CVE-2023-49298

7.5 HIGH

📋 TL;DR

OpenZFS vulnerability where file contents can be replaced with zero-valued bytes during certain copy operations, potentially disabling security mechanisms like access control rules. Affects OpenZFS versions through 2.1.13 and 2.2.x through 2.2.1. This can impact systems using tools like GNU cp to manage security configuration files.

💻 Affected Systems

Products:
  • OpenZFS
Versions: OpenZFS through 2.1.13 and 2.2.x through 2.2.1
Operating Systems: Linux, FreeBSD, Other Unix-like systems with OpenZFS
Default Config Vulnerable: ⚠️ Yes
Notes: Occurs less often in version 2.2.1 and versions before 2.1.4 due to default configuration differences. Requires specific scenarios involving applications that rely on efficient file data copying.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Security configuration files (like /etc/hosts.deny) are corrupted with zeros, disabling access controls and allowing unauthorized network access or privilege escalation.

🟠

Likely Case

Security configuration files become corrupted during administrative copy operations, temporarily disabling security mechanisms until manually corrected.

🟢

If Mitigated

Minimal impact if proper change control procedures and file integrity monitoring are in place to detect and correct corrupted files.

🌐 Internet-Facing: MEDIUM - Could allow bypass of network access controls if security configuration files are corrupted.
🏢 Internal Only: MEDIUM - Could impact internal security controls and access management systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions: vulnerable OpenZFS version, applications using certain copy operations, and targeting of security configuration files. Not a direct remote code execution vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenZFS 2.1.14 and later

Vendor Advisory: https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14

Restart Required: Yes

Instructions:

1. Backup all ZFS datasets.
2. Update OpenZFS to version 2.1.14 or later.
3. Reboot the system to load the patched kernel module.
4. Verify the fix by checking the OpenZFS version.

🔧 Temporary Workarounds

Avoid using GNU cp with security-sensitive files

Use alternative copy methods like rsync or cat for security configuration files

# Use rsync instead of cp for security files
rsync -a /path/to/source /path/to/destination
# Or use cat
cat /path/to/source > /path/to/destination

Implement file integrity monitoring

Monitor critical security files for unexpected changes using tools like AIDE or Tripwire

# Install and configure AIDE
apt-get install aide
aideinit
aide --check

🧯 If You Can't Patch

  • Implement strict change control procedures for security configuration files
  • Regularly audit and verify integrity of security configuration files
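The corruption this CVE produces is a run of zero-valued bytes inside what should be a plain-text file, so a quick audit is to look for NUL bytes in the security configuration files you copy. The following is an added example for that check, not code from the page or from the OpenZFS project; the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: report text configuration files that contain NUL (0x00) bytes,
# the signature of the CVE-2023-49298 corruption. Text files such as
# /etc/hosts.deny should never contain NULs, so any hit deserves a look.
# Prints each offending file with the NUL count; returns 0 if all files are
# clean, 1 if at least one file contains NUL bytes.
nul_scan() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Size of the file versus size with NUL bytes stripped out.
        total=$(wc -c < "$f" | tr -d ' ')
        stripped=$(tr -d '\000' < "$f" | wc -c | tr -d ' ')
        if [ "$total" -ne "$stripped" ]; then
            printf 'NUL bytes found: %s (%s of %s bytes)\n' \
                "$f" "$((total - stripped))" "$total"
            rc=1
        fi
    done
    return $rc
}

# Example invocation (assumed paths):
#   nul_scan /etc/hosts.deny /etc/hosts.allow /etc/ssh/sshd_config
```

Run it after any administrative copy of security files, or from cron alongside AIDE, and treat a non-zero exit as a reason to restore the file from a known-good source.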

🔍 How to Verify

Check if Vulnerable:

Check OpenZFS version with: modinfo zfs | grep version

Check Version:

modinfo zfs | grep version

Verify Fix Applied:

Verify OpenZFS version is 2.1.14 or higher: modinfo zfs | grep version

📡 Detection & Monitoring

Log Indicators:

  • Sudden changes in file sizes for security configuration files
  • Access control failures in application logs
  • File integrity monitoring alerts

Network Indicators:

  • Unexpected network connections that should be blocked
  • Failed authentication attempts from previously blocked IPs

SIEM Query:

source="*syslog*" AND ("hosts.deny" OR "access control" OR "file corruption") AND ("zero" OR "corrupt" OR "failed")
