A high-severity vulnerability in the Linux kernel, CVE-2022-0185, was announced this week. It is a heap buffer overflow in the filesystem context code (legacy_parse_param in fs/fs_context.c), reached through the fsopen and fsconfig system calls, and it allows a local attacker to cause a denial of service (system crash) or execute arbitrary code in the kernel. Those system calls require CAP_SYS_ADMIN, but an unprivileged user namespace grants that capability, so on kernels that allow unprivileged user namespaces (the Ubuntu default) an ordinary local user, or a process in a container that seccomp does not stop from calling unshare, can reach the bug. That makes an unpatched Kubernetes node exploitable from inside a pod.
The kernel fix was released on January 18th and is included in the Ubuntu AMIs published that day.
If you are a Fairwinds Insights user, you can check the kernel versions of the nodes in your cluster with an OPA policy. Note that this requires granting the OPA job additional RBAC permissions to get and list nodes. If you are not yet a Fairwinds Insights user, you can sign up for free here, and we can help you use the software to track this vulnerability across your clusters.
```rego
package fairwinds

# True when the node's kernel matches one of the versions listed in the
# policy's parameters (see the YAML below).
allowedKernelVersion(elem) {
  v := elem.parameters.kernelVersions[_]
  elem.status.nodeInfo.kernelVersion == v
}

# Emit an Action Item for every node whose kernel is not in the allowlist.
unsupportedKernel[actionItem] {
  not allowedKernelVersion(input)
  actionItem := {
    "title": "Kernel Version is Unsupported",
    "description": sprintf("kernel version %s is unsupported", [input.status.nodeInfo.kernelVersion]),
    "severity": 0.5,
    "remediation": "Update the base image version.",
    "category": "Security"
  }
}
```
In the policy's YAML, list the kernel versions you consider patched. For example, nodes built from the Ubuntu AMI 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220118 in AWS report the kernel version below, and the policy is targeted at Node objects:

```yaml
parameters:
  kernelVersions:
    - 5.11.0-1027-aws
targets:
  - apiGroups:
      - ''
    kinds:
      - Node
```
You can check what kernel version each node reports in its status using:

```shell
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\n"}{end}'
```
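The policy above is an exact allowlist, which is the right choice for distribution kernels: Ubuntu backports the fix into its own builds (5.11.0-1027-aws), so comparing node kernels against upstream stable version numbers would misclassify them. The downside of an exact list is that every later kernel build is flagged until the list is updated. The following script, added here as an example and not part of the post or of Fairwinds Insights, shows the middle ground: it reads the output of the kubectl command above (a constructed four-node sample is embedded), parses Ubuntu kernel strings into upstream base, ABI build number and flavor, and compares each node only against a per-series minimum ABI taken from the distribution advisory. Nodes in a series with no policy entry, or with a version format it does not understand (an Amazon Linux kernel in the sample), are reported as unknown rather than silently passed. The MINIMUM_FIXED_ABI table is a hypothetical operator-supplied policy seeded with the one version the post names.

```python
"""Audit node kernel versions from `kubectl get nodes -o jsonpath=...` output."""
import re
import sys
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of what the kubectl jsonpath command prints: one line per
# node, node name, a tab, then status.nodeInfo.kernelVersion.
KUBECTL_OUTPUT = (
    "ip-10-0-1-10.ec2.internal\t5.11.0-1027-aws\n"
    "ip-10-0-2-20.ec2.internal\t5.11.0-1022-aws\n"
    "ip-10-0-3-30.ec2.internal\t5.13.0-1010-aws\n"
    "ip-10-0-4-40.ec2.internal\t5.10.82-83.359.amzn2.x86_64\n"
)

# Hypothetical operator policy: for each (flavor, upstream base) series, the
# lowest Ubuntu ABI build that carries the fix. Values must come from the
# distribution's advisory for that series, not from upstream stable version
# numbers, because distro kernels backport fixes without changing the base.
MINIMUM_FIXED_ABI: Dict[Tuple[str, Tuple[int, int, int]], int] = {
    ("aws", (5, 11, 0)): 1027,  # 5.11.0-1027-aws, the version named in the post
}

# Ubuntu kernel version string: <major>.<minor>.<patch>-<ABI>-<flavor>
UBUNTU_KERNEL = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([a-z0-9]+)$")


class UbuntuKernel(NamedTuple):
    upstream: Tuple[int, int, int]
    abi: int
    flavor: str


def parse_ubuntu_kernel(version: str) -> Optional[UbuntuKernel]:
    """Return the parsed version, or None if this is not an Ubuntu kernel string."""
    m = UBUNTU_KERNEL.match(version)
    if not m:
        return None
    major, minor, patch, abi, flavor = m.groups()
    return UbuntuKernel((int(major), int(minor), int(patch)), int(abi), flavor)


def classify(version: str) -> str:
    """Return 'ok', 'vulnerable' or 'unknown' for one kernelVersion string.

    The comparison is only made within a single (flavor, upstream base) series,
    where a higher ABI number is a newer build of the same base kernel. Anything
    outside the policy table is 'unknown' so it cannot pass by accident.
    """
    kernel = parse_ubuntu_kernel(version)
    if kernel is None:
        return "unknown"
    minimum = MINIMUM_FIXED_ABI.get((kernel.flavor, kernel.upstream))
    if minimum is None:
        return "unknown"
    return "ok" if kernel.abi >= minimum else "vulnerable"


def audit(kubectl_output: str) -> List[Tuple[str, str, str]]:
    """Turn each 'name<TAB>kernelVersion' line into (name, kernelVersion, status)."""
    results = []
    for line in kubectl_output.splitlines():
        if not line.strip():
            continue
        name, _, version = line.partition("\t")
        results.append((name, version, classify(version)))
    return results


def vulnerable_nodes(kubectl_output: str) -> List[str]:
    """Names of nodes whose kernel is known to be below the fixed build."""
    return [name for name, _, status in audit(kubectl_output) if status == "vulnerable"]


if __name__ == "__main__":
    # Pipe the kubectl command into this script; fall back to the sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else KUBECTL_OUTPUT
    for node, kernel, status in audit(data):
        print(f"{status:10s} {node}\t{kernel}")
```

Run it as `kubectl get nodes -o jsonpath='...' | python3 kernel_audit.py`. The "unknown" rows are the ones to act on manually: either add the series to the policy table after reading the advisory, or treat an unrecognised format as a node image that needs its own check.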