{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-42142", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-29T15:50:41.189Z", "datePublished": "2024-07-30T07:46:35.929Z", "dateUpdated": "2024-12-19T09:13:56.999Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:13:56.999Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-switch, Create ingress ACL when needed\n\nCurrently, ingress acl is used for three features. It is created only\nwhen vport metadata match and prio tag are enabled. But active-backup\nlag mode also uses it. It is independent of vport metadata match and\nprio tag. And vport metadata match can be disabled using the\nfollowing devlink command:\n\n # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \\\n\tvalue false cmode runtime\n\nIf ingress acl is not created, will hit panic when creating drop rule\nfor active-backup lag mode. If always create it, there will be about\n5% performance degradation.\n\nFix it by creating ingress acl when needed. If esw_port_metadata is\ntrue, ingress acl exists, then create drop rule using existing\ningress acl. If esw_port_metadata is false, create ingress acl and\nthen create drop rule."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c"], "versions": [{"version": "1749c4c51c16e3e078faae0a876d01bafb187a74", "lessThan": "bc3ff8d3c05044de57865ebbb78cca8f7da3e595", "status": "affected", "versionType": "git"}, {"version": "1749c4c51c16e3e078faae0a876d01bafb187a74", "lessThan": "3e3551f8702978cd2221d2614ca6d6727e785324", "status": "affected", "versionType": "git"}, {"version": "1749c4c51c16e3e078faae0a876d01bafb187a74", "lessThan": "83bc1a129f7fd0d7d05036ceb7ee69102624e320", "status": "affected", "versionType": "git"}, {"version": "1749c4c51c16e3e078faae0a876d01bafb187a74", "lessThan": "b20c2fb45470d0c7a603613c9cfa5d45720e17f2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.98", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.39", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.9", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/bc3ff8d3c05044de57865ebbb78cca8f7da3e595"}, {"url": "https://git.kernel.org/stable/c/3e3551f8702978cd2221d2614ca6d6727e785324"}, {"url": "https://git.kernel.org/stable/c/83bc1a129f7fd0d7d05036ceb7ee69102624e320"}, {"url": "https://git.kernel.org/stable/c/b20c2fb45470d0c7a603613c9cfa5d45720e17f2"}], "title": "net/mlx5: E-switch, Create ingress ACL when needed", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:54:32.562Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/bc3ff8d3c05044de57865ebbb78cca8f7da3e595", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3e3551f8702978cd2221d2614ca6d6727e785324", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/83bc1a129f7fd0d7d05036ceb7ee69102624e320", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b20c2fb45470d0c7a603613c9cfa5d45720e17f2", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:15:50.447438Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:35.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/bc3ff8d3c05044de57865ebbb78cca8f7da3e595", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3e3551f8702978cd2221d2614ca6d6727e785324", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/83bc1a129f7fd0d7d05036ceb7ee69102624e320", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b20c2fb45470d0c7a603613c9cfa5d45720e17f2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:54:32.562Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42142", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:15:50.447438Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:24.627Z"}}], "cna": {"title": "net/mlx5: E-switch, Create ingress ACL when needed", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1749c4c51c16e3e078faae0a876d01bafb187a74", "lessThan": "bc3ff8d3c05044de57865ebbb78cca8f7da3e595", "versionType": "git"}, {"status": "affected", "version": "1749c4c51c16e3e078faae0a876d01bafb187a74", "lessThan": "3e3551f8702978cd2221d2614ca6d6727e785324", "versionType": "git"}, {"status": "affected", "version": "1749c4c51c16e3e078faae0a876d01bafb187a74", "lessThan": "83bc1a129f7fd0d7d05036ceb7ee69102624e320", "versionType": "git"}, {"status": "affected", "version": "1749c4c51c16e3e078faae0a876d01bafb187a74", "lessThan": "b20c2fb45470d0c7a603613c9cfa5d45720e17f2", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.18"}, {"status": "unaffected", "version": "0", "lessThan": "5.18", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.98", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.39", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.9", "versionType": "semver", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/bc3ff8d3c05044de57865ebbb78cca8f7da3e595"}, {"url": "https://git.kernel.org/stable/c/3e3551f8702978cd2221d2614ca6d6727e785324"}, {"url": "https://git.kernel.org/stable/c/83bc1a129f7fd0d7d05036ceb7ee69102624e320"}, {"url": "https://git.kernel.org/stable/c/b20c2fb45470d0c7a603613c9cfa5d45720e17f2"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-switch, Create ingress ACL when needed\n\nCurrently, ingress acl is used for three features. It is created only\nwhen vport metadata match and prio tag are enabled. But active-backup\nlag mode also uses it. It is independent of vport metadata match and\nprio tag. And vport metadata match can be disabled using the\nfollowing devlink command:\n\n # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \\\n\tvalue false cmode runtime\n\nIf ingress acl is not created, will hit panic when creating drop rule\nfor active-backup lag mode. If always create it, there will be about\n5% performance degradation.\n\nFix it by creating ingress acl when needed. If esw_port_metadata is\ntrue, ingress acl exists, then create drop rule using existing\ningress acl. If esw_port_metadata is false, create ingress acl and\nthen create drop rule."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:13:56.999Z"}}}, "cveMetadata": {"cveId": "CVE-2024-42142", "state": "PUBLISHED", "dateUpdated": "2024-12-19T09:13:56.999Z", "dateReserved": "2024-07-29T15:50:41.189Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-30T07:46:35.929Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3456516-7A6B-40C7-891C-0802FF927B9D", "versionEndExcluding": "6.1.98", "versionStartIncluding": "5.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "29E894E4-668F-4DB0-81F7-4FB5F698E970", "versionEndExcluding": "6.6.39", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ADCC1407-0CB3-4C8F-B4C5-07F682CD7085", "versionEndExcluding": "6.9.9", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*", "matchCriteriaId": "3173713D-909A-4DD3-9DD4-1E171EB057EE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*", "matchCriteriaId": "79F18AFA-40F7-43F0-BA30-7BDB65F918B9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*", "matchCriteriaId": "BD973AA4-A789-49BD-8D57-B2846935D3C7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*", "matchCriteriaId": "8F3E9E0C-AC3E-4967-AF80-6483E8AB0078", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-switch, Create ingress ACL when needed\n\nCurrently, ingress acl is used for three features. It is created only\nwhen vport metadata match and prio tag are enabled. But active-backup\nlag mode also uses it. It is independent of vport metadata match and\nprio tag. And vport metadata match can be disabled using the\nfollowing devlink command:\n\n # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \\\n\tvalue false cmode runtime\n\nIf ingress acl is not created, will hit panic when creating drop rule\nfor active-backup lag mode. If always create it, there will be about\n5% performance degradation.\n\nFix it by creating ingress acl when needed. If esw_port_metadata is\ntrue, ingress acl exists, then create drop rule using existing\ningress acl. If esw_port_metadata is false, create ingress acl and\nthen create drop rule."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: E-switch, crea ACL de entrada cuando sea necesario Actualmente, la acl de entrada se utiliza para tres funciones. Se crea solo cuando la coincidencia de metadatos de vport y la etiqueta prio est\u00e1n habilitadas. Pero el modo de retraso de respaldo activo tambi\u00e9n lo usa. Es independiente de la coincidencia de metadatos de vport y de la etiqueta prio. Y la coincidencia de metadatos de vport se puede desactivar usando el siguiente comando devlink: # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \\ value false cmode runtime Si no se crea la acl de entrada, entrar\u00e1 en p\u00e1nico al crear una regla de eliminaci\u00f3n para la copia de seguridad activa modo de retraso. Si lo crea siempre, habr\u00e1 una degradaci\u00f3n del rendimiento de aproximadamente un 5 %. Solucionarlo creando una acl de entrada cuando sea necesario. Si esw_port_metadata es verdadero, la acl de entrada existe, luego cree una regla de eliminaci\u00f3n utilizando la acl de entrada existente. Si esw_port_metadata es falso, cree una acl de entrada y luego cree una regla de eliminaci\u00f3n."}], "id": "CVE-2024-42142", "lastModified": "2024-12-11T15:18:21.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-07-30T08:15:05.993", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3e3551f8702978cd2221d2614ca6d6727e785324"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/83bc1a129f7fd0d7d05036ceb7ee69102624e320"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b20c2fb45470d0c7a603613c9cfa5d45720e17f2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bc3ff8d3c05044de57865ebbb78cca8f7da3e595"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3e3551f8702978cd2221d2614ca6d6727e785324"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/83bc1a129f7fd0d7d05036ceb7ee69102624e320"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b20c2fb45470d0c7a603613c9cfa5d45720e17f2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bc3ff8d3c05044de57865ebbb78cca8f7da3e595"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net/mlx5: E-switch, Create ingress ACL when needed", "id": "2301507", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301507"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-456", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/mlx5: E-switch, Create ingress ACL when needed\nCurrently, ingress acl is used for three features. It is created only\nwhen vport metadata match and prio tag are enabled. But active-backup\nlag mode also uses it. It is independent of vport metadata match and\nprio tag. And vport metadata match can be disabled using the\nfollowing devlink command:\n# devlink dev param set pci/0000:08:00.0 name esw_port_metadata \\\nvalue false cmode runtime\nIf ingress acl is not created, will hit panic when creating drop rule\nfor active-backup lag mode. If always create it, there will be about\n5% performance degradation.\nFix it by creating ingress acl when needed. If esw_port_metadata is\ntrue, ingress acl exists, then create drop rule using existing\ningress acl. If esw_port_metadata is false, create ingress acl and\nthen create drop rule."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-42142", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-42142\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-42142\nhttps://lore.kernel.org/linux-cve-announce/2024073031-CVE-2024-42142-a3a2@gregkh/T"], "statement": "Red Hat Enterprise Linux is not impacted by this CVE, as the vulnerability in question does not affect the specific versions or configurations of the Linux kernel used in its distributions. This ensures that users of Red Hat Enterprise Linux are not exposed to the potential risks associated with this issue, and no further action or mitigation is necessary for systems running this operating system.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.1.98, kernel 6.6.39, kernel 6.9.9, kernel 6.10"}