
Bug 2220892 (CVE-2023-35001, ZDI-CAN-20721)

Summary: CVE-2023-35001 kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval()
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
Severity: high
Priority: high
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, fwestpha, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jkastnin, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint-bot, ldoskova, lgoncalv, lzampier, nmurray, ptalbert, qzhao, rhandlin, rkeshri, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds (OOB) memory access flaw was found in the Netfilter subsystem of the Linux kernel, in nft_byteorder_eval() in net/netfilter/nft_byteorder.c. A bounds-check failure allows a local attacker with CAP_NET_ADMIN access to cause a local privilege escalation issue due to incorrect data alignment.
Bug Depends On: 2221046, 2221047, 2221717, 2221718, 2221719, 2221720, 2221721, 2221722, 2221723, 2221724, 2221725, 2221726, 2221727, 2221729, 2221730, 2221731, 2221732, 2221733, 2221734, 2221735, 2221736, 2221737, 2221744, 2221745, 2221746, 2221747, 2221748, 2221749, 2221750, 2221751, 2221752, 2221753, 2221754, 2221755, 2221756, 2221759    
Bug Blocks:    

Description TEJ RATHI 2023-07-06 13:01:31 UTC
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

https://lore.kernel.org/netfilter-devel/20230705121515.747251-1-cascardo@canonical.com/T/
https://www.openwall.com/lists/oss-security/2023/07/05/3

Comment 9 Rohit Keshri 2023-07-10 17:01:39 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2221759]

Comment 16 errata-xmlrpc 2023-09-05 08:58:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4961 https://access.redhat.com/errata/RHSA-2023:4961

Comment 17 errata-xmlrpc 2023-09-05 09:06:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4962 https://access.redhat.com/errata/RHSA-2023:4962

Comment 18 errata-xmlrpc 2023-09-05 09:06:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:4967 https://access.redhat.com/errata/RHSA-2023:4967

Comment 19 errata-xmlrpc 2023-09-12 09:50:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5091 https://access.redhat.com/errata/RHSA-2023:5091

Comment 20 errata-xmlrpc 2023-09-12 09:52:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5093 https://access.redhat.com/errata/RHSA-2023:5093

Comment 21 errata-xmlrpc 2023-09-12 10:14:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5069 https://access.redhat.com/errata/RHSA-2023:5069

Comment 22 errata-xmlrpc 2023-09-19 08:00:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5221 https://access.redhat.com/errata/RHSA-2023:5221

Comment 23 errata-xmlrpc 2023-09-19 12:37:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5238 https://access.redhat.com/errata/RHSA-2023:5238

Comment 24 errata-xmlrpc 2023-09-19 12:39:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5235 https://access.redhat.com/errata/RHSA-2023:5235

Comment 25 errata-xmlrpc 2023-09-19 14:02:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5255 https://access.redhat.com/errata/RHSA-2023:5255

Comment 26 errata-xmlrpc 2023-09-19 14:35:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5244 https://access.redhat.com/errata/RHSA-2023:5244

Comment 27 errata-xmlrpc 2023-10-03 07:13:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:5414 https://access.redhat.com/errata/RHSA-2023:5414

Comment 28 errata-xmlrpc 2023-10-10 09:40:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5548 https://access.redhat.com/errata/RHSA-2023:5548

Comment 29 errata-xmlrpc 2023-10-10 10:13:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5575 https://access.redhat.com/errata/RHSA-2023:5575

Comment 30 errata-xmlrpc 2023-10-10 10:24:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5574 https://access.redhat.com/errata/RHSA-2023:5574

Comment 31 errata-xmlrpc 2023-10-10 15:25:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5603 https://access.redhat.com/errata/RHSA-2023:5603

Comment 32 errata-xmlrpc 2023-10-10 15:33:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5604 https://access.redhat.com/errata/RHSA-2023:5604

Comment 33 errata-xmlrpc 2023-10-10 15:50:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5621 https://access.redhat.com/errata/RHSA-2023:5621

Comment 34 errata-xmlrpc 2023-10-10 16:14:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5622 https://access.redhat.com/errata/RHSA-2023:5622

Comment 35 errata-xmlrpc 2023-10-10 16:26:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627

Comment 37 errata-xmlrpc 2023-11-15 17:41:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2023:7243 https://access.redhat.com/errata/RHSA-2023:7243

Comment 38 errata-xmlrpc 2024-03-12 11:43:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1268 https://access.redhat.com/errata/RHSA-2024:1268

Comment 39 errata-xmlrpc 2024-03-12 11:45:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1269 https://access.redhat.com/errata/RHSA-2024:1269

Comment 40 errata-xmlrpc 2024-03-12 15:00:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1278 https://access.redhat.com/errata/RHSA-2024:1278