CVE-2022-32250 - kpatch-patch security update

Our vulnerability scanner is giving us the following results when scanning NethServer.

CVE-2022-32250: Important: kpatch-patch security update (Multiple Advisories)

Vulnerable OS: CentOS Linux 7.9.2009

Vulnerable software installed: Linux kernel 3.10.0-1160.59.1.el7

  • Required patch [CVE-2022-32250] is not installed, no patches discovered.

Related Links for CVE-2022-32250
https://nvd.nist.gov/vuln/detail/CVE-2022-32250#vulnCurrentDescriptionTitle

Remediation:
Upgrade kernel

Configuration remediation steps

Update kernel to the latest version available from CentOS, using tools like yum or up2date.


Our Nethserver details
NethServer release 7.9.2009 (final)
The only update seen in the software center at this moment within cockpit is: perl-Net-Server@2.007-3.el7 from epel


When can we expect to see a patch come down via the Software Center in NethServer’s GUI?

thanks

If this is the source of the issue

my answer is “update and reboot”.
According to a fully updated installation, this should be the latest kernel available for CentOS 7 and NethServer 7.9:
[image]
This also
[image]
is the list of kernels on that system. There are at least three fresher kernels installed. :slight_smile:


It seems CVE-2022-32250 was referenced as CVE-2022-1966 in the CentOS 7 kernel changelog:

rpm -q --changelog kernel |grep CVE-2022-1966
rpm -q --changelog kernel-3.10.0-1160.71.1.el7 |grep CVE-2022-1966
- netfilter: nf_tables: disallow non-stateful expression in sets earlier (Phil Sutter) [2093000] {CVE-2022-1966}

Fixed in kernel-3.10.0-1160.71.1.el7
So, as @pike mentions, you just need to run updates as usual (and better to reboot the system, as it is a kernel update).
But the vulnerability scanner might still complain if it expects a higher kernel version even though the patch is effectively applied.

https://lists.centos.org/pipermail/centos-announce/2022-August/073620.html
https://access.redhat.com/errata/RHSA-2022:5232
https://patches.kernelcare.com/?distro=centos7-plus%2Ccentos7%2Ccentos7-elrepo%2Ccentos7-elrepo-5.4&cve=CVE-2022-1966

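The two checks the replies above describe, as an added example (this is my own script, not code from the thread, NethServer or Red Hat): first, whether the kernel that is actually running (`uname -r`) is the newest kernel package installed (`rpm -q kernel`), since an update without a reboot leaves the scanner looking at the old kernel; second, whether the installed kernel's changelog (`rpm -q --changelog kernel`) mentions the CVE or the alias Red Hat used for it, because a backported fix keeps the 3.10.0 version string and a version-only scanner match cannot see it. The function names, the awk version comparison and the demo data are assumptions of mine; the demo uses only kernel versions and the one changelog line that appear in this thread, and the real-host invocations are in the comments at the end.

```shell
#!/bin/sh
# Added example, not code from the thread or from NethServer.
# The functions take their input as arguments/stdin so they can run here on
# constructed data; real rpm/uname invocations are shown at the bottom.

# Turn "kernel-3.10.0-1160.76.1.el7.x86_64" or "3.10.0-1160.59.1.el7" into the
# numeric fields "3 10 0 1160 76 1" (package prefix, .el7 and arch dropped).
kernel_key() {
    printf '%s\n' "$1" | sed -e 's/^kernel-//' -e 's/\.el[0-9][0-9]*.*$//' -e 's/[.-]/ /g'
}

# Exit 0 if kernel $1 is strictly newer than kernel $2, 1 otherwise.
# Compares field by field so 1160.76.1 beats 1160.59.1 even though "5" > "7" as text.
kernel_newer() {
    awk -v a="$(kernel_key "$1")" -v b="$(kernel_key "$2")" 'BEGIN {
        na = split(a, x, " "); nb = split(b, y, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 1
    }'
}

# Print the newest of the kernel package names given as arguments.
newest_kernel() {
    best=""
    for k in "$@"; do
        if [ -z "$best" ] || kernel_newer "$k" "$best"; then
            best="$k"
        fi
    done
    printf '%s\n' "$best"
}

# $1 = running kernel (uname -r), remaining args = installed kernel packages.
# Exit 0 when the newest installed kernel is the running one, 1 when a reboot is pending.
reboot_status() {
    running="$1"; shift
    newest=$(newest_kernel "$@")
    if kernel_newer "$newest" "$running"; then
        echo "reboot-needed: running $running, newest installed $newest"
        return 1
    fi
    echo "running-newest: $running"
    return 0
}

# Read a changelog on stdin; exit 0 if CVE $1 or its optional alias $2 is mentioned.
changelog_has_cve() {
    if [ -n "${2:-}" ]; then
        grep -q -e "$1" -e "$2"
    else
        grep -q -e "$1"
    fi
}

# --- constructed demo data (assumption): only versions that appear in the thread ---
RUNNING="3.10.0-1160.59.1.el7"
INSTALLED="kernel-3.10.0-1160.59.1.el7 kernel-3.10.0-1160.71.1.el7 kernel-3.10.0-1160.76.1.el7"
# One changelog line, copied from the rpm output quoted in the thread.
CHANGELOG_SAMPLE='- netfilter: nf_tables: disallow non-stateful expression in sets earlier (Phil Sutter) [2093000] {CVE-2022-1966}'

demo() {
    reboot_status "$RUNNING" $INSTALLED || true
    if printf '%s\n' "$CHANGELOG_SAMPLE" | changelog_has_cve CVE-2022-32250 CVE-2022-1966; then
        echo "changelog: fix present (under the CVE-2022-1966 alias)"
    else
        echo "changelog: no entry for CVE-2022-32250 / CVE-2022-1966"
    fi
}
demo

# On a real CentOS 7 / NethServer 7 host the same checks are:
#   reboot_status "$(uname -r)" $(rpm -q kernel)
#   rpm -q --changelog kernel | changelog_has_cve CVE-2022-32250 CVE-2022-1966 && echo fixed
```

On the thread's situation the demo reports `reboot-needed` (59.1 running, 76.1 installed) and finds the fix under the alias; after the reboot the first check turns into `running-newest`, which is exactly what the scanner eventually saw. A scanner that only compares the version string against an upstream fixed version will still complain about a backported fix, so the changelog check is the one to attach to the ticket.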

Red Hat does backporting, but keeps the kernel version for compatibility reasons.

My 2 cents
Andy

I’m sorry, I was wrong.
Seems that 3.10.0-1160.76.1.el7 just kicked in.
This leads to 5 kernels fresher than 3.10.0-1160.59.1.el7. Update and reboot still seems the right jam to me.

Thanks for the replies on this. Turns out, a previous software update that was recently done in the software center actually did cover the kernel update, but we were missing the reboot with it. So our vulnerability scanner was seeing the down-level kernel until that pesky reboot was completed. Thanks again for the tips.
