CVE-2022-21123

medium

Published 2022-11-15 · Modified 2022-11-18

CVSS v3

—

VIR risk

5.5

Description

Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR) Red Hat statement Red Hat has very limited to no visibility and control over binary blobs provided by third-party vendors. Red Hat relies heavily on the vendors to provide timely updates and information about included changes for this content and in most cases merely acts as a release vehicle between the third-party…

Description

hw: cpu: incomplete clean-up of multi-core shared buffers (aka SBDR)

Red Hat statement

Red Hat has very limited to no visibility and control over binary blobs provided by third-party vendors. Red Hat relies heavily on the vendors to provide timely updates and information about included changes for this content and in most cases merely acts as a release vehicle between the third-party vendor and Red Hat customers with no possibility of influencing or even documenting the changes. Unless explicitly stated, the level of insight, oversight, and control Red Hat has does not meet the criteria required (in terms of Red Hat ownership of development processes, QA, and documentation) for releasing this content as RHSA. For more information please contact the binary content vendor.

CVSS v3: 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 7	`kernel-rt-0:3.10.0-1160.76.1.rt56.1220.el7`	RHSA-2022:5939	2022-08-09T00:00:00Z
Red Hat Enterprise Linux 7	`kernel-0:3.10.0-1160.76.1.el7`	RHSA-2022:5937	2022-08-09T00:00:00Z
Red Hat Enterprise Linux 8	`kernel-rt-0:4.18.0-372.26.1.rt7.183.el8_6`	RHSA-2022:6437	2022-09-13T00:00:00Z
Red Hat Enterprise Linux 8	`kernel-0:4.18.0-372.26.1.el8_6`	RHSA-2022:6460	2022-09-13T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions	`kernel-0:4.18.0-147.76.1.el8_1`	RHSA-2022:6872	2022-10-11T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support	`kernel-0:4.18.0-193.93.1.el8_2`	RHSA-2022:7279	2022-11-01T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service	`kernel-rt-0:4.18.0-193.93.1.rt13.143.el8_2`	RHSA-2022:7280	2022-11-01T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service	`kernel-0:4.18.0-193.93.1.el8_2`	RHSA-2022:7279	2022-11-01T00:00:00Z
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions	`kernel-0:4.18.0-193.93.1.el8_2`	RHSA-2022:7279	2022-11-01T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support	`kernel-rt-0:4.18.0-305.65.1.rt7.137.el8_4`	RHSA-2022:6991	2022-10-18T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support	`kernel-0:4.18.0-305.65.1.el8_4`	RHSA-2022:6983	2022-10-18T00:00:00Z
Red Hat Enterprise Linux 9	`kernel-0:5.14.0-162.6.1.el9_1`	RHSA-2022:8267	2022-11-15T00:00:00Z
Red Hat Enterprise Linux 9	`kernel-rt-0:5.14.0-162.6.1.rt21.168.el9_1`	RHSA-2022:7933	2022-11-15T00:00:00Z
Red Hat Enterprise Linux 9	`kernel-0:5.14.0-162.6.1.el9_1`	RHSA-2022:8267	2022-11-15T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support	`kernel-0:5.14.0-70.36.1.el9_0`	RHSA-2022:8973	2022-12-13T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support	`kernel-rt-0:5.14.0-70.36.1.rt21.108.el9_0`	RHSA-2022:8974	2022-12-13T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8	`kernel-0:4.18.0-372.26.1.el8_6`	RHSA-2022:6460	2022-09-13T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`kernel`	Affected
Red Hat Enterprise Linux 6	`microcode_ctl`	Affected
Red Hat Enterprise Linux 7	`microcode_ctl`	Affected
Red Hat Enterprise Linux 8	`microcode_ctl`	Affected
Red Hat Enterprise Linux 9	`microcode_ctl`	Affected

Apply commands

bash fix

Apply RHSA-2022:5939 for Red Hat Enterprise Linux 7

yum update -y kernel-rt
# or:
dnf upgrade -y kernel-rt

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 6	`Affected`
redhat	Red Hat Enterprise Linux 6	`Affected`
redhat	Red Hat Enterprise Linux 7	`Affected`
redhat	Red Hat Enterprise Linux 8	`Affected`
redhat	Red Hat Enterprise Linux 9	`Affected`

OS impact

OS	Version	Status	Fixed in
almalinux	9	fixed	`kernel-rt-debug-core-5.14.0-162.6.1.rt21.168.el9_1.x86_64.rpm`
rhel	9	fixed
sles		affected
rocky	8	fixed
debian	bookworm	fixed	`3.20220510.1`
debian	bullseye	fixed	`3.20220510.1~deb11u1`
debian	forky	fixed	`3.20220510.1`
debian	sid	fixed	`3.20220510.1`
debian	trixie	fixed	`3.20220510.1`
rocky	9	fixed
almalinux	8	fixed	`kernel-rt-debug-4.18.0-372.26.1.rt7.183.el8_6.x86_64.rpm`

References

💬 Discuss CVE-2022-21123 on VIR Community →

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.