Symptoms
The kernel is vulnerable to CVE-2022-32250.
Description
Vulnerability CVE-2022-32250 was addressed back in August 2022 for many servers. Unfortunately, it is tricky to confirm that a server is patched because the kernel changelogs are inconsistent. The fix is tracked as CVE-2022-32250, but on many servers the changelog does not list that CVE ID; it still shows the issue as resolved under the duplicate ID CVE-2022-1966. Which entry appears in the changelog depends on the server's operating system and which version of the kernel packages is installed.
Workaround
To verify whether the server is patched, follow the procedures below.
For servers with KernelCare, follow the guidance below.
- If the server is running KernelCare, the kernel patch can be verified with the following command:
/usr/bin/kcarectl --patch-info | grep CVE-2022-32250
The output will look similar to the example below, confirming the server IS patched.
/usr/bin/kcarectl --patch-info | grep CVE-2022-32250
kpatch-name: 3.10.0/CVE-2022-32250-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch
kpatch-cve: CVE-2022-32250
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2022-32250
- KernelCare updates patches automatically, but if the patch is not installed and you need to update, the command below performs a manual update.
/usr/bin/kcarectl --update
Note: KernelCare requires an active license to maintain updates.
For servers without KernelCare, follow the guidance below.
- Identify the running kernel (this method works for CentOS, CloudLinux, and AlmaLinux, but not for servers with KernelCare):
uname -a
This returns information similar to the following; your output will differ depending on which kernel version is installed and the hostname.
uname -a
Linux servername.hosting.com 4.18.0-425.3.1.el8.x86_64 #1 SMP Tue Nov 8 14:08:25 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
- We've identified the running kernel as 4.18.0-425.3.1.el8.x86_64. Next, check the changelog for the following entries with the rpm command:
rpm -q kernel-4.18.0-425.3.1.el8.x86_64 --changelog |grep -E '2022-1966|2022-32250'
- netfilter: nf_tables: disallow non-stateful expression in sets earlier (Phil Sutter) [2092986 2092987] {CVE-2022-32250}
- netfilter: nf_tables: disallow non-stateful expression in sets earlier (Phil Sutter) [2092987] {CVE-2022-1966}
Note: Depending on the server's operating system, the output may show one or two changelog lines indicating the patch is installed.
If either message appears, the kernel is already patched against this CVE. If not, you will need to update the kernel and reboot the server.
- If necessary, update the kernel with the following command:
yum update kernel
Schedule a time to reboot the server, ideally as soon as possible. A new kernel loads only after the server is rebooted following the update.
Note: Updating the kernel should be performed by the server administrator.
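The checks above combined into one shell function, as an added example that is not part of the original article or of any vendor tooling. It accepts either CVE ID in the changelog and also reports the case where a fixed kernel is installed but not yet booted. The wrapper function names and status strings are illustrative assumptions; the rpm and kcarectl invocations are the ones used above, plus rpm's --qf option to list installed kernel packages.

```shell
#!/bin/sh
# Added example. Accept either CVE ID: changelogs may list the duplicate.
FIX_IDS='CVE-2022-32250|CVE-2022-1966'

# Thin wrappers (hypothetical names) around the real tools, so the decision
# logic below can be exercised with constructed data.
running_kernel() { echo "kernel-$(uname -r)"; }
list_kernels()   { rpm -q kernel --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'; }
get_changelog()  { rpm -q "$1" --changelog 2>/dev/null; }
kcare_info()     { [ -x /usr/bin/kcarectl ] && /usr/bin/kcarectl --patch-info 2>/dev/null; }

# Succeeds if the text on stdin mentions the fix under either CVE ID.
has_fix() { grep -Eq "$FIX_IDS"; }

# Prints one of: patched-live, patched, reboot-pending, vulnerable.
# Returns 0 when the running kernel is protected, 1 otherwise.
kernel_status() {
    # KernelCare live patch applied to the running kernel.
    if kcare_info | grep -q 'kpatch-cve: CVE-2022-32250'; then
        echo patched-live; return 0
    fi
    running=$(running_kernel)
    if get_changelog "$running" | has_fix; then
        echo patched; return 0
    fi
    # Running kernel lacks the fix: is a fixed kernel installed but not booted?
    for pkg in $(list_kernels); do
        if [ "$pkg" != "$running" ] && get_changelog "$pkg" | has_fix; then
            echo reboot-pending; return 1
        fi
    done
    echo vulnerable; return 1
}
```

Call kernel_status on the server after sourcing the file; a result of reboot-pending means the update is installed and only the reboot is outstanding.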