The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.

The remote Oracle Linux host is missing a security update for one or more kernel-related packages.

The SUSE Linux Enterprise 12 kernel was updated to 3.12.31 to receive various security and bugfixes.

Security issues fixed: CVE-2014-9322: A local privilege escalation in the x86_64 32bit compatibility signal handling was fixed, which could be used by local attackers to crash the machine or execute code.

  - CVE-2014-9090: Various issues in LDT handling in 32bit     compatibility mode on the x86_64 platform were fixed,     where local attackers could crash the machine.

  - CVE-2014-8133: Insufficient validation of TLS register     usage could leak information from the kernel stack to     userspace.

  - CVE-2014-7826: kernel/trace/trace_syscalls.c in the     Linux kernel did not properly handle private syscall     numbers during use of the ftrace subsystem, which     allowed local users to gain privileges or cause a denial     of service (invalid pointer dereference) via a crafted     application.

  - CVE-2014-3647: Nadav Amit reported that the KVM (Kernel     Virtual Machine) mishandled noncanonical addresses when     emulating instructions that change the rip (Instruction     Pointer). A guest user with access to I/O or the MMIO     could use this flaw to cause a denial of service (system     crash) of the guest.

  - CVE-2014-3611: A race condition flaw was found in the     way the Linux kernel's KVM subsystem handled PIT     (Programmable Interval Timer) emulation. A guest user     who has access to the PIT I/O ports could use this flaw     to crash the host.

  - CVE-2014-3610: If the guest writes a noncanonical value     to certain MSR registers, KVM will write that value to     the MSR in the host context and a #GP will be raised     leading to kernel panic. A privileged guest user could     have used this flaw to crash the host.

  - CVE-2014-7841: A remote attacker could have used a flaw     in SCTP to crash the system by sending a maliciously     prepared SCTP packet in order to trigger a NULL pointer     dereference on the server.

  - CVE-2014-3673: The SCTP implementation in the Linux     kernel allowed remote attackers to cause a denial of     service (system crash) via a malformed ASCONF chunk,     related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c.

  - CVE-2014-3185: Multiple buffer overflows in the     command_port_read_callback function in     drivers/usb/serial/whiteheat.c in the Whiteheat USB     Serial Driver in the Linux kernel allowed physically     proximate attackers to execute arbitrary code or cause a     denial of service (memory corruption and system crash)     via a crafted device that provides a large amount of (1)     EHCI or (2) XHCI data associated with a bulk response.

Bugs fixed: BTRFS :

  - btrfs: fix race that makes btrfs_lookup_extent_info miss     skinny extent items (bnc#904077).

  - btrfs: fix invalid leaf slot access in     btrfs_lookup_extent() (bnc#904077).

  - btrfs: avoid returning -ENOMEM in convert_extent_bit()     too early (bnc#902016).

  - btrfs: make find_first_extent_bit be able to cache any     state (bnc#902016).

  - btrfs: deal with convert_extent_bit errors to avoid fs     corruption (bnc#902016).

  - btrfs: be aware of btree inode write errors to avoid fs     corruption (bnc#899551).

  - btrfs: add missing end_page_writeback on     submit_extent_page failure (bnc#899551).

  - btrfs: fix crash of btrfs_release_extent_buffer_page     (bnc#899551).

  - btrfs: ensure readers see new data after a clone     operation (bnc#898234).

  - btrfs: avoid visiting all extent items when cloning a     range (bnc#898234).

  - btrfs: fix clone to deal with holes when NO_HOLES     feature is enabled (bnc#898234).

  - btrfs: make fsync work after cloning into a file     (bnc#898234).

  - btrfs: fix use-after-free when cloning a trailing file     hole (bnc#898234).

  - btrfs: clone, don't create invalid hole extent map     (bnc#898234).

  - btrfs: limit the path size in send to PATH_MAX     (bnc#897770).

  - btrfs: send, fix more issues related to directory     renames (bnc#897770).

  - btrfs: send, remove dead code from
    __get_cur_name_and_parent (bnc#897770).

  - btrfs: send, account for orphan directories when     building path strings (bnc#897770).

  - btrfs: send, avoid unnecessary inode item lookup in the     btree (bnc#897770).

  - btrfs: send, fix incorrect ref access when using extrefs     (bnc#897770).

  - btrfs: send, build path string only once in send_hole     (bnc#897770).

  - btrfs: part 2, fix incremental send's decision to delay     a dir move/rename (bnc#897770).

  - btrfs: fix incremental send's decision to delay a dir     move/rename (bnc#897770).

  - btrfs: remove unnecessary inode generation lookup in     send (bnc#897770).

  - btrfs: avoid unnecessary utimes update in incremental     send (bnc#897770).

  - btrfs: fix send issuing outdated paths for utimes, chown     and chmod (bnc#897770).

  - btrfs: fix send attempting to rmdir non-empty     directories (bnc#897770).

  - btrfs: send, don't send rmdir for same target multiple     times (bnc#897770).

  - btrfs: incremental send, fix invalid path after dir     rename (bnc#897770).

  - btrfs: fix assert screwup for the pending move stuff     (bnc#897770).

  - btrfs: make some tree searches in send.c more efficient     (bnc#897770).

  - btrfs: use right extent item position in send when     finding extent clones (bnc#897770).

  - btrfs: more send support for parent/child dir     relationship inversion (bnc#897770).

  - btrfs: fix send dealing with file renames and directory     moves (bnc#897770).

  - btrfs: add missing error check in incremental send     (bnc#897770).

  - btrfs: make send's file extent item search more     efficient (bnc#897770).

  - btrfs: fix infinite path build loops in incremental send     (bnc#897770).

  - btrfs: send, don't delay dir move if there's a new     parent inode (bnc#897770).

  - btrfs: add helper btrfs_fdatawrite_range (bnc#902010).

  - btrfs: correctly flush compressed data before/after     direct IO (bnc#902010).

  - btrfs: make inode.c:compress_file_range() return void     (bnc#902010).

  - btrfs: report error after failure inlining extent in     compressed write path (bnc#902010).

  - btrfs: don't ignore compressed bio write errors     (bnc#902010).

  - btrfs: make inode.c:submit_compressed_extents() return     void (bnc#902010).

  - btrfs: process all async extents on compressed write     failure (bnc#902010).

  - btrfs: don't leak pages and memory on compressed write     error (bnc#902010).

  - btrfs: fix hang on compressed write error (bnc#902010).

  - btrfs: set page and mapping error on compressed write     failure (bnc#902010).

  - btrfs: fix kfree on list_head in     btrfs_lookup_csums_range error cleanup (bnc#904115).

Hyper-V :

  - hyperv: Fix a bug in netvsc_send().

  - hyperv: Fix a bug in netvsc_start_xmit().

  - drivers: hv: vmbus: Enable interrupt driven flow     control.

  - drivers: hv: vmbus: Properly protect calls to     smp_processor_id().

  - drivers: hv: vmbus: Cleanup hv_post_message().

  - drivers: hv: vmbus: Cleanup vmbus_close_internal().

  - drivers: hv: vmbus: Fix a bug in vmbus_open().

  - drivers: hv: vmbus: Cleanup vmbus_establish_gpadl().

  - drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl().

  - drivers: hv: vmbus: Cleanup vmbus_post_msg().

  - storvsc: get rid of overly verbose warning messages.

  - hyperv: NULL dereference on error.

  - hyperv: Increase the buffer length for     netvsc_channel_cb().

zSeries / S390 :

  - s390: pass march flag to assembly files as well     (bnc#903279, LTC#118177).

  - kernel: reduce function tracer overhead (bnc#903279,     LTC#118177).

  - SUNRPC: Handle EPIPE in xprt_connect_status     (bnc#901090).

  - SUNRPC: Ensure that we handle ENOBUFS errors correctly     (bnc#901090).

  - SUNRPC: Ensure call_connect_status() deals correctly     with SOFTCONN tasks (bnc#901090).

  - SUNRPC: Ensure that call_connect times out correctly     (bnc#901090).

  - SUNRPC: Handle connect errors ECONNABORTED and     EHOSTUNREACH (bnc#901090).

  - SUNRPC: Ensure xprt_connect_status handles all potential     connection errors (bnc#901090).

  - SUNRPC: call_connect_status should recheck bind and     connect status on error (bnc#901090).

kGraft :

  - kgr: force patching process to succeed (fate#313296).

  - kgr: usb-storage, mark kthread safe (fate#313296     bnc#899908).

  - Refresh patches.suse/kgr-0039-kgr-fix-ugly-race.patch.
    Fix few bugs, and also races (immutable vs     mark_processes vs other threads).

  - kgr: always use locked bit ops for thread_info->flags     (fate#313296).

  - kgr: lower the workqueue scheduling timeout (fate#313296     bnc#905087).

  - kgr: mark even more kthreads (fate#313296 bnc#904871).

  - rpm/kernel-binary.spec.in: Provide name-version-release     for kgraft packages (bnc#901925)

Other :

  - NFSv4: test SECINFO RPC_AUTH_GSS pseudoflavors for     support (bnc#905758).

  - Enable cmac(aes) and cmac(3des_ede) for FIPS mode     (bnc#905296 bnc#905772).

  - scsi_dh_alua: disable ALUA handling for non-disk devices     (bnc#876633).

  - powerpc/vphn: NUMA node code expects big-endian     (bsc#900126).

  - net: fix checksum features handling in     netif_skb_features() (bnc#891259).

  - be2net: Fix invocation of be_close() after be_clear()     (bnc#895468).

  - PCI: pciehp: Clear Data Link Layer State Changed during     init (bnc#898297).

  - PCI: pciehp: Use symbolic constants, not hard-coded     bitmask (bnc#898297).

  - PCI: pciehp: Use link change notifications for hot-plug     and removal (bnc#898297).

  - PCI: pciehp: Make check_link_active() non-static     (bnc#898297).

  - PCI: pciehp: Enable link state change notifications     (bnc#898297).

  - ALSA: hda - Treat zero connection as non-error     (bnc#902898).

  - bcache: add mutex lock for bch_is_open (bnc#902893).

  - futex: Fix a race condition between REQUEUE_PI and task     death (bcn #851603 (futex scalability series)).

  - Linux 3.12.31 (bnc#895983 bnc#897912).

  - futex: Ensure get_futex_key_refs() always implies a     barrier (bcn #851603 (futex scalability series)).

  - usbback: don't access request fields in shared ring more     than once.

  - Update Xen patches to 3.12.30.

  - locking/rwsem: Avoid double checking before try     acquiring write lock (Locking scalability.).

  - zcrypt: toleration of new crypto adapter hardware     (bnc#894057, LTC#117041).

  - zcrypt: support for extended number of ap domains     (bnc#894057, LTC#117041).

  - kABI: protect linux/fs.h include in mm/internal.h.

  - Linux 3.12.30 (FATE#315482 bnc#862957 bnc#863526     bnc#870498).

  - Update     patches.fixes/xfs-mark-all-internal-workqueues-as-freeza     ble.patch (bnc#899785).

  - xfs: mark all internal workqueues as freezable.

  - drm/i915: Move DP port disable to post_disable for pch     platforms (bnc#899787).

  - pagecachelimit: reduce lru_lock congestion for heavy     parallel reclaim fix (bnc#895680).

  - Linux 3.12.29 (bnc#879255 bnc#880892 bnc#887046     bnc#887418 bnc#891619 bnc#892612 bnc#892650 bnc#897101).

  - iommu/vt-d: Work around broken RMRR firmware entries     (bnc#892860).

  - iommu/vt-d: Store bus information in RMRR PCI device     path (bnc#892860).

  - iommu/vt-d: Only remove domain when device is removed     (bnc#883139).

  - driver core: Add BUS_NOTIFY_REMOVED_DEVICE event     (bnc#883139).

  - Update config files: Re-enable CONFIG_FUNCTION_PROFILER     (bnc#899489) Option FUNCTION_PROFILER was enabled in     debug and trace kernels so far, but it was accidentally     disabled before tracing features were merged into the     default kernel and the trace flavor was discarded. So     all kernels are missing the feature now. Re-enable it.

  - xfs: xlog_cil_force_lsn doesn't always wait correctly.

  - scsi: clear 'host_scribble' upon successful abort     (bnc#894863).

  - module: warn if module init + probe takes long     (bnc#889297 bnc#877622 bnc#889295 bnc#893454).

  - mm, THP: don't hold mmap_sem in khugepaged when     allocating THP (bnc#880767, VM Performance).

  - pagecache_limit: batch large nr_to_scan targets     (bnc#895221).

  - iommu/vt-d: Check return value of acpi_bus_get_device()     (bnc#903307).

  - rpm/kernel-binary.spec.in: Fix including the secure boot     cert in /etc/uefi/certs

  - sched: Reduce contention in update_cfs_rq_blocked_load()     (Scheduler/core performance).

  - x86: use optimized ioresource lookup in ioremap function     (Boot time optimisations (bnc#895387)).

  - x86: optimize resource lookups for ioremap (Boot time     optimisations (bnc#895387)).

  - usb: Do not re-read descriptors for wired devices in     usb_authorize_device() (bnc#904354).

  - netxen: Fix link event handling (bnc#873228).

  - x86, cpu: Detect more TLB configuration -xen (TLB     Performance).

  - x86/mm: Fix RCU splat from new TLB tracepoints (TLB     Performance).

  - x86/mm: Set TLB flush tunable to sane value (33) (TLB     Performance).

  - x86/mm: New tunable for single vs full TLB flush (TLB     Performance).

  - x86/mm: Add tracepoints for TLB flushes (TLB     Performance).

  - x86/mm: Unify remote INVLPG code (TLB Performance).

  - x86/mm: Fix missed global TLB flush stat (TLB     Performance).

  - x86/mm: Rip out complicated, out-of-date, buggy TLB     flushing (TLB Performance).

  - x86, cpu: Detect more TLB configuration (TLB     Performance).

  - mm, x86: Revisit tlb_flushall_shift tuning for page     flushes except on IvyBridge (TLB Performance).

  - x86/mm: Clean up the TLB flushing code (TLB     Performance).

  - mm: free compound page with correct order (VM     Functionality).

  - bnx2x: Utilize FW 7.10.51 (bnc#887382).

  - bnx2x: Remove unnecessary internal mem config     (bnc#887382).

  - rtnetlink: fix oops in     rtnl_link_get_slave_info_data_size (bnc#901774).

  - dm: do not call dm_sync_table() when creating new     devices (bnc#901809).

  - [media] uvc: Fix destruction order in uvc_delete()     (bnc#897736).

  - uas: replace WARN_ON_ONCE() with lockdep_assert_held()     (FATE#315595).

  - cxgb4/cxgb4vf: Add Devicde ID for two more adapter     (bsc#903999).

  - cxgb4/cxgb4vf: Add device ID for new adapter and remove     for dbg adapter (bsc#903999).

  - cxgb4: Adds device ID for few more Chelsio T4 Adapters     (bsc#903999).

  - cxgb4: Check if rx checksum offload is enabled, while     reading hardware calculated checksum (bsc#903999).

  - xen-pciback: drop SR-IOV VFs when PF driver unloads     (bsc#901839).

This update also includes fixes contained in the Linux 3.12.stable release series, not separately listed here.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was found that KVM's Write to Model Specific Register (WRMSR) instruction emulation would write non-canonical values passed in by the guest to certain MSRs in the host's context. A privileged guest user could use this flaw to crash the host. (CVE-2014-3610)

A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611)

Note: The following procedure must be performed before this update will take effect :

1) Stop all KVM guest virtual machines.

2) Either reboot the hypervisor machine or, as the root user, remove (using 'modprobe -r [module]') and reload (using 'modprobe [module]') all of the following modules which are currently running (determined using 'lsmod'): kvm, ksm, kvm-intel or kvm-amd.

3) Restart the KVM guest virtual machines.

or you may restart your system.

Updated kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel.

It was found that KVM's Write to Model Specific Register (WRMSR) instruction emulation would write non-canonical values passed in by the guest to certain MSRs in the host's context. A privileged guest user could use this flaw to crash the host. (CVE-2014-3610)

A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611)

Red Hat would like to thank Lars Bull of Google and Nadav Amit for reporting the CVE-2014-3610 issue, and Lars Bull of Google for reporting the CVE-2014-3611 issue.

All kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note: The procedure in the Solution section must be performed before this update will take effect.

From Red Hat Security Advisory 2015:0869 :

Updated kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel.

It was found that KVM's Write to Model Specific Register (WRMSR) instruction emulation would write non-canonical values passed in by the guest to certain MSRs in the host's context. A privileged guest user could use this flaw to crash the host. (CVE-2014-3610)

A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611)

Red Hat would like to thank Lars Bull of Google and Nadav Amit for reporting the CVE-2014-3610 issue, and Lars Bull of Google for reporting the CVE-2014-3611 issue.

All kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Note: The procedure in the Solution section must be performed before this update will take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.5 Extended Update Support.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important)

* A flaw was found in the way the Linux kernel's SCTP implementation validated INIT chunks when performing Address Configuration Change (ASCONF). A remote attacker could use this flaw to crash the system by sending a specially crafted SCTP packet to trigger a NULL pointer dereference on the system. (CVE-2014-7841, Important)

* A flaw was found in the way the ipc_rcu_putref() function in the Linux kernel's IPC implementation handled reference counter decrementing. A local, unprivileged user could use this flaw to trigger an Out of Memory (OOM) condition and, potentially, crash the system. (CVE-2013-4483, Moderate)

* A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3185, Moderate)

* It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invppid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646, Moderate)

* A flaw was found in the way the Linux kernel's netfilter subsystem handled generic protocol tracking. As demonstrated in the Stream Control Transmission Protocol (SCTP) case, a remote attacker could use this flaw to bypass intended iptables rule restrictions when the associated connection tracking module was not loaded on the system.
(CVE-2014-8160, Moderate)

Red Hat would like to thank Lars Bull of Google for reporting CVE-2014-3611, Vladimir Davydov (Parallels) for reporting CVE-2013-4483, and the Advanced Threat Research team at Intel Security for reporting CVE-2014-3645 and CVE-2014-3646. The CVE-2014-7841 issue was discovered by Liu Wei of Red Hat.

Bug fixes :

* When forwarding a packet, the iptables target TCPOPTSTRIP used the tcp_hdr() function to locate the option space. Consequently, TCPOPTSTRIP located the incorrect place in the packet, and therefore did not match options for stripping. TCPOPTSTRIP now uses the TCP header itself to locate the option space, and the options are now properly stripped. (BZ#1172026)

* The ipset utility computed incorrect values of timeouts from an old IP set, and these values were then supplied to a new IP set. A resize on an IP set with a timeouts option enabled could then supply corrupted data from an old IP set. This bug has been fixed by properly reading timeout values from an old set before supplying them to a new set. (BZ#1172763)

* Incorrect processing of errors from the BCM5719 LAN controller could result in incoming packets being dropped. Now, received errors are handled properly, and incoming packets are no longer randomly dropped.
(BZ#1180405)

* When the NVMe driver allocated a name-space queue, it was recognized as a request-based driver, whereas it was a BIO-based driver. While trying to access data during the loading of NVMe along with a request-based DM device, the system could terminate unexpectedly or become unresponsive. Now, NVMe does not set the QUEUE_FLAG_STACKABLE flag during the allocation of a name-space queue, and the system no longer attempts to insert a request into the queue, preventing a crash. (BZ#1180554)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

An updated rhev-hypervisor6 package that fixes multiple security issues is now available for Red Hat Enterprise Virtualization 3.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

A heap-based buffer overflow was found in glibc's
__nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)

A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611)

A flaw was found in the way OpenSSL handled fragmented handshake packets. A man-in-the-middle attacker could use this flaw to force a TLS/SSL server using OpenSSL to use TLS 1.0, even if both the client and the server supported newer protocol versions. (CVE-2014-3511)

A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server. (CVE-2014-3567)

It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invppid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646)

Red Hat would like to thank Qualys for reporting the CVE-2015-0235 issue, Lars Bull of Google for reporting the CVE-2014-3611 issue, and the Advanced Threat Research team at Intel Security for reporting the CVE-2014-3645 and CVE-2014-3646 issues.

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package.

Andy Lutomirski discovered that the Linux kernel does not properly handle faults associated with the Stack Segment (SS) register in the x86 architecture. A local attacker could exploit this flaw to gain administrative privileges. (CVE-2014-9322)

Lars Bull reported a race condition in the PIT (programmable interrupt timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. A local guest user with access to PIT i/o ports could exploit this flaw to cause a denial of service (crash) on the host.
(CVE-2014-3611)

Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual Machine) handles noncanonical writes to certain MSR registers.
A privileged guest user can exploit this flaw to cause a denial of service (kernel panic) on the host. (CVE-2014-3610)

Andy Lutomirski discovered an information leak in the Linux kernel's Thread Local Storage (TLS) implementation allowing users to bypass the espfix to obtain information that could be used to bypass the Address Space Layout Randomization (ASLR) protection mechanism. A local user could exploit this flaw to obtain potentially sensitive information from kernel memory. (CVE-2014-8133)

Prasad J Pandit reported a flaw in the rock_continue function of the Linux kernel's ISO 9660 CDROM file system. A local user could exploit this flaw to cause a denial of service (system crash or hang).
(CVE-2014-9420).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Lars Bull reported a race condition in the PIT (programmable interrupt timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. A local guest user with access to PIT i/o ports could exploit this flaw to cause a denial of service (crash) on the host.
(CVE-2014-3611)

Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual Machine) handles noncanonical writes to certain MSR registers.
A privileged guest user can exploit this flaw to cause a denial of service (kernel panic) on the host. (CVE-2014-3610).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2014-3185

Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allow physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.

CVE-2014-3611 Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation.

CVE-2014-3645 arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

CVE-2014-3646 arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application.

Impact

An attacker may be able to gain access to unauthorized information, perform unauthorized modification of data, or cause disruption of services. CVE-2014-3185 require physical access to the device.
CVE-2014-3611, CVE-2014-3645, and CVE-2014-3646 are considered local, as they are exploitable only by an authenticated user.

The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).

Multiple vulnerabilities has been found and corrected in the Linux kernel :

The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non-canonical address to a model-specific register, which allows guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c (CVE-2014-3610).

Race condition in the __kvm_migrate_pit_timer function in arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through 3.17.2 allows guest OS users to cause a denial of service (host OS crash) by leveraging incorrect PIT emulation (CVE-2014-3611).

arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.12 does not have an exit handler for the INVEPT instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application (CVE-2014-3645).

arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 does not have an exit handler for the INVVPID instruction, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application (CVE-2014-3646).

arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial of service (guest OS crash) via a crafted application (CVE-2014-3647).

The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c (CVE-2014-3673).

The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter (CVE-2014-3687).

arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU (CVE-2014-3690).

kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application (CVE-2014-7825).

kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application (CVE-2014-7826).

The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call (CVE-2014-7970).

The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601 (CVE-2014-8369).

The updated packages provides a solution for these security issues.

Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles noncanonical addresses when emulating instructions that change the rip (Instruction Pointer). A guest user with access to I/O or the MMIO can use this flaw to cause a denial of service (system crash) of the guest. (CVE-2014-3647)

A flaw was discovered with the handling of the invept instruction in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. An unprivileged guest user could exploit this flaw to cause a denial of service (system crash) on the guest. (CVE-2014-3646)

A flaw was discovered with invept instruction support when using nested EPT in the KVM (Kernel Virtual Machine). An unprivileged guest user could exploit this flaw to cause a denial of service (system crash) on the guest. (CVE-2014-3645)

Lars Bull reported a race condition in the PIT (programmable interrupt timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. A local guest user with access to PIT i/o ports could exploit this flaw to cause a denial of service (crash) on the host.
(CVE-2014-3611)

Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual Machine) handles noncanonical writes to certain MSR registers.
A privileged guest user can exploit this flaw to cause a denial of service (kernel panic) on the host. (CVE-2014-3610)

A flaw in the handling of malformed ASCONF chunks by SCTP (Stream Control Transmission Protocol) implementation in the Linux kernel was discovered. A remote attacker could exploit this flaw to cause a denial of service (system crash). (CVE-2014-3673)

A flaw in the handling of duplicate ASCONF chunks by SCTP (Stream Control Transmission Protocol) implementation in the Linux kernel was discovered. A remote attacker could exploit this flaw to cause a denial of service (panic). (CVE-2014-3687)

It was discovered that excessive queuing by SCTP (Stream Control Transmission Protocol) implementation in the Linux kernel can cause memory pressure. A remote attacker could exploit this flaw to cause a denial of service. (CVE-2014-3688)

A flaw was discovered in how the Linux kernel's KVM (Kernel Virtual Machine) subsystem handles the CR4 control register at VM entry on Intel processors. A local host OS user can exploit this to cause a denial of service (kill arbitrary processes, or system disruption) by leveraging /dev/kvm access. (CVE-2014-3690)

Don Bailey discovered a flaw in the LZO decompress algorithm used by the Linux kernel. An attacker could exploit this flaw to cause a denial of service (memory corruption or OOPS). (CVE-2014-4608)

It was discovered the Linux kernel's implementation of IPv6 did not properly validate arguments in the ipv6_select_ident function. A local user could exploit this flaw to cause a denial of service (system crash) by leveraging tun or macvtap device access. (CVE-2014-7207)

Andy Lutomirski discovered that the Linux kernel was not checking the CAP_SYS_ADMIN when remounting filesystems to read-only. A local user could exploit this flaw to cause a denial of service (loss of writability). (CVE-2014-7975).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The 3.14.23 stable update contains a number of important fixes across the tree. Various security fixes for KVM and SCTP

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important)

* A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3185, Moderate)

* It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invppid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646, Moderate)

Red Hat would like to thank Lars Bull of Google for reporting CVE-2014-3611, and the Advanced Threat Research team at Intel Security for reporting CVE-2014-3645 and CVE-2014-3646.

This update also fixes the following bugs :

* This update fixes several race conditions between PCI error recovery callbacks and potential calls of the ifup and ifdown commands in the tg3 driver. When triggered, these race conditions could cause a kernel crash. (BZ#1142570)

* Previously, GFS2 failed to unmount a sub-mounted GFS2 file system if its parent was also a GFS2 file system. This problem has been fixed by adding the appropriate d_op->d_hash() routine call for the last component of the mount point path in the path name lookup mechanism code (namei). (BZ#1145193)

* Due to previous changes in the virtio-net driver, a Red Hat Enterprise Linux 6.6 guest was unable to boot with the 'mgr_rxbuf=off' option specified. This was caused by providing the page_to_skb() function with an incorrect packet length in the driver's Rx path. This problem has been fixed and the guest in the described scenario can now boot successfully. (BZ#1148693)

* When using one of the newer IPSec Authentication Header (AH) algorithms with Openswan, a kernel panic could occur. This happened because the maximum truncated ICV length was too small. To fix this problem, the MAX_AH_AUTH_LEN parameter has been set to 64.
(BZ#1149083)

* A bug in the IPMI driver caused the kernel to panic when an IPMI interface was removed using the hotmod script. The IPMI driver has been fixed to properly clean the relevant data when removing an IPMI interface. (BZ#1149578)

* Due to a bug in the IPMI driver, the kernel could panic when adding an IPMI interface that was previously removed using the hotmod script.
This update fixes this bug by ensuring that the relevant shadow structure is initialized at the right time. (BZ#1149580)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2014:1843 :

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important)

* A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3185, Moderate)

* It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invppid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646, Moderate)

Red Hat would like to thank Lars Bull of Google for reporting CVE-2014-3611, and the Advanced Threat Research team at Intel Security for reporting CVE-2014-3645 and CVE-2014-3646.

This update also fixes the following bugs :

* This update fixes several race conditions between PCI error recovery callbacks and potential calls of the ifup and ifdown commands in the tg3 driver. When triggered, these race conditions could cause a kernel crash. (BZ#1142570)

* Previously, GFS2 failed to unmount a sub-mounted GFS2 file system if its parent was also a GFS2 file system. This problem has been fixed by adding the appropriate d_op->d_hash() routine call for the last component of the mount point path in the path name lookup mechanism code (namei). (BZ#1145193)

* Due to previous changes in the virtio-net driver, a Red Hat Enterprise Linux 6.6 guest was unable to boot with the 'mgr_rxbuf=off' option specified. This was caused by providing the page_to_skb() function with an incorrect packet length in the driver's Rx path. This problem has been fixed and the guest in the described scenario can now boot successfully. (BZ#1148693)

* When using one of the newer IPSec Authentication Header (AH) algorithms with Openswan, a kernel panic could occur. This happened because the maximum truncated ICV length was too small. To fix this problem, the MAX_AH_AUTH_LEN parameter has been set to 64.
(BZ#1149083)

* A bug in the IPMI driver caused the kernel to panic when an IPMI interface was removed using the hotmod script. The IPMI driver has been fixed to properly clean the relevant data when removing an IPMI interface. (BZ#1149578)

* Due to a bug in the IPMI driver, the kernel could panic when adding an IPMI interface that was previously removed using the hotmod script.
This update fixes this bug by ensuring that the relevant shadow structure is initialized at the right time. (BZ#1149580)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

Security fixes :

  - A race condition flaw was found in the way the Linux     kernel's KVM subsystem handled PIT (Programmable     Interval Timer) emulation. A guest user who has access     to the PIT I/O ports could use this flaw to crash the     host. (CVE-2014-3611, Important)

  - A NULL pointer dereference flaw was found in the way the     Linux kernel's Stream Control Transmission Protocol     (SCTP) implementation handled simultaneous connections     between the same hosts. A remote attacker could use this     flaw to crash the system. (CVE-2014-5077, Important)

  - It was found that the Linux kernel's KVM subsystem did     not handle the VM exits gracefully for the invept     (Invalidate Translations Derived from EPT) and invvpid     (Invalidate Translations Based on VPID) instructions. On     hosts with an Intel processor and invept/invppid VM exit     support, an unprivileged guest user could use these     instructions to crash the guest. (CVE-2014-3645,     CVE-2014-3646, Moderate)

  - A use-after-free flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the system.
    (CVE-2014-4653, Moderate)

Bug fixes :

  - A known issue that could prevent Chelsio adapters using     the cxgb4 driver from being initialized on IBM POWER8     systems has been fixed. These adapters can now be used     on IBM POWER8 systems as expected.

  - When bringing a hot-added CPU online, the kernel did not     initialize a CPU mask properly, which could result in a     kernel panic. This update corrects the bug by ensuring     that the CPU mask is properly initialized and the     correct NUMA node selected.

  - The kernel could fail to bring a CPU online if the     hardware supported both, the acpi-cpufreq and     intel_pstate modules. This update ensures that the     acpi-cpufreq module is not loaded in the intel_pstate     module is loaded.

  - Due to a bug in the time accounting of the kernel     scheduler, a divide error could occur when hot adding a     CPU. To fix this problem, the kernel scheduler time     accounting has been reworked.

  - The kernel did not handle exceptions caused by an     invalid floating point control (FPC) register, resulting     in a kernel oops. This problem has been fixed by placing     the label to handle these exceptions to the correct     place in the code.

  - A previous change to the kernel for the PowerPC     architecture changed implementation of the     compat_sys_sendfile() function. Consequently, the 64-bit     sendfile() system call stopped working for files larger     than 2 GB on PowerPC. This update restores previous     behavior of sendfile() on PowerPC, and it again process     files bigger than 2 GB as expected.

  - Previously, the kernel scheduler could schedule a CPU     topology update even though the topology did not change.
    This could negatively affect the CPU load balancing,     cause degradation of the system performance, and     eventually result in a kernel oops. This problem has     been fixed by skipping the CPU topology update if the     topology has not actually changed.

  - Previously, recovery of a double-degraded RAID6 array     could, under certain circumstances, result in data     corruption. This could happen because the md driver was     using an optimization that is safe to use only for     single-degraded arrays. This update ensures that this     optimization is skipped during the recovery of     double-degraded RAID6 arrays.

The system must be rebooted for this update to take effect.

Description of changes:

kernel-uek [2.6.32-400.36.10.el6uek]
- USB: whiteheat: Added bounds checking for bulk command response (James Forshaw)  [Orabug: 19849336]  {CVE-2014-3185}
- HID: fix a couple of off-by-ones (Jiri Kosina)  [Orabug: 19849320]  {CVE-2014-3181} logging macros to functions (Joe Perches)  [Orabug: 19847630] {CVE-2014-3535} logging macros to functions (Joe Perches)  [Orabug: 19847630]
- vsprintf: Recursive vsnprintf: Add '%pV', struct va_format (Joe Perches)  [Orabug: 19847630]
- KVM: x86: Improve thread safety in pit (Andy Honig)  [Orabug: 19905688]  {CVE-2014-3611}

Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles noncanonical addresses when emulating instructions that change the rip (Instruction Pointer). A guest user with access to I/O or the MMIO can use this flaw to cause a denial of service (system crash) of the guest. (CVE-2014-3647)

A flaw was discovered with the handling of the invept instruction in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. An unprivileged guest user could exploit this flaw to cause a denial of service (system crash) on the guest. (CVE-2014-3646)

Lars Bull reported a race condition in the PIT (programmable interrupt timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. A local guest user with access to PIT i/o ports could exploit this flaw to cause a denial of service (crash) on the host.
(CVE-2014-3611)

Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual Machine) handles noncanonical writes to certain MSR registers.
A privileged guest user can exploit this flaw to cause a denial of service (kernel panic) on the host. (CVE-2014-3610).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Linux v3.17.2. A wide variety of fixes across the tree. Even more KVM CVE fixes CVE fixes for KVM and SCTP.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service :

  - CVE-2014-3610     Lars Bull of Google and Nadav Amit reported a flaw in     how KVM handles noncanonical writes to certain MSR     registers. A privileged guest user can exploit this flaw     to cause a denial of service (kernel panic) on the host.

  - CVE-2014-3611     Lars Bull of Google reported a race condition in the PIT     emulation code in KVM. A local guest user with access to     PIT i/o ports could exploit this flaw to cause a denial     of service (crash) on the host.

  - CVE-2014-3645/ CVE-2014-3646     The Advanced Threat Research team at Intel Security     discovered that the KVM subsystem did not handle the VM     exits gracefully for the invept (Invalidate Translations     Derived from EPT) and invvpid (Invalidate Translations     Based on VPID) instructions. On hosts with an Intel     processor and invept/invppid VM exit support, an     unprivileged guest user could use these instructions to     crash the guest.

  - CVE-2014-3647     Nadav Amit reported that KVM mishandles noncanonical     addresses when emulating instructions that change rip,     potentially causing a failed VM-entry. A guest user with     access to I/O or the MMIO can use this flaw to cause a     denial of service (system crash) of the guest.

  - CVE-2014-3673     Liu Wei of Red Hat discovered a flaw in     net/core/skbuff.c leading to a kernel panic when     receiving malformed ASCONF chunks. A remote attacker     could use this flaw to crash the system.

  - CVE-2014-3687     A flaw in the sctp stack was discovered leading to a     kernel panic when receiving duplicate ASCONF chunks. A     remote attacker could use this flaw to crash the system.

  - CVE-2014-3688     It was found that the sctp stack is prone to a remotely     triggerable memory pressure issue caused by excessive     queueing. A remote attacker could use this flaw to cause     denial-of-service conditions on the system.

  - CVE-2014-3690     Andy Lutomirski discovered that incorrect register     handling in KVM may lead to denial of service.

  - CVE-2014-7207     Several Debian developers reported an issue in the IPv6     networking subsystem. A local user with access to tun or     macvtap devices, or a virtual machine connected to such     a device, can cause a denial of service (system crash).

This update includes a bug fix related to CVE-2014-7207 that disables UFO (UDP Fragmentation Offload) in the macvtap, tun, and virtio_net drivers. This will cause migration of a running VM from a host running an earlier kernel version to a host running this kernel version to fail, if the VM has been assigned a virtio network device. In order to migrate such a VM, it must be shut down first.

Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles noncanonical addresses when emulating instructions that change the rip (Instruction Pointer). A guest user with access to I/O or the MMIO can use this flaw to cause a denial of service (system crash) of the guest. (CVE-2014-3647)

A flaw was discovered with the handling of the invept instruction in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. An unprivileged guest user could exploit this flaw to cause a denial of service (system crash) on the guest. (CVE-2014-3646)

Lars Bull reported a race condition in the PIT (programmable interrupt timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux kernel. A local guest user with access to PIT i/o ports could exploit this flaw to cause a denial of service (crash) on the host.
(CVE-2014-3611)

Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual Machine) handles noncanonical writes to certain MSR registers.
A privileged guest user can exploit this flaw to cause a denial of service (kernel panic) on the host. (CVE-2014-3610)

Raphael Geissert reported a NULL pointer dereference in the Linux kernel's CIFS client. A remote CIFS server could cause a denial of service (system crash) or possibly have other unspecified impact by deleting IPC$ share during resolution of DFS referrals.
(CVE-2014-7145).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

[2.6.39-400.215.12.el6uek]
- USB: whiteheat: Added bounds checking for bulk command response (James Forshaw)  [Orabug: 19849335]  {CVE-2014-3185}
- HID: fix a couple of off-by-ones (Jiri Kosina)  [Orabug: 19849318]  {CVE-2014-3181}
- KVM: x86: Improve thread safety in pit (Andy Honig)  [Orabug: 19905687]  {CVE-2014-3611}

Description of changes:

kernel-uek [3.8.13-44.1.4.el7uek]
- USB: whiteheat: Added bounds checking for bulk command response (James Forshaw)  [Orabug: 19849334]  {CVE-2014-3185}
- HID: fix a couple of off-by-ones (Jiri Kosina)  [Orabug: 19849317]  {CVE-2014-3181}
- kvm: vmx: handle invvpid vm exit gracefully (Petr Matousek) [Orabug: 19906300]  {CVE-2014-3646}
- nEPT: Nested INVEPT (Nadav Har'El)  [Orabug: 19906267] {CVE-2014-3645}
- KVM: x86: Improve thread safety in pit (Andy Honig)  [Orabug: 19905686]  {CVE-2014-3611}

Updated kernel packages that fix several security issues and bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important)

* A NULL pointer dereference flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled simultaneous connections between the same hosts. A remote attacker could use this flaw to crash the system. (CVE-2014-5077, Important)

* It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invppid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646, Moderate)

* A use-after-free flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system. (CVE-2014-4653, Moderate)

Red Hat would like to thank Lars Bull of Google for reporting CVE-2014-3611, and the Advanced Threat Research team at Intel Security for reporting CVE-2014-3645 and CVE-2014-3646.

Bug fixes :

* A known issue that could prevent Chelsio adapters using the cxgb4 driver from being initialized on IBM POWER8 systems has been fixed.
These adapters can now be used on IBM POWER8 systems as expected.
(BZ#1130548)

* When bringing a hot-added CPU online, the kernel did not initialize a CPU mask properly, which could result in a kernel panic. This update corrects the bug by ensuring that the CPU mask is properly initialized and the correct NUMA node selected. (BZ#1134715)

* The kernel could fail to bring a CPU online if the hardware supported both, the acpi-cpufreq and intel_pstate modules. This update ensures that the acpi-cpufreq module is not loaded in the intel_pstate module is loaded. (BZ#1134716)

* Due to a bug in the time accounting of the kernel scheduler, a divide error could occur when hot adding a CPU. To fix this problem, the kernel scheduler time accounting has been reworked. (BZ#1134717)

* The kernel did not handle exceptions caused by an invalid floating point control (FPC) register, resulting in a kernel oops. This problem has been fixed by placing the label to handle these exceptions to the correct place in the code. (BZ#1138733)

* A previous change to the kernel for the PowerPC architecture changed implementation of the compat_sys_sendfile() function. Consequently, the 64-bit sendfile() system call stopped working for files larger than 2 GB on PowerPC. This update restores previous behavior of sendfile() on PowerPC, and it again process files bigger than 2 GB as expected. (BZ#1139126)

* Previously, the kernel scheduler could schedule a CPU topology update even though the topology did not change. This could negatively affect the CPU load balancing, cause degradation of the system performance, and eventually result in a kernel oops. This problem has been fixed by skipping the CPU topology update if the topology has not actually changed. (BZ#1140300)

* Previously, recovery of a double-degraded RAID6 array could, under certain circumstances, result in data corruption. This could happen because the md driver was using an optimization that is safe to use only for single-degraded arrays. This update ensures that this optimization is skipped during the recovery of double-degraded RAID6 arrays. (BZ#1143850)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

From Red Hat Security Advisory 2014:1724 :

Updated kernel packages that fix several security issues and bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security fixes :

* A race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host. (CVE-2014-3611, Important)

* A NULL pointer dereference flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation handled simultaneous connections between the same hosts. A remote attacker could use this flaw to crash the system. (CVE-2014-5077, Important)

* It was found that the Linux kernel's KVM subsystem did not handle the VM exits gracefully for the invept (Invalidate Translations Derived from EPT) and invvpid (Invalidate Translations Based on VPID) instructions. On hosts with an Intel processor and invept/invppid VM exit support, an unprivileged guest user could use these instructions to crash the guest. (CVE-2014-3645, CVE-2014-3646, Moderate)

* A use-after-free flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. A local, privileged user could use this flaw to crash the system. (CVE-2014-4653, Moderate)

Red Hat would like to thank Lars Bull of Google for reporting CVE-2014-3611, and the Advanced Threat Research team at Intel Security for reporting CVE-2014-3645 and CVE-2014-3646.

Bug fixes :

* A known issue that could prevent Chelsio adapters using the cxgb4 driver from being initialized on IBM POWER8 systems has been fixed.
These adapters can now be used on IBM POWER8 systems as expected.
(BZ#1130548)

* When bringing a hot-added CPU online, the kernel did not initialize a CPU mask properly, which could result in a kernel panic. This update corrects the bug by ensuring that the CPU mask is properly initialized and the correct NUMA node selected. (BZ#1134715)

* The kernel could fail to bring a CPU online if the hardware supported both, the acpi-cpufreq and intel_pstate modules. This update ensures that the acpi-cpufreq module is not loaded in the intel_pstate module is loaded. (BZ#1134716)

* Due to a bug in the time accounting of the kernel scheduler, a divide error could occur when hot adding a CPU. To fix this problem, the kernel scheduler time accounting has been reworked. (BZ#1134717)

* The kernel did not handle exceptions caused by an invalid floating point control (FPC) register, resulting in a kernel oops. This problem has been fixed by placing the label to handle these exceptions to the correct place in the code. (BZ#1138733)

* A previous change to the kernel for the PowerPC architecture changed implementation of the compat_sys_sendfile() function. Consequently, the 64-bit sendfile() system call stopped working for files larger than 2 GB on PowerPC. This update restores previous behavior of sendfile() on PowerPC, and it again process files bigger than 2 GB as expected. (BZ#1139126)

* Previously, the kernel scheduler could schedule a CPU topology update even though the topology did not change. This could negatively affect the CPU load balancing, cause degradation of the system performance, and eventually result in a kernel oops. This problem has been fixed by skipping the CPU topology update if the topology has not actually changed. (BZ#1140300)

* Previously, recovery of a double-degraded RAID6 array could, under certain circumstances, result in data corruption. This could happen because the md driver was using an optimization that is safe to use only for single-degraded arrays. This update ensures that this optimization is skipped during the recovery of double-degraded RAID6 arrays. (BZ#1143850)

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

More KVM CVE fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2014-3611 is not available