I have been informed about the CVE-2022-0847 vulnerability. I'm wondering what versions of Ubuntu are affected by such a bug.
Why ask us? Canonical has a website for this https://ubuntu.com/security/CVE-2022-0847 "needs triage" so it is unclear at this moment – Rinzwind Mar 08 '22 at 11:13
Oh, I'm sorry! Thanx – floatingpurr Mar 08 '22 at 11:14
It might be worth commenting on the LTS release of Ubuntu 20.04. Ubuntu 20.04 shipped with kernel 5.4, which is old enough to not be affected by CVE-2022-0847. However, if you installed a point release update (an Ubuntu 20.04.x), or if you have installed a newer HWE kernel on Ubuntu 20.04, then your system may well be affected. – mpb Mar 08 '22 at 22:27
@Rinzwind - 'needs triage' doesn't answer the question. See my answer below. – drudru Mar 08 '22 at 22:38
The kernel patch released on 9/3/2022 does not handle this particular CVE, but it addresses 3 other ones: https://ubuntu.com/security/notices/USN-5318-1 – Artur Meinild Mar 09 '22 at 08:54
4 Answers
I can confirm that kernel versions 5.13.0-28-generic and 5.11.0-40-generic for Ubuntu 20.04 are affected.

Given the incredible severity of this CVE, I did a lot of research on this.
Yes, this has been patched and pushed (as of 2022-03-08) for 21.10 (Impish).
Update 2022-03-09:
A comment below (@fuzzydrawrings) mentioned the fix was pushed to 20.04 (focal) as of 2022-03-08. I believe various versions of 18.04 (bionic) have been released as well. I have linked the commits for impish and bionic below.
Also:
https://ubuntu.com/security/notices can be helpful, and https://ubuntu.com/security/notices/USN-5317-1 is the notice for this CVE. However, it only mentions 21.10 and 20.04 LTS. I linked below to the commits for bionic that contain the fix.
21.10 (impish)
After I did a sudo apt update, I did a sudo apt list --upgradable to see if the kernel was updated.
It was.
The important line is here:
linux-generic/impish-updates 5.13.0.35.44 amd64
Googling for the answer didn't come up with any clear answers. So I went to the ubuntu git repository at:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish
(this URL is specific to impish)
You can then see that this version contains the patch from Max Kellermann: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish/commit/?id=181cbcef9f8c158189a3b1094c532b6686f14acf
The following commit tags it: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish/commit/?id=b07bbb7a296b9be80e48973bba8b03fb1101547f
linux (5.13.0-35.40) impish; urgency=medium
20.04 (focal)
the two kernel versions have received the update (5.4 and 5.13 HWE). Here are the commits:
18.04 (bionic)
the two kernel versions have received the update (4.15 and 5.4 HWE). Here are the commits:

I just received a patched kernel through Ubuntu focal 20.04 repository, so can confirm the update has been pushed for 20.04. – fuzzydrawrings Mar 09 '22 at 06:55
Your links are invalid - I don't see anything except this error:
Repository '%7Eubuntu-kernel/ubuntu/+source/linux/+git/impish/commit' not found.
– Artur Meinild Mar 09 '22 at 08:52
According to the promoted comment at the bottom of this Ars Technica story, the vulnerability requires two separate bugs. The second bug (and, hence, the vulnerability itself) was introduced in kernel 5.8. The first bug was introduced sometime prior. If correct: This would seem to imply that kernels below 5.8 are not vulnerable. Updates to kernels below 5.8 are likely therefore fixing the first bug. But those kernels were not vulnerable. – mpb Mar 09 '22 at 20:19
It's very likely that all Ubuntu releases with 5.8 kernels or later are currently affected as no patches for this have been released at this moment.

@marcelm - I believe you misread Bill Lipa's answer. Specifically, Lipa did not say what you quoted him as saying. I believe Lipa's answer is accurate as written. – mpb Mar 09 '22 at 20:07
@mpb You are right; It seems I misread the answer as "currently unaffected". My apologies! Bill, I downvoted your answer based on my misinterpretation, and now I can't undo that vote. If you edit your post (perhaps add some references or pointers to further information?) that restriction is lifted. Sorry :( – marcelm Mar 10 '22 at 09:50
All Ubuntu versions without patch linux-generic-hwe-20.04 from version 5.13.0.35.40~20.04.20 are affected by CVE-2022-0847
How to check it:
- run terminal
- run command:
apt list --installed | grep linux-generic
If you see the message (command run on Ubuntu 20.04) linux-generic-hwe-20.04/focal-updates,focal-security,now 5.13.0.35.40~20.04.20 amd64 [installed]
it means that the patch is applied and it doesn't affect your Ubuntu.
How to install it:
- run terminal
- run command:
sudo apt-get install linux-generic-hwe-20.04
- confirm it by pressing Y key.

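The version facts scattered across the answers above can be folded into one check on the running kernel. The script below is an added example, not part of any post in this thread; the names `classify_kernel` and `is_num` and the output labels are made up for illustration, and the thresholds are only the ones quoted in the thread (5.8 as the first vulnerable series, 5.13.0-35 as the fixed build, 5.11.0-40 reported affected).

```shell
#!/bin/sh
# Added example (not from the thread): classify a `uname -r` string for
# CVE-2022-0847 using only the version facts quoted in the posts above.
# Assumptions taken from the thread, not an official Canonical matrix:
#   - kernels older than 5.8 lack the second bug
#   - Ubuntu's 5.13.0 series carries the fix from ABI 35 (5.13.0-35.40)
#   - 5.11.0-40 was reported affected; no fixed 5.11 build is named

is_num() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

classify_kernel() {
    rel=$1
    ver=${rel%%-*}                 # "5.13.0" from "5.13.0-28-generic"
    rest=${rel#*-}                 # "28-generic"
    if [ "$rest" = "$rel" ]; then  # no "-ABI" suffix at all
        echo unknown; return 0
    fi
    case $ver in *.*.*) ;; *) echo unknown; return 0 ;; esac
    abi=${rest%%-*}
    major=${ver%%.*}; rem=${ver#*.}
    minor=${rem%%.*}; patch=${rem#*.}
    for field in "$major" "$minor" "$patch" "$abi"; do
        if ! is_num "$field"; then echo unknown; return 0; fi
    done
    # Series older than 5.8 predate the bug that makes this exploitable.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo pre-5.8; return 0
    fi
    case "$major.$minor.$patch" in
        5.13.0) if [ "$abi" -ge 35 ]; then echo patched; else echo affected; fi ;;
        5.11.0) if [ "$abi" -le 40 ]; then echo affected; else echo check-usn; fi ;;
        *)      echo check-usn ;;  # in range, but the thread names no fixed build
    esac
}

# Classify the running kernel when the script is executed directly.
echo "$(uname -r): $(classify_kernel "$(uname -r)")"
```

A `check-usn` result means the kernel is 5.8 or newer but the thread gives no fixed build for that series, so USN-5317-1 is the place to confirm.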