Lucene search
K

Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989721)

🗓️ 05 Nov 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 3 Views

Security update fixes NULL pointer dereference in ixgbe XDP setup on some machines.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(272884);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/05");

  script_cve_id("CVE-2021-47399");

  script_name(english:"Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989721)");

  script_set_attribute(attribute:"synopsis", value:
"The Unity Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the
UTSA-2025-989721 advisory.

    In the Linux kernel, the following vulnerability has been resolved:

    ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup

    The ixgbe driver currently generates a NULL pointer dereference with
    some machine (online cpus < 63). This is due to the fact that the
    maximum value of num_xdp_queues is nr_cpu_ids. Code is in
    ixgbe_set_rss_queues.

    Here's how the problem repeats itself:
    Some machine (online cpus < 63), And user set num_queues to 63 through
    ethtool. Code is in the ixgbe_set_channels,
            adapter->ring_feature[RING_F_FDIR].limit = count;

    It becomes 63.

    When user use xdp, ixgbe_set_rss_queues will set queues num.
            adapter->num_rx_queues = rss_i;
            adapter->num_tx_queues = rss_i;
            adapter->num_xdp_queues = ixgbe_xdp_queues(adapter);

    And rss_i's value is from
            f = &adapter->ring_feature[RING_F_FDIR];
            rss_i = f->indices = f->limit;

    So num_rx_queues > num_xdp_queues, when run to ixgbe_xdp_setup,
            for (i = 0; i < adapter->num_rx_queues; i++)
                    if (adapter->xdp_ring[i]->xsk_umem)

    It leads to panic.

    Call trace:
    [exception RIP: ixgbe_xdp+368]
    RIP: ffffffffc02a76a0  RSP: ffff9fe16202f8d0  RFLAGS: 00010297
    RAX: 0000000000000000  RBX: 0000000000000020  RCX: 0000000000000000
    RDX: 0000000000000000  RSI: 000000000000001c  RDI: ffffffffa94ead90
    RBP: ffff92f8f24c0c18   R8: 0000000000000000   R9: 0000000000000000
    R10: ffff9fe16202f830  R11: 0000000000000000  R12: ffff92f8f24c0000
    R13: ffff9fe16202fc01  R14: 000000000000000a  R15: ffffffffc02a7530
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
     7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc
     8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808
     9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235
    10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384
    11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd
    12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb
    13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88
    14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319
    15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290
    16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8
    17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64
    18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9
    19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c

    So I fix ixgbe_max_channels so that it will not allow a setting of queues
    to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,
    take the smaller value of num_rx_queues and num_xdp_queues.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://src.uniontech.com/#/security_advisory_detail?utsa_id=UTSA-2025-989721
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?99dd0647");
  # https://lore.kernel.org/linux-cve-announce/2024052148-CVE-2021-47399-3b96@gregkh
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f5bcbe0f");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2021-47399");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-47399");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Unity Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/UOS-Server/release", "Host/UOS-Server/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'UOS Server' >!< os_product) audit(AUDIT_OS_NOT, 'UOS Server');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'UOS Server');
if (! preg(pattern:"^20.1070a([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'UOS Server 20.1070a', 'UOS Server ' + os_version);

if (!get_kb_item('Host/UOS-Server/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'amd64' >!< cpu && 'loongarch64' >!< cpu && 'x86_64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'UOS Server', cpu);


var constraints = [
  {
    'release': '20',
    'sp': '1070a',
    'pkgs': [
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'amd64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'loongarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'kernel-5.10.0-79.4.2', 'sp':'1070a', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}


if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Nov 2025 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.15.5
EPSS0.00239
SSVC
3