Impact
net/netfilter/nf_tables_api.c in the Linux kernel allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.
Kubernetes workloads running in Talos are not affected, since user namespaces are disabled in the Talos kernel config, so an unprivileged user cannot obtain CAP_NET_ADMIN by unsharing. However, untrusted workloads that run with privileged: true set or with the NET_ADMIN capability added do pose a risk.
Patches
The fix has been backported to 5.15.45 version of the upstream Linux kernel (5.15 is the upstream Kernel long term version Talos ships with). Talos >= v1.1.0 is shipped with Linux Kernel 5.15.48 and Talos >= v1.0.6 is shipped with Linux kernel 5.15.45 fixing the above issue.
Workarounds
Audit Kubernetes workloads running in the cluster that have privileged: true set or the NET_ADMIN capability added, and assess the threat vector.
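As an added example (not part of the advisory or of Talos), the script below applies that audit to the PodList JSON that `kubectl get pods -A -o json` prints, flagging every container (init containers included) that is privileged or adds NET_ADMIN. The embedded PodList is constructed sample data, not output from a real cluster.

```python
"""Flag containers exposed to the nf_tables bug: privileged or NET_ADMIN.

Feed it the output of `kubectl get pods -A -o json` (a v1 PodList).
"""
import json
import sys


def container_risks(container):
    """Return the reasons a container spec needs review (empty if none)."""
    sc = container.get("securityContext") or {}
    reasons = []
    if sc.get("privileged") is True:
        reasons.append("privileged")
    caps = (sc.get("capabilities") or {}).get("add") or []
    # Kubernetes accepts the capability name with or without the CAP_ prefix.
    if any(c.upper().removeprefix("CAP_") == "NET_ADMIN" for c in caps):
        reasons.append("NET_ADMIN")
    return reasons


def audit_pod_list(pod_list):
    """Return (namespace, pod, container, reasons) for each risky container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            reasons = container_risks(c)
            if reasons:
                findings.append(
                    (meta.get("namespace", "default"), meta["name"], c["name"], reasons)
                )
    return findings


# Constructed sample PodList (hypothetical workloads, not a real cluster).
SAMPLE = {"kind": "PodList", "items": [
    {"metadata": {"namespace": "kube-system", "name": "cni-agent"},
     "spec": {"containers": [{"name": "agent", "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "apps", "name": "vpn-sidecar"},
     "spec": {"initContainers": [{"name": "setup", "securityContext":
                                  {"capabilities": {"add": ["cap_net_admin"]}}}],
              "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}]}},
    {"metadata": {"namespace": "apps", "name": "web"},
     "spec": {"containers": [{"name": "nginx"}]}},
]}

if __name__ == "__main__":
    # Use real kubectl output when piped in, otherwise the sample above.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for ns, pod, ctr, why in audit_pod_list(data):
        print(f"{ns}/{pod} container={ctr}: {', '.join(why)}")
```

Run as `kubectl get pods -A -o json | python3 audit.py` against a live cluster; each reported line is a workload whose NET_ADMIN reach should be justified or removed.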
References
For more information