OpenShift must enable poisoning of SLUB/SLAB objects.

STIG ID: CNTR-OS-000580  |  SRG: SRG-APP-000243-CTR-000600 | Severity: medium |  CCI: CCI-001090

Vulnerability Discussion

By enabling poisoning of SLUB/SLAB objects, OpenShift can detect and identify use-after-free scenarios more effectively. The poisoned objects are marked as invalid or inaccessible, causing crashes or triggering alerts when an application attempts to access them. This helps identify and mitigate potential security vulnerabilities before they can be exploited.

Check

Verify that Red Hat Enterprise Linux CoreOS (RHCOS) is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; grep slub_debug /boot/loader/entries/*.conf ' 2>/dev/null; done

If "slub_debug" is not set to "P" or is missing, this is a finding.

Fix

Apply the machine config to enable poisoning of SLUB/SLAB objects by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 05-kernelarg-slub-debug-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
kernelArguments:
- slub_debug=P
" | oc apply -f -
done
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.