Statement on the recent CVE-2022-0185 vulnerability

Cian Johnston
Jonathan Yu
January 21st, 2022

A vulnerability (CVE-2022-0185) was recently discovered in the Linux kernel (versions 5.1 and above). It allows a user with local access inside a non-privileged user namespace to gain root access by exploiting an integer underflow to obtain the CAP_SYS_ADMIN capability in a new user namespace, a capability normally reserved for processes running as the root user.

This vulnerability affects users of Coder.

In order to exploit this vulnerability, a user must be logged into a Coder workspace.

Coder relies upon third-party components such as Docker, Sysbox, and Podman, which in turn rely heavily upon non-privileged user namespaces for security and isolation. The Nestybox team, for example, has confirmed that this issue affects downstream users.

One accepted mitigation strategy is to disable unprivileged user namespaces:

sysctl -w kernel.unprivileged_userns_clone=0

However, this mitigation may interfere with core system functionality that Coder needs in order to work, so we cannot recommend it. We instead recommend updating the Linux kernel on all systems that run Coder workspaces as soon as possible.
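To check whether the sysctl mitigation above is currently in effect on a host, the following added example script (not Coder's code) reads the relevant kernel settings. It assumes the kernel.unprivileged_userns_clone knob, which exists only on Debian/Ubuntu-patched kernels, and also checks the upstream user.max_user_namespaces setting, which is the equivalent control on distributions without that knob.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespaces are available,
# i.e. whether the sysctl mitigation described above is active on this host.
# File paths are passed as parameters so the logic can be exercised offline.

# userns_status CLONE_FILE MAXNS_FILE
# Prints "disabled", "enabled", or "unknown" (neither file readable).
userns_status() {
  seen=0
  if [ -r "$1" ]; then
    seen=1
    # Debian/Ubuntu-specific knob: 0 means unprivileged userns creation is off
    [ "$(cat "$1")" = "0" ] && { echo disabled; return; }
  fi
  if [ -r "$2" ]; then
    seen=1
    # Upstream knob: user.max_user_namespaces=0 also blocks creation
    [ "$(cat "$2")" = "0" ] && { echo disabled; return; }
  fi
  [ "$seen" -eq 1 ] && echo enabled || echo unknown
}

# Live report for the running host, using the real /proc/sys paths.
host_report() {
  echo "kernel: $(uname -r)"
  echo "unprivileged user namespaces: $(userns_status \
    /proc/sys/kernel/unprivileged_userns_clone \
    /proc/sys/user/max_user_namespaces)"
  # Empirical probe: can an unprivileged process actually create a userns?
  if command -v unshare >/dev/null 2>&1; then
    if unshare -U true 2>/dev/null; then
      echo "probe: user namespace creation succeeded"
    else
      echo "probe: user namespace creation failed"
    fi
  fi
}

host_report
```

Run it on each host that runs Coder workspaces; a result of "disabled" means the mitigation is active and, as noted above, Coder's own isolation layers may not function.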

If you have already updated to Coder version 1.27, we also recommend enabling workspace process logging, which will let you monitor any attempts to exploit this vulnerability.

The Ubuntu and Red Hat kernel maintainers have released security bulletins for this issue:

If you run Coder on a different Linux distribution, please check the security bulletins for your distribution. We recommend checking these periodically for new information on potential vulnerabilities and installing security patches as soon as they are available.
