RHSA-2022:7187: Red Hat Security Advisory: device-mapper-multipath security update
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
Issued: 2022-10-25
Updated: 2022-10-25
RHSA-2022:7187 - Security Advisory
Synopsis
Important: device-mapper-multipath security update
Type/Severity
Security Advisory: Important
Topic
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices.
Security Fix(es):
- device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket (CVE-2022-41974)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
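As an added example (not part of the advisory or of the device-mapper-multipath project), a check an administrator can run on a RHEL 8.1 host to tell whether the installed device-mapper-multipath build is at or above the fixed build named in this advisory. It assumes `rpm` is available and implements the common-case RPM version comparison itself, so the comparison does not depend on extra tooling.

```python
"""Check whether a RHEL 8.1 host carries the device-mapper-multipath fix
from RHSA-2022:7187 by comparing the installed package NVR (name-version-
release) with the fixed build named in the advisory."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed build for RHEL 8.1 Update Services for SAP Solutions (from the advisory).
FIXED_NVR = "device-mapper-multipath-0.8.0-5.el8_1.1"

_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings as rpm does in the common case:
    split into runs of digits or letters, compare digit runs numerically and
    letter runs as strings, a digit run beats a letter run, and when one string
    runs out of segments the longer one is newer. Returns -1, 0 or 1.
    (Tilde/caret pre-release markers are not handled by this simplified version.)"""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'name-version-release' -> (name, version, release). The name itself
    contains dashes, so split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(installed: str, fixed: str = FIXED_NVR) -> bool:
    """True when the installed build is the fixed build or newer (epoch ignored)."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


def installed_nvr(pkg: str = "device-mapper-multipath") -> Optional[str]:
    """Ask rpm for the installed build; None if rpm or the package is absent."""
    try:
        res = subprocess.run(["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}", pkg],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return res.stdout.strip() if res.returncode == 0 else None


if __name__ == "__main__":
    nvr = installed_nvr()
    if nvr is None:
        print("device-mapper-multipath not installed (or rpm unavailable)")
    else:
        print(f"{nvr}: {'patched' if is_patched(nvr) else 'VULNERABLE to CVE-2022-41974'}")
```

The package check only confirms that the fixed build is installed; the running multipathd must also have been restarted after the update for the fix to take effect.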
Affected Products
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.1 x86_64
Fixes
- BZ - 2133988 - CVE-2022-41974 device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1
SRPM
device-mapper-multipath-0.8.0-5.el8_1.1.src.rpm
SHA-256: a351f9594b53be387e3240f379afeb6e5cffcc30f1fdc9fc5633d4443add0a38
ppc64le
device-mapper-multipath-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: 8c3e2b637f9b9bddc1de5672edb13a7922619675dd6d43064485b42324b19c56
device-mapper-multipath-debuginfo-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: 48178a17225ee8e4c53b54f5b340e1e94bfef1cdda0c23ee6f543fe7c4c2cdbe
device-mapper-multipath-debugsource-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: e9b48d1895e0742c47b14f3493da73a34ac312b94ae86dd2f98f12d1e5ce5df3
device-mapper-multipath-libs-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: cd357ce916a37403b9c73e2cbf6b6e91b3ba9583764f2b09b8584b5725f71738
device-mapper-multipath-libs-debuginfo-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: 182e599fb80302033c8b137f91ab2f205b4361919adf0bf5efa6b5d6ab314331
kpartx-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: 38f1ffc64cdbb476d3144806beec83a350fb158cf1b6d6b7f61bcf2e8a6427cc
kpartx-debuginfo-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: 5d94a189ebd76782cd703b0c1acd85703c9eb82c51d3b60902f6887fd9dcf7da
libdmmp-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: 272971ee197b7cda187846b5daea4f902d9ce46781034d11170539a71cf140ed
libdmmp-debuginfo-0.8.0-5.el8_1.1.ppc64le.rpm
SHA-256: f658da2cc66fea7f6275c615b00ef7687e8d71108a8802ab551f9bc9f8e39196
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.1
SRPM
device-mapper-multipath-0.8.0-5.el8_1.1.src.rpm
SHA-256: a351f9594b53be387e3240f379afeb6e5cffcc30f1fdc9fc5633d4443add0a38
x86_64
device-mapper-multipath-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: 8161d99dd8883b5befcdf575c2761ac603b12553d1f2d2ad1f7c3de4079499d8
device-mapper-multipath-debuginfo-0.8.0-5.el8_1.1.i686.rpm
SHA-256: 769d26677799b286ebf5bcecd7f80a92602ac9f9233d652fa6ab0932557fbf06
device-mapper-multipath-debuginfo-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: 94649e5d9cdac78138f35c1297901ee67964bb769faffa3c0512adeebc03e60b
device-mapper-multipath-debugsource-0.8.0-5.el8_1.1.i686.rpm
SHA-256: 0f2c8757a85d7373346531b64cac71778b6b0a05fc37e4e7380bd7b89da5e054
device-mapper-multipath-debugsource-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: 5eaffddf9e4940903d70344ad3fc556679c6ec969dc1ce51177b49c5101c0bae
device-mapper-multipath-libs-0.8.0-5.el8_1.1.i686.rpm
SHA-256: 02233f6e088d75784131c5f96941f02cbf9d3a3563a1e296d67d479531f2ae64
device-mapper-multipath-libs-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: ffb9365d3b3ec8ce0d4b1ede58d2b87d6db11494d9ace3dd0850d47becf594de
device-mapper-multipath-libs-debuginfo-0.8.0-5.el8_1.1.i686.rpm
SHA-256: d15ded201b7c9a5193aea486ffb8b1ccc796301e420712ea5d00036e31783314
device-mapper-multipath-libs-debuginfo-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: a122fd74c2f786850a9fd25f44f4ff7dc6b84df83bb541e47de3a32ae385a605
kpartx-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: 84c9b9792e8bf7ea8568f6bfa88f2863fc12592085e2dee2e847aaf0944add46
kpartx-debuginfo-0.8.0-5.el8_1.1.i686.rpm
SHA-256: 8083ad1434f43ab790cde2cddec4d750eea72886244bf5344baf6fffde4563dd
kpartx-debuginfo-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: 37e4c08d2f34d412a9679c76e571004e6d79b7ee52af1257c4db84a762246c80
libdmmp-0.8.0-5.el8_1.1.i686.rpm
SHA-256: 6382d860af55ed9519aebf66a607cda731f5a10f19ed4b0d320242080d815ba5
libdmmp-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: 19267c7bb9a6e3c13f9f855fb015b981ed688591f739d448f637aceb46f59a51
libdmmp-debuginfo-0.8.0-5.el8_1.1.i686.rpm
SHA-256: 0bfd5fd3ec0294e098d7c5b55489108880e69ae112d2c81c2fa72de9a80b2f1f
libdmmp-debuginfo-0.8.0-5.el8_1.1.x86_64.rpm
SHA-256: 9b2d19a3caac3ab16e5460f4beeaa11d1fe574172915c94b7bc38ad3118f1f60
The Red Hat security contact is secure@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202311-6 - Multiple vulnerabilities have been discovered in multipath-tools, the worst of which can lead to root privilege escalation. Versions greater than or equal to 0.9.3 are affected.
IBM Security Guardium 11.3, 11.4, and 11.5 could allow a local user to obtain elevated privileges due to incorrect authorization checks. IBM X-Force ID: 216753.
Red Hat Security Advisory 2023-0795-01 - Submariner 0.13.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.6.
Qualys discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory, they tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how they exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973).
The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service.
Red Hat Security Advisory 2022-8609-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.9.7 images. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-7874-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.8.53. Issues addressed include a code execution vulnerability.
Ubuntu Security Notice 5731-1 - It was discovered that multipath-tools incorrectly handled symlinks. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that multipath-tools incorrectly handled access controls. A local attacker could possibly use this issue, in combination with other issues, to escalate privileges.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3787: device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3787: device-mapper-multipath: Regression of CVE-2022-41974 fix in Red Hat Enterprise Linux
Red Hat Security Advisory 2022-7276-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service, server-side request forgery, and remote SQL injection vulnerabilities.
Red Hat OpenShift Container Platform release 4.11.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26945: go-getter: command injection vulnerability * CVE-2022-30321: go-getter: unsafe download (issue 1 of 3) * CVE-2022-30322: go-getter: unsafe download (issue 2 of 3) * CVE-2022-30323: go-getter: unsafe download (issue 3 of 3)
Red Hat Advanced Cluster Management for Kubernetes 2.4.8 General Availability release images, which fix security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2238: search-api: SQL injection leads to remote denial of service * CVE-2022-25858: terser: insecure use of regular expressions leads to ReDoS * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-35948: nodejs: undici vulnerable to CRLF via content headers * CVE-2022-35949: n...
The Qualys Research Team has discovered authorization bypass and symlink vulnerabilities in multipathd. The authorization bypass was introduced in version 0.7.0 and the symlink vulnerability was introduced in version 0.7.7.
Red Hat Security Advisory 2022-7191-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
Red Hat Security Advisory 2022-7186-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-7185-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-7192-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-7187-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-7188-01 - The device-mapper-multipath packages provide tools that use the device-mapper multipath kernel module to manage multipath devices. Issues addressed include a bypass vulnerability.
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
An update for device-mapper-multipath is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket