On September 4, the Linux community disclosed a kernel vulnerability, identified as CVE-2020-14386. The vulnerability is in the Linux kernel file net/packet/af_packet.c. An attacker can exploit this vulnerability to perform an out-of-bounds write, which could lead to privilege escalation or a container escape.
Vulnerability information
CVE identifier: CVE-2020-14386
Vulnerability severity: High
Affected versions:
This vulnerability affects Linux distributions that use a kernel version later than 4.6.
Affected ECS images include:
Alibaba Cloud Linux 2.1903 (formerly Aliyun Linux 2.1903)
CentOS 8
Red Hat Enterprise Linux 8
Debian 9/10
OpenSUSE 15
SUSE Linux Enterprise Server 12/15
Ubuntu 18.04/20.04
Description
CVE-2020-14386 is a memory overflow vulnerability in a kernel module. On Linux systems with a kernel version later than 4.6, non-privileged users, including those in Kubernetes (K8s) or Docker containers, can trigger an out-of-bounds write that may lead to privilege escalation or a container escape.
Security suggestion
Apply the latest official patches as soon as possible.
Solution
Fixes for Alibaba Cloud Linux 2.1903 (formerly Aliyun Linux 2.1903):
To upgrade the kernel, use one of the following methods.
Run the following command to upgrade the kernel to the patched version.
yum -y install kernel-4.19.91-21.2.al7Run the following command to upgrade the kernel to the latest version.
yum -y update kernel
Run the following command to restart the system.
reboot
NoteFor more information about security fixes for Alibaba Cloud Linux 2.1903, see Alibaba Cloud Linux 2 CVE Update Record.
To upgrade other public images, see the advisories for SUSE Linux Enterprise Server, Ubuntu, and Debian.
Announced by
Alibaba Cloud Computing Co., Ltd.