Alibaba Cloud Statement on the Impact Assessment of Dirty Pipe Vulnerability (CVE-2022-0847)
Last Updated on April 6, 2022
I. Affected Alibaba Cloud Services and Products and Corresponding Updates
Elastic Compute Service (ECS)
1. Impact scope: Alibaba Cloud Linux 3 operating system that runs on Linux kernel 5.10
2. Recovery plan: The Dirty Pipe was fixed in the kernel-5.10.84-10.3.al8 kernel version of the Alibaba Cloud Linux 3 operating system on March 9, 2022.
Alibaba Cloud Container Service for Kubernetes (ACK)
1. Impact scope: ACK instances deployed on hosts that run the Alibaba Cloud Linux 3 operating system.
2. Recovery plan: The Dirty Pipe was fixed in the kernel-5.10.84-10.3.al8 kernel version of the Alibaba Cloud Linux 3 operating system on March 9, 2022. The YUM repository of Alibaba Cloud Linux 3 has been updated. It is recommended that you upgrade the operating systems of your ACK instances to use the latest Linux kernel version.
II. Details of the Dirty Pipe
On March 7, 2022, an overseas security researcher disclosed a local privilege escalation vulnerability in the Linux kernel and named it Dirty Pipe (CVE-2022-0847). Dirty Pipe allows an unprivileged local user to overwrite the contents of any file that user can read, which can be used to gain root privileges. A proof of concept (PoC) tool that exploits Dirty Pipe is available online.
CVSS score: 7.8 (High)
3. Affected Linux kernel versions
Kernel 5.8 and later versions, up to but not including 5.16.11, 5.15.25, and 5.10.102 on their respective stable branches.
1) It is highly recommended that customers closely track updates to applications and systems that use the Linux kernel or open-source operating systems based on it, and ensure that these applications and systems have been upgraded to the latest Linux kernel version (alternatively, enable automatic updates for them).
2) For the recovery plan of open-source operating systems, please follow the fix status announced by the developers of those operating systems.
3) Note that this recovery process may require you to restart your applications and systems; ensure that your data is securely backed up in advance.
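The following is an added example (not Alibaba Cloud's own tooling) that classifies a kernel release string against the thresholds stated above: 5.8 as the first affected version, 5.10.102 / 5.15.25 / 5.16.11 as the upstream fixes, and kernel-5.10.84-10.3.al8 as the Alibaba Cloud Linux 3 backport. It assumes `uname -r` strings of the form `5.10.84-10.3.al8.x86_64` on Alibaba Cloud Linux 3 and plain `major.minor.patch` strings for upstream stable kernels.

```python
import platform
import re

# Thresholds taken from the advisory text.
FIRST_AFFECTED = (5, 8, 0)
UPSTREAM_FIXED = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25)}
MAINLINE_FIXED = (5, 16, 11)
# Alibaba Cloud Linux 3 backported the fix into kernel-5.10.84-10.3.al8,
# which is below the upstream 5.10.102 threshold.
AL8_FIXED = ((5, 10, 84), (10, 3))

# Assumed `uname -r` shapes: "5.16.10", "5.15.0-25-generic",
# "5.10.84-10.3.al8.x86_64" (vendor build number between '-' and '.al8').
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([\d.]+)\.al8)?")


def parse_release(release):
    """Return ((major, minor, patch), al8_build_or_None) for a release string."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    al8 = tuple(int(x) for x in m.group(4).split(".")) if m.group(4) else None
    return version, al8


def is_vulnerable(release):
    """True if the release falls inside the advisory's affected range."""
    version, al8 = parse_release(release)
    if version < FIRST_AFFECTED:
        return False  # the affected pipe code only exists from 5.8 onwards
    if al8 is not None:
        # Alibaba Cloud Linux 3: the vendor build number decides, because the
        # fix was backported below the upstream stable threshold.
        return (version, al8) < AL8_FIXED
    fixed = UPSTREAM_FIXED.get(version[:2], MAINLINE_FIXED)
    return version < fixed


if __name__ == "__main__":
    running = platform.release()
    state = "AFFECTED" if is_vulnerable(running) else "not affected"
    print(f"kernel {running}: {state} by CVE-2022-0847")
```

Distributions such as Ubuntu, Red Hat and Debian also backport fixes into kernels whose version numbers stay below the upstream thresholds, so for those systems rely on the vendor statements linked below rather than this version comparison.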
Original disclosure article published by the security researcher: https://dirtypipe.cm4all.com/
Ubuntu's statement: https://ubuntu.com/security/CVE-2022-0847
Red Hat's statement: https://access.redhat.com/security/cve/cve-2022-0847
Debian's statement: https://security-tracker.debian.org/tracker/CVE-2022-0847
For more information or help, visit the Alibaba Cloud Customer Service page.