CVE-2022-32250 - kpatch-patch security update

Our vulnerability scanner is giving us the following results when scanning NethServer.

CVE-2022-32250: Important: kpatch-patch security update (Multiple Advisories)

Vulnerable OS: CentOS Linux 7.9.2009

Vulnerable software installed: Linux kernel 3.10.0-1160.59.1.el7

  • Required patch [CVE-2022-32250] is not installed, no patches discovered.

Related Links for CVE-2022-32250

Upgrade kernel

Configuration remediation steps

Update kernel to the latest version available from CentOS, using tools like yum or up2date.

Our Nethserver details
NethServer release 7.9.2009 (final)
The only update seen in the software center at this moment within cockpit is: perl-Net-Server@2.007-3.el7 from epel

When can we expect to see a patch come down via the Software Center in NethServer’s GUI?


If this is the source of the issue

my answer is “update and reboot”.
According with a fully updated installation, this should be the latest kernel available for CentOS7 and NethServer 7.9
This also

is the list of kernel into that system. There are at least three fresher kernels installed. :slight_smile:

1 Like

it seems CVE-2022-32250 was referenced as CVE-2022-1966 in the CentOS 7 kernel changelog:

rpm -q --changelog kernel |grep CVE-2022-1966
rpm -q --changelog kernel-3.10.0-1160.71.1.el7 |grep CVE-2022-1966
- netfilter: nf_tables: disallow non-stateful expression in sets earlier (Phil Sutter) [2093000] {CVE-2022-1966}

Fixed in kernel-3.10.0-1160.71.1.el7
So as @pike mentions you just need to run updates as usual (and better to reboot the system as it is a kernel update).
But the vulnerability scanner might still complain if it expects a higher kernel version even though the patch is effectively applied.

1 Like

RedHat does backporting - but keeping the Kernel version for compatibility reasons.

My 2 cents

I’m sorry, i were wrong.
Seems that 3.10.0-1160.76.1.el7 just kicked in.
This leads to 5 kernel fresher than 3.10.0-1160.59.1.el7. Update and reboot still seem the right jam to me.

Thanks for the replies on this. Turns out, a previous software update that was recently done in the software center actually did cover the kernel update but we were missing the reboot with it. So our vulnerability scanner was seeing the down level kernel until that pesky reboot was completed. Thanks again for the tips.

1 Like