vulnerability
Ubuntu: (CVE-2023-49298): zfs-linux vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:C/A:N) | Nov 24, 2023 | Nov 19, 2024 | Oct 30, 2025 |
Description
OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions.
Solution
References
- CVE-2023-49298
- https://attackerkb.com/topics/CVE-2023-49298
- CWE-639
- URL-https://gist.github.com/rincebrain/e23b4a39aba3fadc04db18574d30dc73
- URL-https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2
- URL-https://news.ycombinator.com/item?id=38405731
- URL-https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files
- URL-https://www.cve.org/CVERecord?id=CVE-2023-49298
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.