Versions Affected : All verisons prior to FreeNAS 11.3-U2
A missing NUL-termination check for the jail_set(2) configration option “osrelease” may return more bytes when reading the jail configuration back with jail_get(2) than were originally set.
For jails with a non-default setting of children.max > 0 (“nested jails”) a superuser inside a jail can create a jail and may be able to read and take advantage of exposed kernel memory.
No workaround is available. Systems not altering the default settings of the jail configuration option children.max=0 are not affected as a root on the base system has ccess to kernel memory by other means and a super user inside a jail cannot create further jails.
- Upgrade to FreeNAS 11.3-U2 or later.