On 7th March 2022, we became aware of CVE-2022-0847, also known as "Dirty Pipe", a flaw that allows an unprivileged local user to write to pages in the page cache that are backed by read-only files and thereby escalate their privileges on the system.
Our Security and Operations teams have investigated the potential impact on the Aiven platform and are currently working on a fix to be deployed across our fleet.
An optional maintenance update will be made available to all customers. It patches their services against this issue and can be applied using the normal maintenance application functions already in use. Over the next 30 days, the optional update will be made mandatory and rolled out to all customers.
Impact to Aiven Services
The Aiven platform does not allow direct interaction with the underlying operating system. Additionally, Aiven’s architecture prevents cross-tenant impact from vulnerabilities such as this.
Our product and infrastructure security teams have reviewed our existing mitigations in the context of this particular vulnerability. Furthermore, internal monitoring has been extended to help identify any exploitation attempts.
For more information about the vulnerability, see CVE-2022-0847.