CVE-2022-3564

[vvprasadj]

Fix for CVE-2022-3564 (kernel is Vulnerable) has been released for RHEL 7 on 19 July 2023.
This is not yet available for CentOS.
Does next batch of updates for CentOS 7 contains fix for this?

[TrevorH]

kernel 3.10.0-1160.95.1.el7.x86_64 is indeed one of the updates that is pending release. Currently stuck on failing CI tests I think.

[TrevorH]

Just released.

[vvprasadj]

Thank you for the update TrevorH.

[pmalenfant]

I just updated my kernel to 3.10.0-1160.95.1.el7.x86_64, but our security scanner (Kenna) still flags it as containing this CVE.
Could someone please confirm that this kernel contains the patch for the CVE?
Or, is there something different that I need to apply?

Thanks in advance

[TrevorH]

rpm -q --changelog kernel-$(uname -r) on a system running that kernel says

* Mon Jun 05 2023 Rado Vrbovsky <rvrbovsk@redhat.com> [3.10.0-1160.93.1.el7]
- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu (Wander Lairson Costa) [2152941] {CVE-2022-3564}

What does uname -r say on your machine?

[jlehtone]

Does Kenna belong to the group of "some tools" that Red Hat mentions in: https://access.redhat.com/solutions/57665

[pmalenfant]

uname output for my system:

# uname -r
3.10.0-1160.95.1.el7.x86_64

[pmalenfant]

I ran the rpm -q -changelog kernel-$(uname -r) | grep "CVE-2022-3564"
it returns
- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu (Wander Lairson Costa) [2152941] {CVE-2022-3564}

I can't attach the entire file -- says too large.

That makes me think this vulnerability should be fixed

[TrevorH]

Sounds like a problem with the security scanner then.