Security Advisory

Alibaba Cloud Statement on the Impact Assessment of Dirty Pipe Vulnerability (CVE-2022-0847)

Apr 11, 2022

Since March 7, 2022, Alibaba Cloud has been aware of the security issues related to the dirty pipe remote code execution (RCE) vulnerability (CVE-2022-0847) (the “Dirty Pipe”) in the Linux kernel. Alibaba Cloud has taken immediate action to mitigate security risks related to the Dirty Pipe. As confirmed by the Alibaba Cloud security team, except that Alibaba Cloud Linux 3 and a small portion of Container Service for Kubernetes (ACK) instances are affected, all the other internal systems and Apsara Stack product models of Alibaba Cloud have not been affected by the Dirty Pipe . Alibaba Cloud will continue monitoring the latest developments with respect to the Dirty Pipe and deploy countermeasures as soon as they become available to ensure the security of its cloud products and services which might be affected by the Dirty Pipe.

Last Updated on April 6, 2022

I.Affected Alibaba Cloud Services and Products and Corresponding Updates

Elastic Compute Service (ECS)
1. Impact scope: Alibaba Cloud Linux 3 operating system that runs on Linux kernel 5.10
2. Recovery plan: The Dirty Pipe was fixed in the kernel-5.10.84-10.3.al8 kernel version of the Alibaba Cloud Linux 3 operating system on March 9, 2022.

Alibaba Cloud Container Service for Kubernetes (ACK)
1. Impact scope: ACK instances deployed on hosts that run Alibaba Cloud Linux 3 operating system.
2. Recovery plan: The Dirty Pipe was fixed in the kernel-5.10.84-10.3.al8 kernel version of the Alibaba Cloud Linux 3 operating system on March 9, 2022. The YUM repository of Alibaba Cloud Linux 3 has been updated. It is recommended that you upgrade the operating systems of your ACK instances to use the latest Linux kernel version.

II.Details of the Dirty Pipe

1.Description

On March 7, 2022, an oversea security researcher disclosed a local privilege escalation vulnerability in Linux kernel and named it the Dirty Pipe (CVE-2022-0847). The Dirty Pipe elevates unprivileged users to enjoy root privileges by enabling such unprivileged users to overwrite any readable file. A proof of concept (PoC) tool that can exploit the Dirty Pipe is available online.

2.Severity level

CVSS score: 7.8 (High)

3.Affected Linux kernel versions

Kernel 5.8 and versions more advanced than Kernel 5.8, but less advanced than Kernel 5.16.11, 5.15.25, or 5.10.102.

4.Security Suggestions

1)It is highly recommended that customers closely track the update of relevant applications and systems related to the Dirty Pipe which use Linux Kernel, or open-source operating systems based on the Linux kernel, and ensure that these applications and systems have been upgraded to use the latest Linux kernel version (alternatively, enable automatic updates for these applications and systems).

2)With respect to the recovery plan of open-source operating system, please pay close attention to the recovery status announced by the developers of such open-source operating system.

3)Note that this recovery process may require you to restart your applications and systems, please ensure your data is securely backed up in advance.

5.References

Original disclosure article published by the security researcher: https://dirtypipe.cm4all.com/
Ubuntu's statement: https://ubuntu.com/security/CVE-2022-0847
Red Hat's statement: https://access.redhat.com/security/cve/cve-2022-0847
Debian's statement: https://security-tracker.debian.org/tracker/CVE-2022-0847

For more information or help, visit the Alibaba Cloud Customer Service page.