{"id":7051,"date":"2026-05-20T13:26:27","date_gmt":"2026-05-20T11:26:27","guid":{"rendered":"https:\/\/logmanager.com\/?p=7051"},"modified":"2026-05-20T14:55:27","modified_gmt":"2026-05-20T12:55:27","slug":"logmanager-a-aktualni-kernel-zranitelnosti","status":"publish","type":"post","link":"https:\/\/logmanager.com\/cs\/blog\/logmanager-a-aktualni-kernel-zranitelnosti\/","title":{"rendered":"Zranitelnosti DirtyFrag, Copyfail a Fragnesia nep\u0159edstavuj\u00ed pro Logmanager riziko"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">V uplynul\u00fdch t\u00fddnech vzbudilo v bezpe\u010dnostn\u00ed komunit\u011b zna\u010dnou pozornost n\u011bkolik zranitelnost\u00ed linuxov\u00e9ho j\u00e1dra, konkr\u00e9tn\u011b <strong>DirtyFrag, Copyfail a Fragnesia<\/strong>. Tyto hrozby jsme tedy prov\u011b\u0159ili v\u016f\u010di <strong>Logmanager 3 a Logmanager 4<\/strong> a m\u016f\u017eeme potvrdit, \u017ee \u017e\u00e1dn\u00e1 z nich nep\u0159edstavuje pro na\u0161i platformu hrozbu.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Co jsou DirtyFrag, Copyfail a Fragnesia?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DirtyFrag, Copyfail a Fragnesia p\u0159edstavuj\u00ed zranitelnosti typu <strong>Local Privilege Escalation (LPE)<\/strong> v linuxov\u00e9m j\u00e1d\u0159e. V nejhor\u0161\u00edm p\u0159\u00edpad\u011b mohou \u00fato\u010dn\u00edkovi, kter\u00fd u\u017e m\u00e1 na k dan\u00e9mu syst\u00e9mu n\u011bjak\u00fd p\u0159\u00edstup (nap\u0159\u00edklad prost\u0159ednictv\u00edm lok\u00e1ln\u00edho shell \u00fa\u010dtu nebo mo\u017enosti z\u00edskat p\u0159\u00edstup mimo dan\u00fd container) umo\u017enit z\u00edskat plnou kontrolu nad hostitelsk\u00fdm opera\u010dn\u00edm syst\u00e9mem.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Kl\u00ed\u010dov\u00e1 je zde formulace <strong>\u201eu\u017e m\u00e1 n\u011bjak\u00fd p\u0159\u00edstup\u201c<\/strong>. Nejde o zranitelnosti, kter\u00e9 by bylo mo\u017en\u00e9 zneu\u017e\u00edt vzd\u00e1len\u011b p\u0159es s\u00ed\u0165 extern\u00edm \u00fato\u010dn\u00edkem. \u00dato\u010dn\u00edk mus\u00ed b\u00fdt nejprve legitimn\u00edm lok\u00e1ln\u00edm u\u017eivatelem nebo ji\u017e d\u0159\u00edve kompromitovat proces b\u011b\u017e\u00edc\u00ed v syst\u00e9mu.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pro\u010d se tyto zranitelnosti Logmanageru net\u00fdkaj\u00ed<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Logmanager nem\u00e1 lok\u00e1ln\u00ed u\u017eivatelsk\u00e9 \u00fa\u010dty<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Logmanager je bezpe\u010dnostn\u00ed appliance, nikoliv univerz\u00e1ln\u00ed server pro obecn\u00e9 pou\u017eit\u00ed. V syst\u00e9mu neexistuj\u00ed \u017e\u00e1dn\u00e9 koncov\u00e9 u\u017eivatelsk\u00e9 \u00fa\u010dty. Z\u00e1kazn\u00edci nemaj\u00ed SSH p\u0159\u00edstup, oper\u00e1to\u0159i nemaj\u00ed k dispozici interaktivn\u00ed shell mimo definovan\u00e9 administra\u010dn\u00ed rozhran\u00ed a syst\u00e9m neobsahuje \u017e\u00e1dn\u00e9 sd\u00edlen\u00e9 ani guest \u00fa\u010dty.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Model \u00fatoku, na kter\u00e9m tyto zranitelnosti stoj\u00ed, tedy p\u0159\u00edtomnost neprivilegovan\u00e9ho lok\u00e1ln\u00edho u\u017eivatele, ve standardn\u00edm nasazen\u00ed Logmanageru jednodu\u0161e neexistuje.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Proto\u017ee prvn\u00ed krok ka\u017ed\u00e9ho \u00fato\u010dn\u00e9ho \u0159et\u011bzce popsan\u00e9ho v t\u011bchto CVE nen\u00ed v prost\u0159ed\u00ed Logmanageru realizovateln\u00fd, zbytek \u0159et\u011bzce je z pohledu exploatace irelevantn\u00ed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bezpe\u010dnost u n\u00e1s nekon\u010d\u00ed u \u201eto bude sta\u010dit\u201c<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">P\u0159esto\u017ee nep\u0159edpokl\u00e1d\u00e1me existenci lok\u00e1ln\u00edho \u00fato\u010dn\u00edka, v\u011b\u0159\u00edme, \u017ee i \u010d\u00e1ste\u010dn\u00e1 mitigace m\u00e1 smysl. Bezpe\u010dnost by m\u011bla fungovat ve vrstv\u00e1ch a i zranitelnosti, u nich\u017e je pravd\u011bpodobnost zneu\u017eit\u00ed n\u00edzk\u00e1, stoj\u00ed za \u0159e\u0161en\u00ed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">N\u00e1\u0161 p\u0159\u00edstup:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Blacklistov\u00e1n\u00ed kernel modul\u016f<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pokud zranitelnost vy\u017eaduje dynamick\u00e9 na\u010dten\u00ed konkr\u00e9tn\u00edho kernel modulu, m\u016f\u017eeme jeho na\u010dten\u00ed zcela zablokovat. Jde o jeden z n\u00e1stroj\u016f, kter\u00e9 vyu\u017e\u00edv\u00e1me v situac\u00edch, kdy je\u0161t\u011b nen\u00ed dostupn\u00e1 kernelov\u00e1 oprava nebo nen\u00ed dostate\u010dn\u00e1. V tomto p\u0159\u00edpad\u011b je ji\u017e oprava dostupn\u00e1, a proto jsme se rozhodli p\u0159\u00edslu\u0161n\u00fd modul v tuto chv\u00edli neblokovat. Do budoucna v\u0161ak tato mo\u017enost z\u016fst\u00e1v\u00e1 jednou z mo\u017enost\u00ed mitigace.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Nepovolujeme to, co nepou\u017e\u00edv\u00e1me<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Logmanager na samotn\u00e9 appliance nevyu\u017e\u00edv\u00e1 IPsec tunelov\u00e1n\u00ed. Kernelov\u00e9 subsyst\u00e9my pot\u0159ebn\u00e9 ke zneu\u017eit\u00ed DirtyFrag a Fragnesia se proto nikdy neaktivuj\u00ed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Omezen\u00ed capabilities kontejner\u016f<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Intern\u00ed slu\u017eby b\u011b\u017e\u00ed v kontejnerech s p\u0159\u00edsn\u011b omezenou sadou opr\u00e1vn\u011bn\u00ed. Zv\u00fd\u0161en\u00e9 capabilities pot\u0159ebn\u00e9 pro interakci s dot\u010den\u00fdmi kernelov\u00fdmi subsyst\u00e9my nejsou \u017e\u00e1dn\u00e9mu kontejneru standardn\u011b p\u0159id\u011bleny.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Bezpe\u010dnostn\u00ed aktualizace opera\u010dn\u00edho syst\u00e9mu<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pr\u016fb\u011b\u017en\u011b sledujeme bezpe\u010dnostn\u00ed kan\u00e1ly na\u0161eho dodavatele opera\u010dn\u00edho syst\u00e9mu a kernelov\u00e9 opravy zahrnujeme do jednotliv\u00fdch releas\u016f Logmanageru. Oprava na \u00farovni j\u00e1dra pro Copyfail (CVE-2026-31431) je od na\u0161eho dodavatele OS ji\u017e dostupn\u00e1 a bude sou\u010d\u00e1st\u00ed nadch\u00e1zej\u00edc\u00edch verz\u00ed obou produktov\u00fdch \u0159ad.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Shrnut\u00ed<\/h2>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Zranitelnost<\/strong><\/td><td><strong>CVE<\/strong><\/td><td><strong>Logmanager 3<\/strong><\/td><td><strong>Logmanager 4<\/strong><\/td><\/tr><tr><td>Copyfail<\/td><td>CVE-2026-31431<\/td><td>Nelze zneu\u017e\u00edt \u2014 architektonick\u00e1 opat\u0159en\u00ed exploataci znemo\u017e\u0148uj\u00ed; kernelov\u00e1 oprava bude sou\u010d\u00e1st\u00ed nadch\u00e1zej\u00edc\u00ed verze<\/td><td>Nelze zneu\u017e\u00edt \u2014 architektonick\u00e1 opat\u0159en\u00ed exploataci znemo\u017e\u0148uj\u00ed; kernelov\u00e1 oprava bude sou\u010d\u00e1st\u00ed nadch\u00e1zej\u00edc\u00ed verze<\/td><\/tr><tr><td>DirtyFrag<\/td><td>CVE-2026-43284, CVE-2026-43500<\/td><td>Nelze zneu\u017e\u00edt \u2014 zraniteln\u00e9 kernelov\u00e9 subsyst\u00e9my nejsou aktivn\u00ed; dot\u010den\u00e1 \u010d\u00e1st k\u00f3du nen\u00ed sou\u010d\u00e1st\u00ed buildu j\u00e1dra<\/td><td>Nelze zneu\u017e\u00edt \u2014 zraniteln\u00e9 kernelov\u00e9 subsyst\u00e9my nejsou aktivn\u00ed<\/td><\/tr><tr><td>Fragnesia<\/td><td>CVE-2026-31431<\/td><td>Nelze zneu\u017e\u00edt \u2014 plat\u00ed stejn\u00e9 podm\u00ednky jako u DirtyFrag<br><\/td><td>Nelze zneu\u017e\u00edt \u2014 plat\u00ed stejn\u00e9 podm\u00ednky jako u DirtyFrag<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">N\u00e1\u0161 t\u00fdm pr\u016fb\u011b\u017en\u011b sleduje relevantn\u00ed upozorn\u011bn\u00ed na bezpe\u010dnostn\u00ed hrozby a vyhodnocujeme jejich potenci\u00e1ln\u00ed dopad na na\u0161i platformu.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pokud m\u00e1te jak\u00e9koli dotazy, obra\u0165te se na n\u00e1\u0161 t\u00fdm podpory na <strong><a href=\"mailto:support@logmanager.com\">support@logmanager.com<\/a><\/strong>.<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zjist\u011bte v\u00edce o tom, pro\u010d zranitelnosti linuxov\u00e9ho j\u00e1dra, konkr\u00e9tn\u011b DirtyFrag, Copyfail a Fragnesia, nep\u0159edstavuj\u00ed pro Logmanager re\u00e1ln\u00e9 riziko.<\/p>\n","protected":false},"author":7,"featured_media":7351,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[31],"tags":[],"class_list":["post-7051","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-novinky"],"acf":[],"_links":{"self":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/posts\/7051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/comments?post=7051"}],"version-history":[{"count":4,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/posts\/7051\/revisions"}],"predecessor-version":[{"id":7058,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/posts\/7051\/revisions\/7058"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/media\/7351"}],"wp:attachment":[{"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/media?parent=7051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/categories?post=7051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/logmanager.com\/cs\/wp-json\/wp\/v2\/tags?post=7051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}