Описание
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
A flaw was found in the Linux kernel. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
Меры по смягчению последствий
A possible workaround for this flaw is to configure IPsec for all traffic between the endpoints, instead of specifically for the UDP port used by the GENEVE tunnels. If GENEVE tunnels are not used, this flaw will not be triggered. In that case, it is possible to disable those tunnels, by unloading the "geneve" kernel module and blacklisting it (See https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | kernel | Not affected | ||
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-alt | Will not fix | ||
| Red Hat Enterprise Linux 8 | kernel | Affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Affected | ||
| Red Hat Enterprise MRG 2 | kernel-rt | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Fixed | RHSA-2021:0857 | 16.03.2021 |
| Red Hat Enterprise Linux 7 | kernel | Fixed | RHSA-2021:0856 | 16.03.2021 |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traff ...
Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3)
7.5 High
CVSS3