http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=95389b08d93d5c06ec63ab49bd732b0069b7c35e

111298

36268

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.3

70095

USN-2378-1

USN-2379-1

https://bugzilla.redhat.com/show_bug.cgi?id=1140325

https://github.com/torvalds/linux/commit/95389b08d93d5c06ec63ab49bd732b0069b7c35e

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2     Voice Service driver for the Linux kernel 3.x, as used     in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to cause a denial of service (memory     corruption) or possibly have unspecified other impact     via a write request, as demonstrated by a     voice_svc_send_req buffer overflow.(CVE-2016-5343i1/4%0

  - A use-after-free flaw was found in the way the Linux     kernel's Advanced Linux Sound Architecture (ALSA)     implementation handled user controls. A local,     privileged user could use this flaw to crash the     system.(CVE-2014-4655i1/4%0

  - Race condition in the handle_to_path function in     fs/fhandle.c in the Linux kernel through 3.19.1 allows     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function.(CVE-2015-1420i1/4%0

  - A flaw was found in the way the Linux kernel's keys     subsystem handled the termination condition in the     associative array garbage collection functionality. A     local, unprivileged user could use this flaw to crash     the system.(CVE-2014-3631i1/4%0

  - A flaw was found in the ext4 subsystem. This     vulnerability is a use after free vulnerability was     found in __ext4_journal_stop(). Attackers could abuse     this to allow any code which attempts to deal with the     journal failure to be mishandled or not fail at all.
    This could lead to data corruption or     crashes.(CVE-2015-8961i1/4%0

  - Buffer overflow in the oz_cdev_write function in     drivers/staging/ozwpan/ozcdev.c in the Linux kernel     before 3.12 allows local users to cause a denial of     service or possibly have unspecified other impact via a     crafted write operation.(CVE-2013-4513i1/4%0

  - The nfnetlink_rcv_batch() function in     'net/netfilter/nfnetlink.c' in the Linux kernel before     4.5 does not check whether a batch message's length     field is large enough, which allows local users to     obtain sensitive information from kernel memory or     cause a denial of service (infinite loop or     out-of-bounds read) by leveraging the CAP_NET_ADMIN     capability.(CVE-2016-7917i1/4%0

  - Array index error in the kvm_vm_ioctl_create_vcpu     function in virt/kvm/kvm_main.c in the KVM subsystem in     the Linux kernel through 3.12.5 allows local users to     gain privileges via a large id value.(CVE-2013-4587i1/4%0

  - A leak of information was possible when issuing a     netlink command of the stack memory area leading up to     this function call. An attacker could use this to     determine stack information for use in a later     exploit.(CVE-2016-5243i1/4%0

  - An issue was discovered in the Linux kernel in the F2FS     filesystem code. A NULL pointer dereference in     fscrypt_do_page_crypto() in the fs/crypto/crypto.c     function can occur when operating on a file on a     corrupted f2fs image.(CVE-2018-14616i1/4%0

  - An out-of-bounds flaw was found in the kernel, where     the sco_sock_bind() function (bluetooth/sco) did not     check the length of its sockaddr parameter. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8575i1/4%0

  - A denial of service vulnerability was found in the     WhiteHEAT USB Serial Driver (whiteheat_attach function     in drivers/usb/serial/whiteheat.c). In the driver, the     COMMAND_PORT variable was hard coded and set to 4 (5th     element). The driver assumed that the number of ports     would always be 5 and used port number 5 as the command     port. However, when using a USB device in which the     number of ports was set to a number less than 5 (for     example, 3), the driver triggered a kernel NULL-pointer     dereference. A non-privileged attacker could use this     flaw to panic the host.(CVE-2015-5257i1/4%0

  - The LLC subsystem in the Linux kernel does not ensure     that a certain destructor exists in required     circumstances, which allows local users to cause a     denial of service (BUG_ON) or possibly have unspecified     other impact via crafted system calls.(CVE-2017-6345i1/4%0

  - A vulnerability was found in Linux kernel. There is an     information leak in file sound/core/timer.c of the     latest mainline Linux kernel. The stack object aEURoer1aEUR     has a total size of 32 bytes. Its field aEURoeeventaEUR and     aEURoevalaEUR both contain 4 bytes padding. These 8 bytes     padding bytes are sent to user without being     initialized.(CVE-2016-4578i1/4%0

  - An information leak flaw was found in the way the Linux     kernel changed certain segment registers and     thread-local storage (TLS) during a context switch. A     local, unprivileged user could use this flaw to leak     the user space TLS base address of an arbitrary     process.(CVE-2014-9419i1/4%0

  - A flaw was found in the way memory was being allocated     on the stack for user space binaries. If heap (or     different memory region) and stack memory regions were     adjacent to each other, an attacker could use this flaw     to jump over the stack guard gap, cause controlled     memory corruption on process stack or the adjacent     memory region, and thus increase their privileges on     the system. This is a kernel-side mitigation which     increases the stack guard gap size from one page to 1     MiB to make successful exploitation of this issue more     difficult.(CVE-2017-1000364i1/4%0

  - A flaw was found in the Linux kernel's handling of     clearing SELinux attributes on /proc/pid/attr files. An     empty (null) write to this file can crash the system by     causing the system to attempt to access unmapped kernel     memory.(CVE-2017-2618i1/4%0

  - A use-after-free vulnerability was found in ALSA pcm     layer, which allows local users to cause a denial of     service, memory corruption, or possibly other     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2016-9794i1/4%0

  - A flaw was found in the way the Linux kernel's floppy     driver handled user space provided data in certain     error code paths while processing FDRAWCMD IOCTL     commands. A local user with write access to /dev/fdX     could use this flaw to free (using the kfree()     function) arbitrary kernel memory. (CVE-2014-1737,     Important)t was found that the Linux kernel's floppy     driver leaked internal kernel memory addresses to user     space during the processing of the FDRAWCMD IOCTL     command. A local user with write access to /dev/fdX     could use this flaw to obtain information about the     kernel heap arrangement. (CVE-2014-1738, Low)Note: A     local user with write access to /dev/fdX could use     these two flaws (CVE-2014-1737 in combination with     CVE-2014-1738) to escalate their privileges on the     system.(CVE-2014-1737i1/4%0

  - An out-of-bounds memory access flaw was found in the     Linux kernel's aiptek USB tablet driver (aiptek_probe()     function in drivers/input/tablet/aiptek.c). The driver     assumed that the interface always had at least one     endpoint. By using a specially crafted USB device with     no endpoints on one of its interfaces, an unprivileged     user with physical access to the system could trigger a     kernel NULL pointer dereference, causing the system to     panic.(CVE-2015-7515i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's futex     subsystem handled the requeuing of certain Priority     Inheritance (PI) futexes. A local, unprivileged user     could use this flaw to escalate their privileges on the     system.(CVE-2014-3153)

  - An out-of-bounds write flaw was found in the way the     Apple Magic Mouse/Trackpad multi-touch driver handled     Human Interface Device (HID) reports with an invalid     size. An attacker with physical access to the system     could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-3181)

  - An out-of-bounds read flaw was found in the way the     Logitech Unifying receiver driver handled HID reports     with an invalid device_index value. An attacker with     physical access to the system could use this flaw to     crash the system or, potentially, escalate their     privileges on the system.(CVE-2014-3182)

  - Multiple out-of-bounds write flaws were found in the     way the Cherry Cymotion keyboard driver, KYE/Genius     device drivers, Logitech device drivers, Monterey     Genius KB29E keyboard driver, Petalynx Maxter remote     control driver, and Sunplus wireless desktop driver     handled HID reports with an invalid report descriptor     size. An attacker with physical access to the system     could use either of these flaws to write data past an     allocated memory buffer.(CVE-2014-3184)

  - A memory corruption flaw was found in the way the USB     ConnectTech WhiteHEAT serial driver processed     completion commands sent via USB Request Blocks     buffers. An attacker with physical access to the system     could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-3185)

  - It was found that Linux kernel's ptrace subsystem did     not properly sanitize the address-space-control bits     when the program-status word (PSW) was being set. On     IBM S/390 systems, a local, unprivileged user could use     this flaw to set address-space-control bits to the     kernel space, and thus gain read and write access to     kernel memory.(CVE-2014-3534)

  - A flaw was found in the way the Linux kernel's     kvm_iommu_map_pages() function handled IOMMU mapping     failures. A privileged user in a guest with an assigned     host device could use this flaw to crash the     host.(CVE-2014-3601)

  - It was found that KVM's Write to Model Specific     Register (WRMSR) instruction emulation would write     non-canonical values passed in by the guest to certain     MSRs in the host's context. A privileged guest user     could use this flaw to crash the host.(CVE-2014-3610)

  - A race condition flaw was found in the way the Linux     kernel's KVM subsystem handled PIT (Programmable     Interval Timer) emulation. A guest user who has access     to the PIT I/O ports could use this flaw to crash the     host.(CVE-2014-3611)

  - A flaw was found in the way the Linux kernel's keys     subsystem handled the termination condition in the     associative array garbage collection functionality. A     local, unprivileged user could use this flaw to crash     the system.(CVE-2014-3631)

  - It was found that the Linux kernel's KVM subsystem did     not handle the VM exits gracefully for the invept     (Invalidate Translations Derived from EPT)     instructions. On hosts with an Intel processor and     invept VM exit support, an unprivileged guest user     could use these instructions to crash the     guest.(CVE-2014-3645)

  - It was found that the Linux kernel's KVM subsystem did     not handle the VM exits gracefully for the invvpid     (Invalidate Translations Based on VPID) instructions.
    On hosts with an Intel processor and invppid VM exit     support, an unprivileged guest user could use these     instructions to crash the guest.(CVE-2014-3646)

  - A flaw was found in the way the Linux kernel's KVM     subsystem handled non-canonical addresses when     emulating instructions that change the RIP (for     example, branches or calls). A guest user with access     to an I/O or MMIO region could use this flaw to crash     the guest.(CVE-2014-3647)

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled malformed Address Configuration Change Chunks     (ASCONF). A remote attacker could use either of these     flaws to crash the system.(CVE-2014-3673)

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled duplicate Address Configuration Change Chunks     (ASCONF). A remote attacker could use either of these     flaws to crash the system.(CVE-2014-3687)

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled the association's output queue. A remote     attacker could send specially crafted packets that     would cause the system to use an excessive amount of     memory, leading to a denial of service.(CVE-2014-3688)

  - It was found that the Linux kernel's KVM implementation     did not ensure that the host CR4 control register value     remained unchanged across VM entries on the same     virtual CPU. A local, unprivileged user could use this     flaw to cause a denial of service on the     system.(CVE-2014-3690)

  - An out-of-bounds memory access flaw was found in the     Linux kernel's system call auditing implementation. On     a system with existing audit rules defined, a local,     unprivileged user could use this flaw to leak kernel     memory to user space or, potentially, crash the     system.(CVE-2014-3917)

  - A flaw was found in the way Linux kernel's Transparent     Huge Pages (THP) implementation handled non-huge page     migration. A local, unprivileged user could use this     flaw to crash the kernel by migrating transparent     hugepages.(CVE-2014-3940)

  - The capabilities implementation in the Linux kernel     before 3.14.8 does not properly consider that     namespaces are inapplicable to inodes, which allows     local users to bypass intended chmod restrictions by     first creating a user namespace, as demonstrated by     setting the setgid bit on a file with group ownership     of root.(CVE-2014-4014)

  - An information leak flaw was found in the RAM Disks     Memory Copy (rd_mcp) backend driver of the iSCSI Target     subsystem of the Linux kernel. A privileged user could     use this flaw to leak the contents of kernel memory to     an iSCSI initiator remote client.(CVE-2014-4027)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-0290 advisory.

  - arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before 3.17.2 on Intel processors does not     ensure that the value in the CR4 control register remains the same after a VM entry, which allows host OS     users to kill arbitrary processes or cause a denial of service (system disruption) by leveraging /dev/kvm     access, as demonstrated by PR_SET_TSC prctl calls within a modified copy of QEMU. (CVE-2014-3690)

  - The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows     local users to cause a denial of service (memory corruption or system crash) by accessing certain memory     locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage     migration, related to fs/proc/task_mmu.c and mm/mempolicy.c. (CVE-2014-3940)

  - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall     numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-     bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application. (CVE-2014-7825)

  - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall     numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial     of service (invalid pointer dereference) via a crafted application. (CVE-2014-7826)

  - Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17     allows local users to cause a denial of service (file unavailability) via a combination of a write action     and an F_SETFL fcntl operation for the O_DIRECT flag. (CVE-2014-8086)

  - net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack     entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols,     which allows remote attackers to bypass intended access restrictions via packets with disallowed port     numbers. (CVE-2014-8160)

  - The filesystem implementation in the Linux kernel before 3.13 performs certain operations on lists of     files with an inappropriate locking approach, which allows local users to cause a denial of service (soft     lockup or system crash) via unspecified use of Asynchronous I/O (AIO) operations. (CVE-2014-8172)

  - The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generic/pgtable.h in the Linux kernel     before 3.13 on NUMA systems does not properly determine whether a Page Middle Directory (PMD) entry is a     transparent huge-table entry, which allows local users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have unspecified other impact via a crafted MADV_WILLNEED     madvise system call that leverages the absence of a page-table lock. (CVE-2014-8173)

  - The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly     maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information     by reading packets. (CVE-2014-8709)

  - Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in     drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a     denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.
    (CVE-2014-8884)

  - The XFS implementation in the Linux kernel before 3.15 improperly uses an old size value during remote     attribute replacement, which allows local users to cause a denial of service (transaction overrun and data     corruption) or possibly gain privileges by leveraging XFS filesystem access. (CVE-2015-0274)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

* A flaw was found in the way the Linux kernel's SCTP implementation handled the association's output queue. A remote attacker could send specially crafted packets that would cause the system to use an excessive amount of memory, leading to a denial of service.
(CVE-2014-3688, Important)

* Two flaws were found in the way the Apple Magic Mouse/Trackpad multi- touch driver and the Minibox PicoLCD driver handled invalid HID reports. An attacker with physical access to the system could use these flaws to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3181, CVE-2014-3186, Moderate)

* A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3185, Moderate)

* A flaw was found in the way the Linux kernel's keys subsystem handled the termination condition in the associative array garbage collection functionality. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-3631, Moderate)

* Multiple flaws were found in the way the Linux kernel's ALSA implementation handled user controls. A local, privileged user could use either of these flaws to crash the system. (CVE-2014-4654, CVE-2014-4655, CVE-2014-4656, Moderate)

* A flaw was found in the way the Linux kernel's VFS subsystem handled reference counting when performing unmount operations on symbolic links. A local, unprivileged user could use this flaw to exhaust all available memory on the system or, potentially, trigger a use-after-free error, resulting in a system crash or privilege escalation. (CVE-2014-5045, Moderate)

* A flaw was found in the way the get_dumpable() function return value was interpreted in the ptrace subsystem of the Linux kernel. When 'fs.suid_dumpable' was set to 2, a local, unprivileged local user could use this flaw to bypass intended ptrace restrictions and obtain potentially sensitive information. (CVE-2013-2929, Low)

* A stack overflow flaw caused by infinite recursion was found in the way the Linux kernel's UDF file system implementation processed indirect ICBs. An attacker with physical access to the system could use a specially crafted UDF image to crash the system. (CVE-2014-6410, Low)

* An information leak flaw in the way the Linux kernel handled media device enumerate entities IOCTL requests could allow a local user able to access the /dev/media0 device file to leak kernel memory bytes.
(CVE-2014-1739, Low)

* An out-of-bounds read flaw in the Logitech Unifying receiver driver could allow an attacker with physical access to the system to crash the system or, potentially, escalate their privileges on the system.
(CVE-2014-3182, Low)

* Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled invalid HID reports. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer.
(CVE-2014-3184, Low)

* An information leak flaw was found in the RAM Disks Memory Copy (rd_mcp) back end driver of the iSCSI Target subsystem could allow a privileged user to leak the contents of kernel memory to an iSCSI initiator remote client. (CVE-2014-4027, Low)

* An information leak flaw in the Linux kernel's ALSA implementation could allow a local, privileged user to leak kernel memory to user space. (CVE-2014-4652, Low)

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* A flaw was found in the way the Linux kernel's SCTP implementation handled malformed or duplicate Address Configuration Change Chunks (ASCONF). A remote attacker could use either of these flaws to crash the system. (CVE-2014-3673, CVE-2014-3687, Important)

* A flaw was found in the way the Linux kernel's SCTP implementation handled the association's output queue. A remote attacker could send specially crafted packets that would cause the system to use an excessive amount of memory, leading to a denial of service.
(CVE-2014-3688, Important)

* Two flaws were found in the way the Apple Magic Mouse/Trackpad multi-touch driver and the Minibox PicoLCD driver handled invalid HID reports. An attacker with physical access to the system could use these flaws to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3181, CVE-2014-3186, Moderate)

* A memory corruption flaw was found in the way the USB ConnectTech WhiteHEAT serial driver processed completion commands sent via USB Request Blocks buffers. An attacker with physical access to the system could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-3185, Moderate)

* A flaw was found in the way the Linux kernel's keys subsystem handled the termination condition in the associative array garbage collection functionality. A local, unprivileged user could use this flaw to crash the system. (CVE-2014-3631, Moderate)

* Multiple flaws were found in the way the Linux kernel's ALSA implementation handled user controls. A local, privileged user could use either of these flaws to crash the system. (CVE-2014-4654, CVE-2014-4655, CVE-2014-4656, Moderate)

* A flaw was found in the way the Linux kernel's VFS subsystem handled reference counting when performing unmount operations on symbolic links. A local, unprivileged user could use this flaw to exhaust all available memory on the system or, potentially, trigger a use-after-free error, resulting in a system crash or privilege escalation. (CVE-2014-5045, Moderate)

* A flaw was found in the way the get_dumpable() function return value was interpreted in the ptrace subsystem of the Linux kernel. When 'fs.suid_dumpable' was set to 2, a local, unprivileged local user could use this flaw to bypass intended ptrace restrictions and obtain potentially sensitive information. (CVE-2013-2929, Low)

* A stack overflow flaw caused by infinite recursion was found in the way the Linux kernel's UDF file system implementation processed indirect ICBs. An attacker with physical access to the system could use a specially crafted UDF image to crash the system. (CVE-2014-6410, Low)

* An information leak flaw in the way the Linux kernel handled media device enumerate entities IOCTL requests could allow a local user able to access the /dev/media0 device file to leak kernel memory bytes.
(CVE-2014-1739, Low)

* An out-of-bounds read flaw in the Logitech Unifying receiver driver could allow an attacker with physical access to the system to crash the system or, potentially, escalate their privileges on the system.
(CVE-2014-3182, Low)

* Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled invalid HID reports. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer.
(CVE-2014-3184, Low)

* An information leak flaw was found in the RAM Disks Memory Copy (rd_mcp) back end driver of the iSCSI Target subsystem could allow a privileged user to leak the contents of kernel memory to an iSCSI initiator remote client. (CVE-2014-4027, Low)

* An information leak flaw in the Linux kernel's ALSA implementation could allow a local, privileged user to leak kernel memory to user space. (CVE-2014-4652, Low)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-1971 advisory.

  - The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users     to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a     crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. (CVE-2013-2929)

  - The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux     kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows     local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by     leveraging /dev/snd/controlCX access for an ioctl call. (CVE-2014-4654)

  - The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux     kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to     cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for     a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (CVE-2014-4655)

  - The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a     certain reference count during attempts to use the umount system call in conjunction with a symlink, which     allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have     unspecified other impact via the umount program. (CVE-2014-5045)

  - Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in     the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allow physically proximate attackers to     execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted     device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response.
    (CVE-2014-3185)

  - Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c     in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allow physically proximate attackers to     cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that     provides a large amount of (1) EHCI or (2) XHCI data associated with an event. (CVE-2014-3181)

  - The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux     kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF     chunks that trigger an incorrect uncork within the side-effect interpreter. (CVE-2014-3687)

  - The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of     service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and     net/sctp/sm_statefuns.c. (CVE-2014-3673)

  - The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 might allow physically     proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides     a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3)     drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6)     drivers/hid/hid-sunplus.c. (CVE-2014-3184)

  - The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6     does not initialize a certain data structure, which allows local users to obtain sensitive information     from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
    (CVE-2014-1739)

  - Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel     before 3.16.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service     (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value.
    (CVE-2014-3182)

  - Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID     device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allows physically     proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a     crafted device that sends a large report. (CVE-2014-3186)

  - The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux     kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a     denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact     via multiple keyctl newring operations followed by a keyctl timeout operation. (CVE-2014-3631)

  - The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of     service (memory consumption) by triggering a large number of chunks in an association's output queue, as     demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c. (CVE-2014-3688)

  - The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does     not properly initialize a certain data structure, which allows local users to obtain sensitive information     from ramdisk_mcp memory by leveraging access to a SCSI initiator. (CVE-2014-4027)

  - Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in     sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local     users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
    (CVE-2014-4652)

  - Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel     before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access,     related to (1) index values in the snd_ctl_add function and (2) numid values in the     snd_ctl_remove_numid_conflict function. (CVE-2014-4656)

  - The __udf_read_inode function in fs/udf/inode.c in the Linux kernel through 3.16.3 does not restrict the     amount of ICB indirection, which allows physically proximate attackers to cause a denial of service     (infinite loop or stack consumption) via a UDF filesystem with a crafted inode. (CVE-2014-6410)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Steven Vittitoe reported multiple stack buffer overflows in Linux kernel's magicmouse HID driver. A physically proximate attacker could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code via specially crafted devices.
(CVE-2014-3181)

Ben Hawkes reported some off by one errors for report descriptors in the Linux kernel's HID stack. A physically proximate attacker could exploit these flaws to cause a denial of service (out-of-bounds write) via a specially crafted device. (CVE-2014-3184)

Several bounds check flaws allowing for buffer overflows were discovered in the Linux kernel's Whiteheat USB serial driver. A physically proximate attacker could exploit these flaws to cause a denial of service (system crash) via a specially crafted device.
(CVE-2014-3185)

Steven Vittitoe reported a buffer overflow in the Linux kernel's PicoLCD HID device driver. A physically proximate attacker could exploit this flaw to cause a denial of service (system crash) or possibly execute arbitrary code via a specially craft device.
(CVE-2014-3186)

A flaw was discovered in the Linux kernel's associative-array garbage collection implementation. A local user could exploit this flaw to cause a denial of service (system crash) or possibly have other unspecified impact by using keyctl operations. (CVE-2014-3631)

A flaw was discovered in the Linux kernel's UDF filesystem (used on some CD-ROMs and DVDs) when processing indirect ICBs. An attacker who can cause CD, DVD or image file with a specially crafted inode to be mounted can cause a denial of service (infinite loop or stack consumption). (CVE-2014-6410)

James Eckersall discovered a buffer overflow in the Ceph filesystem in the Linux kernel. A remote attacker could exploit this flaw to cause a denial of service (memory consumption and panic) or possibly have other unspecified impact via a long unencrypted auth ticket.
(CVE-2014-6416)

James Eckersall discovered a flaw in the handling of memory allocation failures in the Ceph filesystem. A remote attacker could exploit this flaw to cause a denial of service (system crash) or possibly have unspecified other impact. (CVE-2014-6417)

James Eckersall discovered a flaw in how the Ceph filesystem validates auth replies. A remote attacker could exploit this flaw to cause a denial of service (system crash) or possibly have other unspecified impact. (CVE-2014-6418).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fix CVE-2014-3631

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
125301	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1508)	Nessus	Huawei Local Security Checks	high
124804	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1480)	Nessus	Huawei Local Security Checks	high
81800	Oracle Linux 7 : kernel (ELSA-2015-0290)	Nessus	Oracle Linux Local Security Checks	high
80014	Scientific Linux Security Update : kernel on SL7.x x86_64 (20141209)	Nessus	Scientific Linux Local Security Checks	high
79876	CentOS 7 : kernel (CESA-2014:1971)	Nessus	CentOS Local Security Checks	high
79848	RHEL 7 : kernel (RHSA-2014:1971)	Nessus	Red Hat Local Security Checks	high
79845	Oracle Linux 7 : kernel (ELSA-2014-1971)	Nessus	Oracle Linux Local Security Checks	high
78259	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2379-1)	Nessus	Ubuntu Local Security Checks	high
78258	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2378-1)	Nessus	Ubuntu Local Security Checks	high
77794	Fedora 21 : kernel-3.16.2-301.fc21 (2014-10693)	Nessus	Fedora Local Security Checks	high

CVE-2014-3631

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high