This issue does not affect the default compatibility implementation in the Linux kernel.
Impact: A remote attacker may be able to cause a denial of service via a flood of NDRs on any server that does not validate the length of the hostname argument.
Workaround: Validating the length of hostname arguments in clnt_create calls.
Red Hat would like to thank Eli Bendersky and Levente Tamassia for reporting this issue.
Red Hat would like to caution administrators against using the SunRPC code with the clnt_create compatibility function (or any other function that copies data on the stack) in any production settings until the glibc team issues a fix.
Red Hat would also like to warn users not to use the glibc SunRPC compatibility function until the glibc team issues a fix.
References: https://access.redhat.com/security/cve/CVE-2022-23219
This issue does not affect the default compatibility implementation in the Linux kernel.
It affects applications that use clnt_create compatibility function and calls to clnt_create.
A remote attacker may be able to cause a denial of service via a flood of NDRs on any server that does not validate the length of the hostname argument.
There is no workaround for this issue at present.
Background
The Linux kernel supports the clnt_create function, which is used to create a new connection to a remote server. The clnt_create function accepts a hostname argument that is copied on the stack and then passed via argument vector to the SunRPC-based RPC library. A remote attacker may be able to cause a denial of service by flooding the RPC library with malformed NDRs (no data records) that span multiple pages.
Timeline
Published on: 01/14/2022 07:15:00 UTC
Last modified on: 08/19/2022 10:56:00 UTC