix anything for Linux users who don’t use kubernetes? The vast majority don’t. The obvious way everyone should fix CVE-2022-0185 today is by upgrading their kernel. If your distro hasn’t shipped an update with the fix yet, you should find a new distro.

        I was hoping that this link would tell me about the process of writing the Linux kernel patch (which I of course upgraded to already) which fixed the bug.

        Instead I found an advertisement for a kubernetes-related product. I have no idea if “AccuKnox” is any good, but I do know that at this point in time nobody should be “fixing” CVE-2022-0185 by installing it - the correct fix is to upgrade Linux.

        Perhaps this product is a good idea for kubernetes users to mitigate the next unprivileged user namespace related vulnerability; I stopped reading when I realized it was all about kubernetes.

        Another good mitigation for Linux users in general is to simply disable unprivileged user namespaces altogether :)

        • CHEF-KOCHOP
          link
          fedilink
          arrow-up
          1
          arrow-down
          4
          ·
          3 years ago
          • You can apply the method to other solutions too, it is mentioned at the bottom. Other product work similar, they usually apply a template.
          • What you hope and what it says can differ.
          • I doubt you even read it because you answered after 2-3 minutes of posting this guidance.
          • It is not an advertisement for Kubernetes. It is an example how to deal with the CVE using AccuKnox. If you want to complain about something then maybe that the Templates that they offer do not work on every Kernel, configuration, cluster etc.
          • The example is a fix to avoid getting compromised for that specific CVE. Whenever you like it or not it is a fix.
          • CVE-2022-0185, was discovered and patched before malicious attackers released an exploit publically. If this would be a guidance for home users I would have written something like - the Linux Kernel got an update to address CVE-2022-0185.
    • CHEF-KOCHOP
      link
      fedilink
      arrow-up
      2
      arrow-down
      2
      ·
      edit-2
      3 years ago

      The title does not mention anything near - Mitigation.

      Your mentioned workaround is Ubuntu or more precise Kernel specific because most newer kernel already do this which can according to my link even cause issues.

      Nice try

      To be able to exploit this vulnerability, the attacker needs to be able to run code in the container and the container must have CAP_SYS_ADMIN privileges. Linux kernel and all major distro maintainers have released patches.

      This is not desktop user specific issue, more for those who work with container, and then even have CAP_SYS_ADMIN privileges. A normal desktop does not run containers nor has such privileges that someone can exploit actively. Server or for those who work in such environment usually use mentioned products.

      The vulnerability was introduced in kernel 5.1 and patched in 5.16.2. You can mitigate completely the problem by patching to the latest version. Note, all major distributions released patches.

      The guide is designed for those who for example use an older 4.x LTS kernel, run such processes, under specific circumstances and are vulnerable. So it is a fix.

      People speculate that desktops are meant here, when real target always was servers and people who work with lots of file-system related stuff but that is mostly also server only target. Some exceptions aside.

      • a_Ha
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        3 years ago

        i adjusted my previous comment.
        i understand that I didn’t understand enough. i will leave this topic.