CVE-2022-21385 Overview
A flaw in the net_rds_alloc_sgs() function of Oracle Linux kernels allows an unprivileged local user to crash the machine. The function belongs to the Reliable Datagram Sockets (RDS) subsystem, a kernel socket family used for low-latency messaging between nodes of a cluster. Exploitation yields a denial of service: the kernel panics and the host is unavailable until it reboots.
Critical Impact
An unprivileged local user can trigger a kernel crash without any user interaction, taking the whole Oracle Linux host down. The impact is confined to availability: Oracle rates the issue CVSS 3.1 base score 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), meaning local access with an ordinary account is required and there is no confidentiality or integrity impact.
Affected Products
- Oracle Linux, any release running a kernel build that still contains the vulnerable net_rds_alloc_sgs() code
Discovery Timeline
- 2022-08-29 - CVE CVE-2022-21385 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21385
Vulnerability Analysis
The vulnerability resides in the net_rds_alloc_sgs() function of the Linux kernel's RDS (Reliable Datagram Sockets) implementation. RDS provides reliable, in-order datagram delivery between cluster nodes over an underlying transport (RDMA/InfiniBand via rds_rdma, or TCP via rds_tcp) and was developed by Oracle for its cluster interconnect traffic, such as Oracle RAC.
The flaw allows an unprivileged local user to drive the function into a condition that crashes the kernel. Only an ordinary local account is needed, with no elevated privileges and no user interaction, so the bar for exploitation is low once an attacker has any shell on the system. The impact is limited to availability: confidentiality and integrity are not affected, but a kernel panic on a database or cluster node can disrupt critical business operations running on the affected Oracle Linux system.
Root Cause
The root cause is improper handling inside net_rds_alloc_sgs(), the RDS helper that allocates the scatter-gather ("sg") entries backing an RDS message. The function does not correctly validate or handle a state that a local user can reach through ordinary RDS socket operations, so kernel-level code processing user-controlled socket input ends in a crash instead of returning an error. The advisory characterizes this only as an input validation or resource handling defect; the upstream fix commit referenced below is the authoritative description of the exact condition.
Attack Vector
The attack vector is local: an attacker must already be able to run code on the target system. The attack requires:
- Local access to an Oracle Linux system running a vulnerable kernel
- An ordinary, unprivileged account able to create sockets (no root or capabilities needed)
- No user interaction
An attacker issues a crafted sequence of RDS socket operations that reaches the flawed path in net_rds_alloc_sgs(), causing the kernel to crash and the system to become unavailable. The vulnerability manifests when the kernel processes RDS operations that invoke the flawed function with the unexpected state. Detailed technical information about the specific trigger can be found in the Linux Kernel Commit that addresses this issue.
Detection Methods for CVE-2022-21385
Indicators of Compromise
- Unexpected kernel panics or reboots on Oracle Linux systems, particularly cluster or database nodes
- Kernel oops or WARNING stack traces that contain frames from the rds module (net_rds_alloc_sgs() as named by the advisory, or other net/rds/ code)
- RDS socket activity from non-privileged users on hosts where only the cluster software should be using RDS
- Repeated reboots or system instability without an apparent hardware or workload cause
Detection Strategies
- Monitor kernel logs (journalctl -k, dmesg, /var/log/messages, and crash dumps if kdump is configured) for crash signatures referencing the RDS subsystem or net_rds_alloc_sgs()
- Implement system call auditing to record socket creation in the AF_RDS family by unprivileged users, so a crash can be tied back to the process and account that caused it
- Deploy endpoint detection solutions that can identify kernel-level anomalies and crash patterns
- Use SentinelOne's behavioral analysis to detect unusual local user activity targeting kernel subsystems
Monitoring Recommendations
- Enable comprehensive kernel logging, and kdump where possible, so that panic details and stack traces survive the reboot
- Configure alerting for unexpected reboots and kernel panic events
- Monitor for processes calling socket(AF_RDS, SOCK_SEQPACKET, 0), especially from non-root users and from anything other than the cluster software
- Implement file integrity monitoring on kernel modules and system binaries
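The following shell script is an added example, not part of the advisory or of any Oracle tooling. It implements the two detection steps above: a filter that pulls RDS-related oops/WARNING frames out of a kernel log, and an auditd rule that records AF_RDS socket creation by ordinary users. AF_RDS is the kernel constant 21; the audit key name rds_socket, the auid threshold of 1000 and the sample log lines are assumptions chosen for this example (the log is constructed to look like journalctl -k output and is not a real capture).

```sh
#!/bin/sh
# Added example (not from the advisory): detection aids for CVE-2022-21385.
#  scan_rds_crash_lines  - filter RDS oops/WARNING frames out of a kernel log
#  rds_audit_rules       - auditd rule recording socket(AF_RDS, ...) calls

# Print log lines that reference the RDS code: the function named in the CVE
# text (and its upstream spelling), any net/rds/ source path, or a stack frame
# attributed to the rds, rds_tcp or rds_rdma module. Reads from stdin.
scan_rds_crash_lines() {
    grep -E \
        -e 'net_rds_alloc_sgs|rds_message_alloc_sgs' \
        -e 'net/rds/' \
        -e '\[rds(_tcp|_rdma)?\]' \
        || true          # grep exits 1 when nothing matches; not an error here
}

# Number of matching lines (0 when the log is clean).
count_rds_crash_lines() {
    scan_rds_crash_lines | grep -c . || true
}

# auditd rule: every socket() syscall whose first argument (a0) is AF_RDS (21),
# restricted to real users (auid >= 1000 and set). Load with
#   rds_audit_rules > /etc/audit/rules.d/rds.rules && augenrules --load
# and search with: ausearch -k rds_socket -i
rds_audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S socket -F a0=21 -F auid>=1000 -F auid!=unset -k rds_socket
EOF
}

# Constructed sample log (not a real capture): two RDS frames amid unrelated
# lines, in the shape journalctl -k produces.
SAMPLE_KLOG='Mar 03 09:14:02 db01 kernel: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex
Mar 03 09:14:05 db01 kernel: WARNING: CPU: 2 PID: 31337 at net/rds/message.c rds_message_alloc_sgs+0x1c/0x40 [rds]
Mar 03 09:14:05 db01 kernel: Call Trace:
Mar 03 09:14:05 db01 kernel:  rds_sendmsg+0x4a1/0xb30 [rds]
Mar 03 09:14:05 db01 kernel:  sock_sendmsg+0x5e/0x70
Mar 03 09:14:05 db01 kernel: Kernel panic - not syncing: panic_on_warn set ...'

# Usage: run against the live log, e.g.  journalctl -k -b -1 | ./rds-detect.sh
# With no input on a terminal, demonstrate on the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KLOG" | scan_rds_crash_lines
    echo "matches: $(printf '%s\n' "$SAMPLE_KLOG" | count_rds_crash_lines)"
    rds_audit_rules
fi
```

The grep patterns are deliberately narrow (module tags in brackets, the net/rds/ path, the two function names) so that unrelated lines containing the letters "rds" are not flagged; widen them only after checking a real trace from an affected kernel. The audit rule costs one record per RDS socket creation, which is negligible on hosts where only the cluster stack uses RDS.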
How to Mitigate CVE-2022-21385
Immediate Actions Required
- Apply the latest Oracle Linux kernel updates that contain the fix for CVE-2022-21385
- Restrict local system access to only trusted and necessary users
- Monitor systems for signs of exploitation attempts targeting the RDS subsystem
- Disable the RDS kernel modules where cluster software does not need them; this removes the attack surface entirely, but is only possible when RDS is built as a module (CONFIG_RDS=m) rather than into the kernel image
Patch Information
Oracle has addressed this vulnerability through kernel updates. The fix has been committed to the upstream Linux kernel with commit ID ea010070d0a7497253d5a6f919f6dd107450b31a. Organizations running Oracle Linux should apply the latest available kernel packages that include this fix. Refer to the Linux Kernel Commit for technical details on the patch.
Workarounds
- Unload the RDS modules (rds and its transports rds_tcp and rds_rdma) with modprobe -r, and prevent them from loading again. Note that a blacklist line alone only stops alias-based autoload, such as the autoload triggered by socket(AF_RDS, ...); an explicit modprobe rds still succeeds unless an install override is also configured
- Restrict local user access to minimize the attack surface
- Network segmentation does not address a local-only flaw directly, but it limits the paths an attacker can use to obtain the local foothold the attack requires
- Use containerization or virtualization to isolate critical workloads from hosts that untrusted users can log in to
# Unload the RDS transports first; the core module cannot be removed while they use it
modprobe -r rds_tcp 2>/dev/null
modprobe -r rds_rdma 2>/dev/null
modprobe -r rds
# "blacklist" only stops alias-based autoload (e.g. via socket(AF_RDS, ...));
# the "install" override also blocks an explicit "modprobe rds"
printf 'blacklist rds\ninstall rds /bin/false\n' > /etc/modprobe.d/rds-disable.conf
# Verify that no RDS module is loaded (expect no output)
lsmod | grep -E '^rds'
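Disabling the module is only half the job; the other half is proving that it stays disabled. The script below is an added example, not part of the advisory or of Oracle's tooling, that audits a host's RDS exposure from three inputs: the kernel config (CONFIG_RDS=y means RDS is compiled in and cannot be unloaded), /proc/modules (what is resident now), and the modprobe.d directory (whether an install override, not just a blacklist line, is present). The module names rds, rds_tcp and rds_rdma are the upstream names; the verdict words, the file layout and the fixture data in rds_status_demo are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the advisory): verify whether the RDS attack surface
# is actually closed, instead of only running the disable commands.
# Each check takes a path so it can run against the live system
# (/boot/config-$(uname -r), /proc/modules, /etc/modprobe.d) or against
# copies collected from another host.

# CONFIG_RDS=y: RDS is in the kernel image. modprobe.d rules do not apply and
# nothing can be unloaded; only a fixed kernel removes the code.
rds_builtin() {                       # $1 = kernel .config
    grep -qx 'CONFIG_RDS=y' "$1"
}

# CONFIG_RDS=m: the module exists on disk and can be loaded on demand.
rds_module_available() {              # $1 = kernel .config
    grep -qx 'CONFIG_RDS=m' "$1"
}

# Loaded RDS modules (rds, rds_tcp, rds_rdma), parsed from /proc/modules,
# whose fields are: name size refcount deps state address
rds_loaded_modules() {                # $1 = /proc/modules or a saved copy
    awk '$1 ~ /^rds(_|$)/ { print $1 }' "$1"
}

# "blacklist rds" only stops alias-driven autoload (e.g. the net-pf-21 alias
# resolved when a process calls socket(AF_RDS, ...)); "modprobe rds" by name
# still works. Only an "install rds /bin/false" (or /bin/true) line prevents
# the load itself, so that is what this check requires.
rds_install_override_present() {      # $1 = modprobe.d directory
    cat "$1"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*install[[:space:]]+rds[[:space:]]+/bin/(false|true)'
}

# One-word verdict, suitable for a compliance report or an alert:
#   BUILTIN  - compiled in: patch the kernel
#   LOADED   - module resident now: unload it
#   LOADABLE - not loaded, but any local user can still autoload it by calling
#              socket(AF_RDS, SOCK_SEQPACKET, 0)
#   BLOCKED  - install override present, module cannot be loaded
#   ABSENT   - kernel has no RDS support at all
rds_status() {                        # $1 .config  $2 /proc/modules  $3 modprobe.d
    if rds_builtin "$1"; then echo BUILTIN; return 0; fi
    if [ -n "$(rds_loaded_modules "$2")" ]; then echo LOADED; return 0; fi
    if ! rds_module_available "$1"; then echo ABSENT; return 0; fi
    if rds_install_override_present "$3"; then echo BLOCKED; else echo LOADABLE; fi
}

# Constructed fixtures (not captured from a real host) exercising the verdicts:
# a module-built kernel, rds_tcp loaded, and blacklist-only vs install configs.
rds_status_demo() {
    d=$(mktemp -d) || return 1
    printf 'CONFIG_RDS=m\nCONFIG_RDS_TCP=m\n' > "$d/config"
    printf 'rds_tcp 20480 0 - Live 0x0000000000000000\nrds 90112 1 rds_tcp, Live 0x0000000000000000\n' > "$d/modules_loaded"
    : > "$d/modules_clean"
    mkdir -p "$d/mp_blacklist_only" "$d/mp_install"
    echo 'blacklist rds' > "$d/mp_blacklist_only/rds.conf"
    printf 'blacklist rds\ninstall rds /bin/false\n' > "$d/mp_install/rds.conf"
    echo "loaded:$(rds_status "$d/config" "$d/modules_loaded" "$d/mp_install")"
    echo "blacklist-only:$(rds_status "$d/config" "$d/modules_clean" "$d/mp_blacklist_only")"
    echo "install:$(rds_status "$d/config" "$d/modules_clean" "$d/mp_install")"
    rm -rf "$d"
}

# Usage:  ./rds-check.sh --live   (on the host)   or   ./rds-check.sh --demo
case "${1:-}" in
    --live) rds_status "/boot/config-$(uname -r)" /proc/modules /etc/modprobe.d ;;
    --demo) rds_status_demo ;;
esac
```

A LOADABLE verdict on a host with a blacklist line is the case worth watching for: the module is not resident, lsmod looks clean, yet the first unprivileged socket(AF_RDS, ...) call brings it back. Treat anything other than BLOCKED or ABSENT on an unpatched kernel as still exposed.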
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

