Vulnerability announcement | Linux kernel vulnerability (CVE-2020-14386)

更新时间:
复制 MD 格式

On September 4, the Linux community disclosed a kernel vulnerability, identified as CVE-2020-14386. The vulnerability is in the Linux kernel file net/packet/af_packet.c. An attacker can exploit this vulnerability to perform an out-of-bounds write, which could lead to privilege escalation or a container escape.

Vulnerability information

  • CVE identifier: CVE-2020-14386

  • Vulnerability severity: High

  • Affected versions:

    • This vulnerability affects Linux distributions that use a kernel version later than 4.6.

    • Affected ECS images include:

      • Alibaba Cloud Linux 2.1903 (formerly Aliyun Linux 2.1903)

      • CentOS 8

      • Red Hat Enterprise Linux 8

      • Debian 9/10

      • OpenSUSE 15

      • SUSE Linux Enterprise Server 12/15

      • Ubuntu 18.04/20.04

Description

CVE-2020-14386 is a memory overflow vulnerability in a kernel module. On Linux systems with a kernel version later than 4.6, non-privileged users, including those in Kubernetes (K8s) or Docker containers, can trigger an out-of-bounds write that may lead to privilege escalation or a container escape.

Security suggestion

Apply the latest official patches as soon as possible.

Solution

  • Fixes for Alibaba Cloud Linux 2.1903 (formerly Aliyun Linux 2.1903):

    1. To upgrade the kernel, use one of the following methods.

      • Run the following command to upgrade the kernel to the patched version.

        yum -y install kernel-4.19.91-21.2.al7
      • Run the following command to upgrade the kernel to the latest version.

        yum -y update kernel
    2. Run the following command to restart the system.

      reboot
    Note

    For more information about security fixes for Alibaba Cloud Linux 2.1903, see Alibaba Cloud Linux 2 CVE Update Record.

  • To upgrade other public images, see the advisories for SUSE Linux Enterprise Server, Ubuntu, and Debian.

Announced by

Alibaba Cloud Computing Co., Ltd.