http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=621b5060e823301d0cba4cb52a7ee3491922d291

57436

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.7

[oss-security] 20140330 Re: CVE request: Linux Kernel, two security issues

66477

linux-kernel-cve20142673-dos(92113)

https://github.com/torvalds/linux/commit/621b5060e823301d0cba4cb52a7ee3491922d291

https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.15

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A memory corruption flaw was found in the way the USB     ConnectTech WhiteHEAT serial driver processed     completion commands sent via USB Request Blocks     buffers. An attacker with physical access to the system     could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-3185i1/4%0

  - Use-after-free vulnerability in the msm_set_crop     function in drivers/media/video/msm/msm_camera.c in the     MSM-Camera driver for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, allows attackers to     gain privileges or cause a denial of service (memory     corruption) via an application that makes a crafted     ioctl call.(CVE-2015-0568i1/4%0

  - The vivid_fb_ioctl function in     drivers/media/platform/vivid/vivid-osd.c in the Linux     kernel through 4.3.3 does not initialize a certain     structure member, which allows local users to obtain     sensitive information from kernel memory via a crafted     application.(CVE-2015-7884i1/4%0

  - The usb_get_bos_descriptor function in     drivers/usb/core/config.c in the Linux kernel can allow     a local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16535i1/4%0

  - The ACPI parsing functionality in the Linux kernel does     not flush the node and node_ext caches which causes a     kernel stack dump. This allows local users to obtain     sensitive information from kernel memory and use this     information to bypass the KASLR protection mechanism by     creating and applying crafted ACPI     table.(CVE-2017-13694i1/4%0

  - The is_ashmem_file function in     drivers/staging/android/ashmem.c in a certain Qualcomm     Innovation Center (QuIC) Android patch for the Linux     kernel 3.x mishandles pointer validation within the     KGSL Linux Graphics Module, which allows attackers to     bypass intended access restrictions by using the     /ashmem string as the dentry name.(CVE-2016-5340i1/4%0

  - It was found that the Linux kernel did not properly     account file descriptors passed over the unix socket     against the process limit. A local user could use this     flaw to exhaust all available memory on the     system.(CVE-2013-4312i1/4%0

  - Kernel memory corruption due to a buffer overflow was     found in brcmf_cfg80211_mgmt_tx() function in Linux     kernels from v3.9-rc1 to v4.13-rc1. The vulnerability     can be triggered by sending a crafted NL80211_CMD_FRAME     packet via netlink. This flaw is unlikely to be     triggered remotely as certain userspace code is needed     for this. An unprivileged local user could use this     flaw to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although it is unlikely.(CVE-2017-7541i1/4%0

  - A flaw in the netback module allowed frontends to     control mapping of requests to request queues. An     attacker can change this mapping by requesting invalid     mapping requests allowing the (usually privileged)     backend to access out-of-bounds memory access for     reading and writing.(CVE-2018-15471i1/4%0

  - A buffer overflow vulnerability due to a lack of input     filtering of incoming fragmented datagrams was found in     the IP-over-1394 driver firewire-net in a fragment     handling code in the Linux kernel. The vulnerability     exists since firewire supported IPv4, i.e. since     version 2.6.31 (year 2009) till version v4.9-rc4. A     maliciously formed fragment with a respectively large     datagram offset would cause a memcpy() past the     datagram buffer, which would cause a system panic or     possible arbitrary code execution.The flaw requires     firewire-net module to be loaded and is remotely     exploitable from connected firewire devices, but not     over a local network.(CVE-2016-8633i1/4%0

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.(CVE-2016-10741i1/4%0

  - A vulnerability was found in the Linux kernel. The     pointer to the netlink socket attribute is not checked,     which could cause a null pointer dereference when     parsing the nested attributes in function     tipc_nl_publ_dump(). This allows local users to cause a     DoS.(CVE-2016-4951i1/4%0

  - It was reported that with Linux kernel, earlier than     version v4.10-rc8, an application may trigger a BUG_ON     in sctp_wait_for_sndbuf if the socket tx buffer is     full, a thread is waiting on it to queue more data, and     meanwhile another thread peels off the association     being used by the first thread.(CVE-2017-5986i1/4%0

  - The kvm_vm_ioctl_check_extension function in     arch/powerpc/kvm/powerpc.c in the Linux kernel before     4.13.11 allows local users to cause a denial of service     (NULL pointer dereference and system crash) via a     KVM_CHECK_EXTENSION KVM_CAP_PPC_HTM ioctl call to     /dev/kvm.(CVE-2017-15306i1/4%0

  - A flaw was found in the way the Linux kernel's 32-bit     emulation implementation handled forking or closing of     a task with an 'int80' entry. A local user could     potentially use this flaw to escalate their privileges     on the system.(CVE-2015-2830i1/4%0

  - A flaw was found in the way the Linux kernel's SCTP     implementation validated INIT chunks when performing     Address Configuration Change (ASCONF). A remote     attacker could use this flaw to crash the system by     sending a specially crafted SCTP packet to trigger a     NULL pointer dereference on the     system.(CVE-2014-7841i1/4%0

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets are     implemented in the Linux kernel networking subsystem     handling synchronization. A local user able to open a     raw packet socket (requires the CAP_NET_RAW capability)     can use this issue to crash the     system.(CVE-2017-1000111)

  - A flaw was found in the way the Linux kernel performed     forking inside of a transaction. A local, unprivileged     user on a PowerPC system that supports transactional     memory could use this flaw to crash the     system.(CVE-2014-2673i1/4%0

  - The hashbin_delete function in net/irda/irqueue.c in     the Linux kernel improperly manages lock dropping,     which allows local users to cause a denial of service     (deadlock) via crafted operations on IrDA     devices.(CVE-2017-6348i1/4%0

  - An out-of-bounds flaw was found in the kernel, where     the length of the sockaddr parameter was not checked in     the pptp_bind() and pptp_connect() functions. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local system user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8569i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The n_tty_write function in drivers/tty/n_tty.c in the     Linux kernel through 3.14.3 does not properly manage     tty driver access in the 'LECHO i1/4+ !OPOST' case, which     allows local users to cause a denial of service (memory     corruption and system crash) or gain privileges by     triggering a race condition involving read and write     operations with long strings.(CVE-2014-0196)

  - Array index error in the aio_read_events_ring function     in fs/aio.c in the Linux kernel through 3.15.1 allows     local users to obtain sensitive information from kernel     memory via a large head value.(CVE-2014-0206)

  - The fst_get_iface function in drivers/net/wan/farsync.c     in the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory by leveraging the CAP_NET_ADMIN capability for     an SIOCWANDEV ioctl call.(CVE-2014-1444)

  - The wanxl_ioctl function in drivers/net/wan/wanxl.c in     the Linux kernel before 3.11.7 does not properly     initialize a certain data structure, which allows local     users to obtain sensitive information from kernel     memory via an ioctl call.(CVE-2014-1445)

  - The yam_ioctl function in drivers/net/hamradio/yam.c in     the Linux kernel before 3.12.8 does not initialize a     certain structure member, which allows local users to     obtain sensitive information from kernel memory by     leveraging the CAP_NET_ADMIN capability for an     SIOCYAMGCFG ioctl call.(CVE-2014-1446)

  - The help function in net/netfilter/nf_nat_irc.c in the     Linux kernel before 3.12.8 allows remote attackers to     obtain sensitive information from kernel memory by     establishing an IRC DCC session in which incorrect     packet data is transmitted during use of the NAT mangle     feature.(CVE-2014-1690)

  - A flaw was found in the way the Linux kernel's floppy     driver handled user space provided data in certain     error code paths while processing FDRAWCMD IOCTL     commands. A local user with write access to /dev/fdX     could use this flaw to free (using the kfree()     function) arbitrary kernel memory. (CVE-2014-1737,     Important)

  - It was found that the Linux kernel's floppy driver     leaked internal kernel memory addresses to user space     during the processing of the FDRAWCMD IOCTL command. A     local user with write access to /dev/fdX could use this     flaw to obtain information about the kernel heap     arrangement. (CVE-2014-1738, Low)

  - Note: A local user with write access to /dev/fdX could     use these two flaws (CVE-2014-1737 in combination with     CVE-2014-1738) to escalate their privileges on the     system.(CVE-2014-1737)

  - A flaw was found in the way the Linux kernel's floppy     driver handled user space provided data in certain     error code paths while processing FDRAWCMD IOCTL     commands. A local user with write access to /dev/fdX     could use this flaw to free (using the kfree()     function) arbitrary kernel memory. (CVE-2014-1737,     Important)

  - It was found that the Linux kernel's floppy driver     leaked internal kernel memory addresses to user space     during the processing of the FDRAWCMD IOCTL command. A     local user with write access to /dev/fdX could use this     flaw to obtain information about the kernel heap     arrangement. (CVE-2014-1738, Low)

  - Note: A local user with write access to /dev/fdX could     use these two flaws (CVE-2014-1737 in combination with     CVE-2014-1738) to escalate their privileges on the     system.(CVE-2014-1738)

  - An information leak flaw was found in the way the Linux     kernel handled media device enumerate entities IOCTL     requests. A local user able to access the /dev/media0     device file could use this flaw to leak kernel memory     bytes.(CVE-2014-1739)

  - The security_context_to_sid_core function in     security/selinux/ss/services.c in the Linux kernel     before 3.13.4 allows local users to cause a denial of     service (system crash) by leveraging the CAP_MAC_ADMIN     capability to set a zero-length security     context.(CVE-2014-1874)

  - The nfs_can_extend_write function in fs/nfs/write.c in     the Linux kernel before 3.13.3 relies on a write     delegation to extend a write operation without a     certain up-to-date verification, which allows local     users to obtain sensitive information from kernel     memory in opportunistic circumstances by writing to a     file in an NFS filesystem and then reading the same     file.(CVE-2014-2038)

  - The ip6_route_add function in net/ipv6/route.c in the     Linux kernel through 3.13.6 does not properly count the     addition of routes, which allows remote attackers to     cause a denial of service (memory consumption) via a     flood of ICMPv6 Router Advertisement     packets.(CVE-2014-2309)

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux     kernel through 3.13.6 uses a DCCP header pointer     incorrectly, which allows remote attackers to cause a     denial of service (system crash) or possibly execute     arbitrary code via a DCCP packet that triggers a call     to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error     function.(CVE-2014-2523)

  - Use-after-free vulnerability in the nfqnl_zcopy     function in net/netfilter/nfnetlink_queue_core.c in the     Linux kernel through 3.13.6 allows attackers to obtain     sensitive information from kernel memory by leveraging     the absence of a certain orphaning operation. NOTE: the     affected code was moved to the skb_zerocopy function in     net/core/skbuff.c before the vulnerability was     announced.(CVE-2014-2568)

  - It was found that a remote attacker could use a race     condition flaw in the ath_tx_aggr_sleep() function to     crash the system by creating large network traffic on     the system's Atheros 9k wireless network     adapter.(CVE-2014-2672)

  - A flaw was found in the way the Linux kernel performed     forking inside of a transaction. A local, unprivileged     user on a PowerPC system that supports transactional     memory could use this flaw to crash the     system.(CVE-2014-2673)

  - A race condition flaw was found in the way the Linux     kernel's mac80211 subsystem implementation handled     synchronization between TX and STA wake-up code paths.
    A remote attacker could use this flaw to crash the     system.(CVE-2014-2706)

  - A use-after-free flaw was found in the way the     ping_init_sock() function of the Linux kernel handled     the group_info reference counter. A local, unprivileged     user could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-2851)

  - It was found that the try_to_unmap_cluster() function     in the Linux kernel's Memory Managment subsystem did     not properly handle page locking in certain cases,     which could potentially trigger the BUG_ON() macro in     the mlock_vma_page() function. A local, unprivileged     user could use this flaw to crash the     system.(CVE-2014-3122)

  - The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST     extension implementations in the sk_run_filter function     in net/core/filter.c in the Linux kernel through 3.14.3     do not check whether a certain length value is     sufficiently large, which allows local users to cause a     denial of service (integer underflow and system crash)     via crafted BPF instructions. NOTE: the affected code     was moved to the __skb_get_nlattr and
    __skb_get_nlattr_nest functions before the     vulnerability was announced.(CVE-2014-3144)

  - The BPF_S_ANC_NLATTR_NEST extension implementation in     the sk_run_filter function in net/core/filter.c in the     Linux kernel through 3.14.3 uses the reverse order in a     certain subtraction, which allows local users to cause     a denial of service (over-read and system crash) via     crafted BPF instructions. NOTE: the affected code was     moved to the __skb_get_nlattr_nest function before the     vulnerability was announced.(CVE-2014-3145)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-0290 advisory.

  - arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not     ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS     users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm     access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU. (CVE-2014-3690)

  - The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows     local users to cause a denial of service (memory corruption or system crash) by accessing certain memory     locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage     migration, related to fs/proc/task_mmu.c and mm/mempolicy.c. (CVE-2014-3940)

  - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall     numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-     bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application. (CVE-2014-7825)

  - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall     numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial     of service (invalid pointer dereference) via a crafted application. (CVE-2014-7826)

  - Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17     allows local users to cause a denial of service (file unavailability) via a combination of a write action     and an F_SETFL fcntl operation for the O_DIRECT flag. (CVE-2014-8086)

  - net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack     entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols,     which allows remote attackers to bypass intended access restrictions via packets with disallowed port     numbers. (CVE-2014-8160)

  - The filesystem implementation in the Linux kernel before 3.13 performs certain operations on lists of     files with an inappropriate locking approach, which allows local users to cause a denial of service (soft     lockup or system crash) via unspecified use of Asynchronous I/O (AIO) operations. (CVE-2014-8172)

  - The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generic/pgtable.h in the Linux kernel     before 3.13 on NUMA systems does not properly determine whether a Page Middle Directory (PMD) entry is a     transparent huge-table entry, which allows local users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have unspecified other impact via a crafted MADV_WILLNEED     madvise system call that leverages the absence of a page-table lock. (CVE-2014-8173)

  - The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly     maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information     by reading packets. (CVE-2014-8709)

  - Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in     drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a     denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.
    (CVE-2014-8884)

  - The XFS implementation in the Linux kernel before 3.15 improperly uses an old size value during remote     attribute replacement, which allows local users to cause a denial of service (transaction overrun and data     corruption) or possibly gain privileges by leveraging XFS filesystem access. (CVE-2015-0274)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* It was found that Linux kernel's ptrace subsystem did not properly sanitize the address-space-control bits when the program-status word (PSW) was being set. On IBM S/390 systems, a local, unprivileged user could use this flaw to set address-space-control bits to the kernel space, and thus gain read and write access to kernel memory.
(CVE-2014-3534, Important)

* It was found that the permission checks performed by the Linux kernel when a netlink message was received were not sufficient. A local, unprivileged user could potentially bypass these restrictions by passing a netlink socket as stdout or stderr to a more privileged process and altering the output of this process. (CVE-2014-0181, Moderate)

* It was found that a remote attacker could use a race condition flaw in the ath_tx_aggr_sleep() function to crash the system by creating large network traffic on the system's Atheros 9k wireless network adapter. (CVE-2014-2672, Moderate)

* A flaw was found in the way the Linux kernel performed forking inside of a transaction. A local, unprivileged user on a PowerPC system that supports transactional memory could use this flaw to crash the system. (CVE-2014-2673, Moderate)

* A race condition flaw was found in the way the Linux kernel's mac80211 subsystem implementation handled synchronization between TX and STA wake-up code paths. A remote attacker could use this flaw to crash the system. (CVE-2014-2706, Moderate)

* An integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made.
(CVE-2014-4667, Moderate)

Red Hat would like to thank Martin Schwidefsky of IBM for reporting CVE-2014-3534, Andy Lutomirski for reporting CVE-2014-0181, and Gopal Reddy Kodudula of Nokia Siemens Networks for reporting CVE-2014-4667.

This update also fixes the following bugs :

* Due to a NULL pointer dereference bug in the IPIP and SIT tunneling code, a kernel panic could be triggered when using IPIP or SIT tunnels with IPsec. This update restructures the related code to avoid a NULL pointer dereference and the kernel no longer panics when using IPIP or SIT tunnels with IPsec. (BZ#1114957)

* Previously, an IBM POWER8 system could terminate unexpectedly when the kernel received an IRQ while handling a transactional memory re-checkpoint critical section. This update ensures that IRQs are disabled in this situation and the problem no longer occurs.
(BZ#1113150)

* A missing read memory barrier, rmb(), in the bnx2x driver caused the kernel to crash under various circumstances. This problem has been fixed by adding an rmb() call to the relevant place in the bnx2x code.
(BZ#1107721)

* The hpwdt driver previously emitted a panic message that was misleading on certain HP systems. This update ensures that upon a kernel panic, hpwdt displays information valid on all HP systems.
(BZ#1096961)

* The qla2xxx driver has been upgraded to version 8.06.00.08.07.0-k3, which provides a number of bug fixes over the previous version in order to correct various timeout problems with the mailbox commands.
(BZ#1112389)

* The SCSI mid-layer could retry an I/O operation indefinitely if a storage array repeatedly returned a CHECK CONDITION status to that I/O operation but the sense data was invalid. This update fixes the problem by limiting a time for which is such an I/O operation retried.
(BZ#1114468)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-1023 advisory.

  - Race condition in the ath_tx_aggr_sleep function in drivers/net/wireless/ath/ath9k/xmit.c in the Linux     kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via a large     amount of network traffic that triggers certain list deletions. (CVE-2014-2672)

  - Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to     cause a denial of service (system crash) via network traffic that improperly interacts with the     WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c. (CVE-2014-2706)

  - The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing     socket operations based on the opener of a socket, which allows local users to bypass intended access     restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr     of a setuid program. (CVE-2014-0181)

  - The arch_dup_task_struct function in the Transactional Memory (TM) implementation in     arch/powerpc/kernel/process.c in the Linux kernel before 3.13.7 on the powerpc platform does not properly     interact with the clone and fork system calls, which allows local users to cause a denial of service     (Program Check and system crash) via certain instructions that are executed with the processor in the     Transactional state. (CVE-2014-2673)

  - arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly     restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to     obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted     application that makes a ptrace system call. (CVE-2014-3534)

  - The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not     properly manage a certain backlog value, which allows remote attackers to cause a denial of service     (socket outage) via a crafted SCTP packet. (CVE-2014-4667)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Matthew Daley reported an information leak in the floppy disk driver of the Linux kernel. An unprivileged local user could exploit this flaw to obtain potentially sensitive information from kernel memory.
(CVE-2014-1738)

Matthew Daley reported a flaw in the handling of ioctl commands by the floppy disk driver in the Linux kernel. An unprivileged local user could exploit this flaw to gain administrative privileges if the floppy disk module is loaded. (CVE-2014-1737)

A flaw was discovered in the vhost-net subsystem of the Linux kernel.
Guest OS users could exploit this flaw to cause a denial of service (host OS crash). (CVE-2014-0055)

A flaw was discovered in the handling of network packets when mergeable buffers are disabled for virtual machines in the Linux kernel. Guest OS users may exploit this flaw to cause a denial of service (host OS crash) or possibly gain privilege on the host OS.
(CVE-2014-0077)

Nikolay Aleksandrov discovered a race condition in Linux kernel's IPv4 fragment handling code. Remote attackers could exploit this flaw to cause a denial of service (system crash) or possibly have other unspecified impact. (CVE-2014-0100)

A flaw was discovered in the Linux kernel's handling of the SCTP handshake. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-0101)

A flaw was discovered in the handling of routing information in Linux kernel's IPv6 stack. A remote attacker could exploit this flaw to cause a denial of service (memory consumption) via a flood of ICMPv6 router advertisement packets. (CVE-2014-2309)

An error was discovered in the Linux kernel's DCCP protocol support. A remote attacked could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2014-2523)

Max Sydorenko discovered a race condition in the Atheros 9k wireless driver in the Linux kernel. This race could be exploited by remote attackers to cause a denial of service (system crash). (CVE-2014-2672)

Adhemerval Zanella Neto discovered a flaw the in the Transactional Memory (TM) implementation for powerpc based machine. An unprivileged local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-2673)

An error was discovered in the Reliable Datagram Sockets (RDS) protocol stack in the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-2678)

Yaara Rozenblum discovered a race condition in the Linux kernel's Generic IEEE 802.11 Networking Stack (mac80211). Remote attackers could exploit this flaw to cause a denial of service (system crash).
(CVE-2014-2706)

A flaw was discovered in the Linux kernel's ping sockets. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or possibly gain privileges via a crafted application. (CVE-2014-2851).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124970	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1517)	Nessus	Huawei Local Security Checks	high
124803	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1479)	Nessus	Huawei Local Security Checks	critical
81800	Oracle Linux 7 : kernel (ELSA-2015-0290)	Nessus	Oracle Linux Local Security Checks	high
77046	RHEL 7 : kernel (RHSA-2014:1023)	Nessus	Red Hat Local Security Checks	high
77045	Oracle Linux 7 : kernel (ELSA-2014-1023)	Nessus	Oracle Linux Local Security Checks	high
77034	CentOS 7 : kernel (CESA-2014:1023)	Nessus	CentOS Local Security Checks	high
74215	Ubuntu 13.10 : linux vulnerabilities (USN-2228-1)	Nessus	Ubuntu Local Security Checks	critical
74213	Ubuntu 12.04 LTS : linux-lts-saucy vulnerabilities (USN-2225-1)	Nessus	Ubuntu Local Security Checks	critical

CVE-2014-2673

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

critical

high

high

high

high

critical

critical