
Fixing the Linux Kernel Vulnerability CVE-2022-0185

7 likes

Submitted 3 years ago by CHEFKOCH@lemmy.ml to linux@lemmy.ml

https://blog.accuknox.com/how-to-protect-from-cve-2022-0185-using-accuknox-opensource-tools/


Comments

  • cypherpunks@lemmy.ml 3 years ago

    "Fixing the Linux Kernel Vulnerability CVE-2022-0185" is an inaccurate title. The post says nothing about fixing that Linux vulnerability. Rather, the post is about how kubernetes users can use AccuKnox's products to mitigate the vulnerability.

    • CHEFKOCH@lemmy.ml 3 years ago

      Author's choice of title - Protect from CVE-2022-0185 - I say it is a permanent fix, so my title is more accurate.

      • cypherpunks@lemmy.ml 3 years ago

        Does it fix anything for Linux users who don't use kubernetes? The vast majority don't. The obvious way everyone should fix CVE-2022-0185 today is by upgrading their kernel. If your distro hasn't shipped an update with the fix yet, you should find a new distro.

        I was hoping that this link would tell me about the process of writing the Linux kernel patch (which I of course upgraded to already) which fixed the bug.

        Instead I found an advertisement for a kubernetes-related product. I have no idea if "AccuKnox" is any good, but I do know that at this point in time nobody should be "fixing" CVE-2022-0185 by installing it - the correct fix is to upgrade Linux.

        Perhaps this product is a good idea for kubernetes users to mitigate the next unprivileged user namespace related vulnerability; I stopped reading when I realized it was all about kubernetes.

        Another good mitigation for Linux users in general is to simply disable unprivileged user namespaces altogether :)

  • a_Ha@lemmy.ml 3 years ago

    CVE-2022-0185
    From the Ubuntu security team
    Published: 18 January 2022
    Mitigation
    Disable unprivileged user namespaces:
    sysctl -w kernel.unprivileged_userns_clone=0

    Nick Haflinger is, here again, 100% right.
    Sorry @CHEFKOCH@lemmy.ml I read your link up to the end.

    • CHEFKOCH@lemmy.ml 3 years ago

      The title does not mention anything near - Mitigation.

      Your workaround is Ubuntu or, more precisely, kernel specific, because most newer kernels already do this, which can, according to my link, even cause issues.

      Nice try...

      • a_Ha@lemmy.ml 3 years ago

        I understand that I didn't understand enough. I will leave this topic.

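
An added example, not part of the thread or of the linked article: a shell check for whether the mitigation discussed above is in effect on a host. Besides the Debian/Ubuntu sysctl quoted in the thread, it also reads `user.max_user_namespaces`, the upstream kernel knob, which is not mentioned on this page; the `procroot` argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespaces are disabled.
# The optional procroot argument (an assumption of this example) lets the
# check run against a constructed directory tree instead of the live /proc.

read_knob() {
    # Print a sysctl file's value without whitespace; print nothing if absent.
    [ -r "$1" ] && tr -d '[:space:]' < "$1"
    return 0
}

userns_status() {
    root="${1:-/proc}"
    # Upstream knob: 0 means no user namespaces can be created at all.
    max=$(read_knob "$root/sys/user/max_user_namespaces")
    # Debian/Ubuntu knob quoted in the thread: 0 blocks unprivileged creation.
    clone=$(read_knob "$root/sys/kernel/unprivileged_userns_clone")

    if [ -z "$max" ] && [ -z "$clone" ]; then
        # Neither file exists: no user namespace support, or /proc not mounted.
        echo "unknown"
    elif [ "$max" = 0 ]; then
        echo "disabled (user.max_user_namespaces=0)"
    elif [ "$clone" = 0 ]; then
        echo "disabled (kernel.unprivileged_userns_clone=0)"
    else
        # A missing Debian/Ubuntu knob with a non-zero upstream limit
        # still means unprivileged users can create user namespaces.
        echo "enabled"
    fi
}

# Report the state of the running system (or of the tree given as $1).
userns_status "${1:-/proc}"
```

A result of `enabled` on a kernel that has not been updated means the host still depends on the kernel upgrade for protection.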