We have received some questions regarding the "Dirty Frag" root exploit.
U7 was never exploitable that way. This is because the kernel version of CentOS 7 is older than the version that introduced the kernel bug in the first place. (And not to leave a false impression: We are paying for TuxCare's "Endless Lifecycle Support" which means we still receive security updates for critical bugs.)
U8 runs a kernel version that is technically exploitable (no fixed kernel version exists upstream as of now), but the exploit's preconditions are not met on our hosts:
The xfrm-ESP Page-Cache Write exploit needs the privilege to create a user namespace. We specifically block unprivileged user namespaces on U8 due to general security concerns. (This is also why we cannot support running containers such as Docker/Podman on U8 as of now: they rely on unprivileged user namespaces. On a throwaway host we confirmed that enabling unprivileged user namespaces does indeed allow the exploit to work.)
The RxRPC Page-Cache Write exploit needs the rxrpc kernel module to be loaded. While Arch Linux ships this module, it is not loaded by default, and we can confirm it was not loaded on any of our hosts.
As a safety measure, we implemented the suggested mitigation (blocking the problematic esp4, esp6 and rxrpc modules from being loaded) on all systems.
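The module-blocking mitigation above, as an added example that is not the provider's own tooling: a POSIX shell script that renders a modprobe.d drop-in for esp4/esp6/rxrpc, checks an lsmod listing for those modules, and audits a host. The drop-in path, the "install ... /bin/false" rule form and the sample lsmod output are assumptions; the post only states that the modules are blocked from loading.

```shell
#!/bin/sh
# Added example, not the provider's own tooling. Renders a modprobe.d drop-in
# that blocks esp4/esp6/rxrpc and audits a host. The drop-in path and the use
# of "install ... /bin/false" are assumptions; the post only says the modules
# are blocked from loading.
BLOCKED_MODULES="esp4 esp6 rxrpc"
DROPIN=/etc/modprobe.d/block-dirtyfrag.conf   # assumed path
# "install <mod> /bin/false" is stronger than "blacklist <mod>": blacklist only
# stops alias-based autoloading, "install" also fails an explicit modprobe.
render_modprobe_conf() {
    for m in "$@"; do printf 'install %s /bin/false\n' "$m"; done
}

# Exit 0 if module $1 is in lsmod-style output on stdin (exact first-column
# match, so "esp" does not match "esp4"; NR > 1 skips the header line).
module_loaded_in() {
    awk -v mod="$1" 'NR > 1 && $1 == mod { found = 1 } END { exit found ? 0 : 1 }'
}

# Exit 0 if the drop-in text on stdin has a blocking line for every module in $@.
conf_blocks_all() {
    conf=$(cat)
    for m in "$@"; do
        printf '%s\n' "$conf" | grep -Eq "^install[[:space:]]+$m[[:space:]]+/bin/false[[:space:]]*$" || return 1
    done
}
# Live audit. A blocking rule does not unload an already-resident module, so a
# LOADED module still needs rmmod or a reboot; blocking esp4/esp6 also means
# kernel IPsec ESP is unavailable. max_user_namespaces=0 is the U8 precondition.
audit_host() {
    for m in $BLOCKED_MODULES; do
        if lsmod | module_loaded_in "$m"; then echo "LOADED:     $m"; else echo "not loaded: $m"; fi
    done
    if [ -r "$DROPIN" ] && conf_blocks_all $BLOCKED_MODULES < "$DROPIN"; then
        echo "drop-in ok: $DROPIN"
    else
        echo "drop-in missing or incomplete: $DROPIN"
    fi
    echo "user.max_user_namespaces=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo unknown)"
}
# Constructed lsmod sample (not from a real host): esp4 resident, rxrpc absent.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  0
xfrm_user              49152  1'

case "${1-}" in
    render) render_modprobe_conf $BLOCKED_MODULES ;;   # ./audit.sh render > "$DROPIN"
    audit)  audit_host ;;
esac
```

Run `sh audit.sh audit` on a host after installing the drop-in; a module reported LOADED is still resident until it is unloaded or the host rebooted.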