CVE-2024-1086 Vulnerability - Mitigation for CloudLinux OS servers

CL20241086b

A new vulnerability was discovered in the Netfilter subsystem in the Linux kernel identified as CVE-2024-1086. The CloudLinux team is actively working to address and mitigate the security issue within our software.


*Please note: An update for April 3, 2024, has been added to the end of this post

Details on Vulnerability 

 

A vulnerability has been discovered in the Netfilter subsystem of the Linux kernel. The flaw is in the nft_verdict_init() function, which accepts a positive value as the drop error encoded in the upper bits of a hook verdict. When a rule issues such an NF_DROP verdict, nf_hook_slow() frees the packet buffer and then returns the encoded error; a positive error value is indistinguishable from NF_ACCEPT, so the caller keeps processing the already-freed buffer, which leads to a use-after-free and a double free. Exploiting this issue in the nf_tables component could result in local privilege escalation. Find more information here.
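The verdict handling described above, as an added example that is not CloudLinux or kernel code: a user-space model in C of the verdict encoding from include/uapi/linux/netfilter.h, of the verdict-code check in nft_verdict_init() before and after the upstream fix, and of the NF_DROP branch of nf_hook_slow(). The function names, the fake skb and the free counter are assumptions made for the demonstration; no real packet or rule is involved.

```c
/* Added example (not CloudLinux or kernel code): a user-space model of the
 * netfilter verdict encoding behind CVE-2024-1086.  The constants and the
 * NF_DROP_GETERR arithmetic follow include/uapi/linux/netfilter.h; the two
 * verdict_init variants condense the check in nft_verdict_init() before and
 * after the upstream fix; hook_slow_drop_path() condenses only the NF_DROP
 * branch of nf_hook_slow().  The fake skb and the free counter are assumed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QBITS 16

/* Kernel helper: the errno stored in the upper 16 bits of a verdict, negated.
 * The shift is on a signed int, so 0xffff in the upper bits reads as -1 and
 * the "error" comes out as +1, which is also the value of NF_ACCEPT. */
static int nf_drop_geterr(int verdict)
{
    return -(verdict >> NF_VERDICT_QBITS);
}

/* Model of the verdict-code check in nft_verdict_init() before the fix: only
 * the low byte is inspected, so errno/queue bits supplied over netlink pass
 * through untouched.  Returns 0 if accepted, -EINVAL otherwise. */
static int verdict_init_vulnerable(uint32_t code)
{
    switch (code & NF_VERDICT_MASK) {
    case NF_ACCEPT:
    case NF_DROP:
    case NF_QUEUE:
        return 0;
    default:
        return -EINVAL;
    }
}

/* Model of the same check after the upstream fix: the whole code must match
 * exactly, so a verdict carrying a drop error or queue number is rejected. */
static int verdict_init_fixed(uint32_t code)
{
    switch (code) {
    case NF_ACCEPT:
    case NF_DROP:
    case NF_QUEUE:
        return 0;
    default:
        return -EINVAL;
    }
}

/* Model of the NF_DROP arm of nf_hook_slow(): the skb is freed first, then the
 * encoded errno is returned.  Callers treat a return value of 1 (NF_ACCEPT)
 * as "keep processing this skb". */
struct fake_skb { int freed; };

static int hook_slow_drop_path(struct fake_skb *skb, int verdict)
{
    int ret;
    skb->freed++;                       /* stands in for kfree_skb_reason() */
    ret = nf_drop_geterr(verdict);
    if (ret == 0)
        ret = -EPERM;
    return ret;
}

/* Number of times the skb ends up freed when a rule with this verdict fires
 * under the vulnerable check.  A second free models the caller carrying on
 * with a buffer that hook_slow_drop_path() already released. */
static int frees_for_verdict(uint32_t code)
{
    struct fake_skb skb = { 0 };
    int ret;

    if (verdict_init_vulnerable(code) != 0)
        return 0;                       /* rule could not have been loaded */
    if ((code & NF_VERDICT_MASK) != NF_DROP)
        return 0;                       /* not the drop path */
    ret = hook_slow_drop_path(&skb, (int)code);
    if (ret == NF_ACCEPT)               /* caller believes the packet passed */
        skb.freed++;                    /* ... and eventually frees it again */
    return skb.freed;
}

int main(void)
{
    uint32_t plain_drop = NF_DROP;
    uint32_t crafted    = 0xffff0000u | NF_DROP;   /* drop error of +1 */

    printf("plain NF_DROP:   geterr=%d frees=%d\n",
           nf_drop_geterr((int)plain_drop), frees_for_verdict(plain_drop));
    printf("crafted 0x%08x: geterr=%d (NF_ACCEPT) frees=%d\n",
           (unsigned)crafted, nf_drop_geterr((int)crafted),
           frees_for_verdict(crafted));
    printf("fixed check rejects crafted verdict: %s\n",
           verdict_init_fixed(crafted) == -EINVAL ? "yes" : "no");
    return 0;
}
```

The crafted value is exactly what the old check let through: its low byte is NF_DROP, so the masked comparison passes, yet its upper half turns into a return value of 1 after the buffer has been freed. The fixed check compares the full 32-bit code, which is why the upstream patch is a one-line change to the switch rather than to nf_hook_slow().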

 

Mitigation for CloudLinux OS Servers

 

Use the following commands to update the system to the patched kernel:

for CL8:  yum install kernel-4.18.0-513.18.1.lve.2.el8.x86_64
for CL7h: yum install kernel-4.18.0-513.18.1.lve.2.el7h.x86_64

 

If a rollout slot is not available, you can perform an immediate update using the following commands:

for CL8:  yum install kernel-4.18.0-513.18.1.lve.2.el8.x86_64 --enablerepo=cloudlinux-rollout-3-bypass
for CL7h: yum install kernel-4.18.0-513.18.1.lve.2.el7h.x86_64 --enablerepo=cloudlinux-rollout-3-bypass

The new kernel takes effect only after a reboot. A server that has the patched package installed but is still running the old kernel remains vulnerable, so schedule the reboot as part of the update.

 

Update for April 3, 2024!

The patch for this CVE was also released for CL7 today; the version is kernel-3.10.0-962.3.2.lve1.5.84.el7.

Additionally, the patch for Alma9/CloudLinux9 was released today. You can find more information in the separate article:
https://almalinux.org/blog/2024-04-02-xz-and-cve-2024-1086/.


To update CL7 kernel:
yum install kernel-3.10.0-962.3.2.lve1.5.84.el7 --enablerepo=cloudlinux-updates-testing

To update CL6 hybrid:
yum install kernel-3.10.0-962.3.2.lve1.5.84.el6h --enablerepo=cloudlinux-hybrid-testing
