10

I have been informed about the CVE-2022-0847 vulnerability. I'm wondering what versions of Ubuntu are affected by such a bug.

tomodachi
floatingpurr
  • 9
    Why ask us? Canonical has a website for this https://ubuntu.com/security/CVE-2022-0847 "needs triage" so it is unclear at this moment – Rinzwind Mar 08 '22 at 11:13
  • Oh, I'm sorry! Thanx – floatingpurr Mar 08 '22 at 11:14
  • 1
    It might be worth commenting on the LTS release of Ubuntu 20.04. Ubuntu 20.04 shipped with kernel 5.4, which is old enough to not be affected by CVE-2022-0847. However, if you installed a point release update (an Ubuntu 20.04.x), or if you have installed a newer HWE kernel on Ubuntu 20.04, then your system may well be affected. – mpb Mar 08 '22 at 22:27
  • 3
    @Rinzwind - 'needs triage' doesn't answer the question. See my answer below. – drudru Mar 08 '22 at 22:38
  • The kernel patch released on 9/3/2022 *does not* handle this particular CVE, but it addresses 3 other ones: https://ubuntu.com/security/notices/USN-5318-1 – Artur Meinild Mar 09 '22 at 08:54

4 Answers

9

I can confirm that kernel versions 5.13.0-28-generic and 5.11.0-40-generic for Ubuntu 20.04 are affected.

Carsten Agger
5

Given the incredible severity of this CVE, I did a lot of research on this.

Yes, this has been patched and pushed (as of 2022-03-08) for 21.10 (Impish).

Update 2022-03-09:

A comment below (@fuzzydrawings), mentioned the fix was pushed to 20.04 (focal) as of 2022-03-08. I believe various versions of 18.04 (bionic) have been released as well. I have linked the commits for impish and bionic below.

Also:

https://ubuntu.com/security/notices can be helpful, and https://ubuntu.com/security/notices/USN-5317-1 is the notice for this CVE. However it only mentions 21.10 and 20.04 LTS. I linked below to the commits for bionic that contain the fix.

21.10 (impish)

After I did a `sudo apt update`, I did a `sudo apt list --upgradable` to see if the kernel was updated. It was.

The important line is here: `linux-generic/impish-updates 5.13.0.35.44 amd64`

Googling for the answer didn't come up with any clear answers. So I went to the Ubuntu git repository at:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish

(this URL is specific to impish)

You can then see that this version contains the patch from Max Kellermann: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish/commit/?id=181cbcef9f8c158189a3b1094c532b6686f14acf

The following commit tags it: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish/commit/?id=b07bbb7a296b9be80e48973bba8b03fb1101547f

linux (5.13.0-35.40) impish; urgency=medium

20.04 (focal)

The two kernel versions have received the update (5.4 and 5.13 HWE). Here are the commits:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=114ece9d1f915886450030af5333287437bbf74b

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=438da6e5c849ffe553fc15379471bf331346c3d2

18.04 (bionic)

The two kernel versions have received the update (4.15 and 5.4 HWE). Here are the commits:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/commit/?id=aeae4fd15ccbf0012f84d792ea7aef08e299da30

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/commit/?id=10de766b07707fc67eb3e0a7ffcbaa27603d7c64

drudru
  • @user535733 - good idea. I didn't check those. I will edit now. – drudru Mar 09 '22 at 06:04
  • 1
    I just received a patched kernel through Ubuntu focal 20.04 repository, so can confirm the update has been pushed for 20.04. – fuzzydrawrings Mar 09 '22 at 06:55
  • Your links are invalid - I don't see anything except this error: `Repository '%7Eubuntu-kernel/ubuntu/+source/linux/+git/impish/commit' not found.` – Artur Meinild Mar 09 '22 at 08:52
  • @ArturMeinild - I just checked. The links work. – drudru Mar 09 '22 at 18:42
  • @fuzzydrawings - thanks, I will update the post. – drudru Mar 09 '22 at 18:43
  • According to the promoted comment at the bottom of [this Ars Technica story](https://arstechnica.com/information-technology/2022/03/linux-has-been-bitten-by-its-most-high-severity-vulnerability-in-years/), the vulnerability requires two separate bugs. The second bug (and, hence, the vulnerability itself) was introduced in kernel 5.8. The first bug was introduced sometime prior. If correct: This would seem to imply that kernels below 5.8 are not vulnerable. Updates to kernels below 5.8 are likely therefore fixing the first bug. But those kernels were not vulnerable. – mpb Mar 09 '22 at 20:19
2

It's very likely that all Ubuntu releases with 5.8 kernels or later are currently affected as no patches for this have been released at this moment.

Bill Lipa
  • 1
    @marcelm - I believe you misread Bill Lipa's answer. Specifically, Lipa did not say what you quoted him as saying. I believe Lipa's answer is accurate as written. – mpb Mar 09 '22 at 20:07
  • @mpb You are right; It seems I misread the answer as _"currently unaffected"_. My apologies! Bill, I downvoted your answer based on my misinterpretation, and now I [can't undo that vote](https://meta.stackexchange.com/questions/80762/why-do-votes-get-locked). If you edit your post (perhaps add some references or pointers to further information?) that restriction is lifted. Sorry :( – marcelm Mar 10 '22 at 09:50
1

All Ubuntu versions without the patch, linux-generic-hwe-20.04 from version 5.13.0.35.40~20.04.20, are affected by CVE-2022-0847.

How to check it:

  1. Run a terminal.
  2. Run the command: `apt list --installed | grep linux-generic`

If you see the message (command run on Ubuntu 20.04) `linux-generic-hwe-20.04/focal-updates,focal-security,now 5.13.0.35.40~20.04.20 amd64 [installed]`, it means that the patch is applied and the vulnerability does not affect your Ubuntu.

How to install it:

  1. Run a terminal.
  2. Run the command: `sudo apt-get install linux-generic-hwe-20.04`
  3. Confirm it by pressing the Y key.

Lorenz Keel
Igor-Potapov
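
The `apt list --installed` check above shows which package is installed, while `uname -r` shows which kernel is actually booted. The following is an added example, not code from any of the answers: it classifies a `uname -r` string using only the version facts stated in this thread (the 5.8 threshold from the comments and the 5.13.0-35 build tagged with the fix). The function name and the sample release strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a `uname -r` string using only
# the version facts stated on this page. classify_kernel is a hypothetical name.

classify_kernel() {
    rel=$1
    base=${rel%%-*}     # upstream part, e.g. "5.13.0"
    rest=${rel#*-}      # e.g. "35-generic"
    abi=${rest%%-*}     # Ubuntu ABI number, e.g. "35"
    major=${base%%.*}
    tmp=${base#*.}
    minor=${tmp%%.*}

    # Refuse anything not in the <major>.<minor>.<patch>-<abi>-<flavour> form.
    for n in "$major" "$minor" "$abi"; do
        case $n in
            ''|*[!0-9]*) echo "unknown"; return 0 ;;
        esac
    done

    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        # Below the 5.8 threshold given in the comments for the second bug.
        echo "pre-5.8"
    elif [ "$base" = "5.13.0" ] && [ "$abi" -ge 35 ]; then
        # 5.13.0-35 is the build tagged with the fix in the impish changelog.
        echo "fixed-build"
    elif [ "$base" = "5.13.0" ]; then
        # Older 5.13.0 build, such as the 5.13.0-28 reported affected above.
        echo "predates-fix"
    else
        # 5.8 or later, but the page gives no fixed build for this series.
        echo "check-usn"
    fi
}

# Constructed sample release strings, followed by the kernel actually booted.
for k in 5.4.0-100-generic 5.11.0-40-generic 5.13.0-28-generic \
         5.13.0-35-generic "$(uname -r)"; do
    printf '%-24s %s\n' "$k" "$(classify_kernel "$k")"
done
```

A `predates-fix` result on a machine where the patched package is already installed usually means it has not yet been rebooted into the new kernel.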