6.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
MULTIPLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:M/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
5.3%
A use-after-free flaw was found in the packet processing context in net/netfilter/x_tables.c in netfilter in the Linux Kernel. This issue occurs when the per-CPU sequence count is mishandled during concurrent iptables rules replacement and can be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace.
In order to trigger the issue, it requires the ability to create user/net namespaces.
On non-containerized deployments of Red Hat Enterprise Linux 8, you can disable user namespaces by setting user.max_user_namespaces to 0:
On containerized deployments such as Red Hat OpenShift Container Platform, do not use this mitigation as the functionality is needed to be enabled.
6.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
MULTIPLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:M/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
5.3%