CVE-2019-3874

Impact:
Moderate
Public Date:
2019-03-19
CWE:
CWE-400
Bugzilla:
1686373: CVE-2019-3874 kernel: SCTP socket buffer memory leak leading to denial of service
The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack.

Find out more about CVE-2019-3874 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

While this issue affects the Linux Kernel in Red Hat Enterprise Linux, and not OpenShift Container Platform (OCP) 3 code directly. OCP 3 makes use of CGroups in the Kernel to measure and report on the amount of system resources used by an end user application.

The default Security Context Constraints (SCC) in OpenShift Container Platform 3.x disallow an end user from running a container as root. Also a check is performed by the OCP 3 Installer to ensure SELinux is enabled, [1].

[1] https://github.com/openshift/openshift-ansible/blob/006fb14e9a28df9bd1a58ac376bbdf3eba50fa51/roles/openshift_node/tasks/main.yml#L3

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 5.3
CVSS3 Base Metrics CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Adjacent Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 8 kernel Affected
Red Hat Enterprise Linux 7 kernel Affected
Red Hat Enterprise Linux 7 kernel-rt Affected
Red Hat Enterprise Linux 7 kernel-alt Affected

Acknowledgements

This issue was discovered by Matteo Croce (Red Hat), Natale Vinto (Red Hat), and Andrea Spagnolo (Red Hat).

Mitigation

SELinux prevents a bind of the SCTP socket by a non-root user.

To mitigate this issue if not using SELinux, or if a Security Context Constraint allows running pods as the root user the 'sctp' module should be blacklisted. Please this this Knowledge Base article for more information on how to blacklist a kernel module. https://access.redhat.com/solutions/41278

External References

Last Modified