CVE-2022-42919

Published: 2 November 2022

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.

Priority

Cvss 3 Severity Score

7.8

Score breakdown

Status

Package	Release	Status
python2.7 Launchpad, Ubuntu, Debian	bionic	Not vulnerable
	focal	Not vulnerable
	jammy	Not vulnerable
	kinetic	Not vulnerable
	trusty	Not vulnerable
	upstream	Not vulnerable
	xenial	Not vulnerable
	lunar	Does not exist
	mantic	Does not exist
python3.5 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable
	trusty	Not vulnerable
python3.6 Launchpad, Ubuntu, Debian	bionic	Not vulnerable
	focal	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	trusty	Does not exist
	upstream	Not vulnerable
	xenial	Does not exist
python3.9 Launchpad, Ubuntu, Debian	focal	Released (3.9.5-3ubuntu0~20.04.1+esm1) Available with Ubuntu Pro
	bionic	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Patches: upstream: https://github.com/python/cpython/commit/b43496c01a554cf41ae654a0379efae18609ad39
python3.10 Launchpad, Ubuntu, Debian	jammy	Released (3.10.6-1~22.04.1)
	kinetic	Released (3.10.7-1ubuntu0.1)
	bionic	Does not exist
	focal	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	Patches: upstream: https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2
python3.4 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	trusty	Not vulnerable
	upstream	Needs triage
	xenial	Does not exist
python3.7 Launchpad, Ubuntu, Debian	bionic	Not vulnerable
	focal	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	trusty	Does not exist
	upstream	Not vulnerable
	xenial	Does not exist
python3.8 Launchpad, Ubuntu, Debian	bionic	Not vulnerable
	focal	Not vulnerable
	jammy	Does not exist
	trusty	Does not exist
	upstream	Not vulnerable
	xenial	Does not exist
	kinetic	Does not exist
python3.11 Launchpad, Ubuntu, Debian	kinetic	Ignored (end of life, was needed)
	bionic	Does not exist
	focal	Does not exist
	jammy	Needed
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	lunar	Not vulnerable (3.11.0-3)
	mantic	Not vulnerable (3.11.0-3)

Severity score breakdown

Parameter	Value
Base score	7.8
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Bugs

https://github.com/python/cpython/issues/97514

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›