http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=223b02d923ecd7c84cf9780bb3686f455d279279

[netfilter-devel] 20140526 OOPS NULL pointer dereference in nf_nat_setup_info+0x471 (reproductible, 3.14.4)

RHSA-2015:1534

RHSA-2015:1564

DSA-3237

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.5

[oss-security] 20150407 CVE request netfilter connection tracking accounting.

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

73953

1032415

https://bugzilla.redhat.com/show_bug.cgi?id=1208684

https://github.com/torvalds/linux/commit/223b02d923ecd7c84cf9780bb3686f455d279279

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow flaw was found in the way the Linux     kernel's netfilter connection tracking implementation     loaded extensions. An attacker on a local network could     potentially send a sequence of specially crafted     packets that would initiate the loading of a large     number of extensions, causing the targeted system in     that network to crash.(CVE-2014-9715i1/4%0

  - A flaw was found in the Linux kernel which could cause     a kernel panic when restoring machine specific     registers on the PowerPC platform. Incorrect     transactional memory state registers could     inadvertently change the call path on return from     userspace and cause the kernel to enter an unknown     state and crash.(CVE-2015-8844i1/4%0

  - A timing flaw was found in the Chrome EC driver in the     Linux kernel. An attacker could abuse timing to skip     validation checks to copy additional data from     userspace possibly increasing privilege or crashing the     system.(CVE-2016-6156i1/4%0

  - A race condition flaw was found in the way the Linux     kernel's IPC subsystem initialized certain fields in an     IPC object structure that were later used for     permission checking before inserting the object into a     globally visible list. A local, unprivileged user could     potentially use this flaw to elevate their privileges     on the system.(CVE-2015-7613i1/4%0

  - A path length checking flaw was found in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support. An     attacker able to mount a corrupted/malicious UDF file     system image could use this flaw to leak kernel memory     to user-space.(CVE-2014-9731i1/4%0

  - A race condition leading to a NULL pointer dereference     was found in the Linux kernel's Link Layer Control     implementation. A local attacker with access to ping     sockets could use this flaw to crash the     system.(CVE-2017-2671i1/4%0

  - The f2fs implementation in the Linux kernel, before     4.14, mishandles reference counts associated with     f2fs_wait_discard_bios calls. This allows local users     to cause a denial of service (BUG), as demonstrated by     fstrim.(CVE-2017-18200i1/4%0

  - The LIST_POISON feature in include/linux/poison.h in     the Linux kernel before 4.3, as used in Android 6.0.1     before 2016-03-01, does not properly consider the     relationship to the mmap_min_addr value, which makes it     easier for attackers to bypass a poison-pointer     protection mechanism by triggering the use of an     uninitialized list entry, aka Android internal bug     26186802, a different vulnerability than     CVE-2015-3636.(CVE-2016-0821i1/4%0

  - The xsave/xrstor implementation in     arch/x86/include/asm/xsave.h in the Linux kernel before     3.19.2 creates certain .altinstr_replacement pointers     and consequently does not provide any protection     against instruction faulting, which allows local users     to cause a denial of service (panic) by triggering a     fault, as demonstrated by an unaligned memory operand     or a non-canonical address memory     operand.(CVE-2015-2672i1/4%0

  - The n_tty_write function in drivers/tty/n_tty.c in the     Linux kernel through 3.14.3 does not properly manage     tty driver access in the 'LECHO i1/4+ !OPOST' case, which     allows local users to cause a denial of service (memory     corruption and system crash) or gain privileges by     triggering a race condition involving read and write     operations with long strings.(CVE-2014-0196i1/4%0

  - In the Linux kernel through 4.14.13,     drivers/block/loop.c mishandles lo_release     serialization, which allows attackers to cause a denial     of service (__lock_acquire use-after-free) or possibly     have unspecified other impact.(CVE-2018-5344i1/4%0

  - The lbs_debugfs_write function in     drivers/net/wireless/libertas/debugfs.c in the Linux     kernel through 3.12.1 allows local users to cause a     denial of service (OOPS) by leveraging root privileges     for a zero-length write operation.(CVE-2013-6378i1/4%0

  - A NULL-pointer dereference vulnerability was discovered     in the Linux kernel. The kernel's Reliable Datagram     Sockets (RDS) protocol implementation did not verify     that an underlying transport existed before creating a     connection to a remote server. A local system user     could exploit this flaw to crash the system by creating     sockets at specific times to trigger a NULL pointer     dereference.(CVE-2015-6937i1/4%0

  - A stack buffer overflow flaw was found in the way the     Bluetooth subsystem of the Linux kernel processed     pending L2CAP configuration responses from a client. On     systems with the stack protection feature enabled in     the kernel (CONFIG_CC_STACKPROTECTOR=y, which is     enabled on all architectures other than s390x and     ppc64le), an unauthenticated attacker able to initiate     a connection to a system via Bluetooth could use this     flaw to crash the system. Due to the nature of the     stack protection feature, code execution cannot be     fully ruled out, although we believe it is unlikely. On     systems without the stack protection feature (ppc64le     the Bluetooth modules are not built on s390x), an     unauthenticated attacker able to initiate a connection     to a system via Bluetooth could use this flaw to     remotely execute arbitrary code on the system with ring     0 (kernel) privileges.(CVE-2017-1000251i1/4%0

  - Integer signedness error in the MSM QDSP6 audio driver     for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to gain     privileges or cause a denial of service (memory     corruption) via a crafted application that makes an     ioctl call.(CVE-2016-2066i1/4%0

  - The bcm_char_ioctl function in     drivers/staging/bcm/Bcmchar.c in the Linux kernel     before 3.12 does not initialize a certain data     structure, which allows local users to obtain sensitive     information from kernel memory via an     IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl     call.(CVE-2013-4515i1/4%0

  - A flaw was found in the way the Linux kernel's Stream     Control Transmission Protocol (SCTP) implementation     handled malformed Address Configuration Change Chunks     (ASCONF). A remote attacker could use either of these     flaws to crash the system.(CVE-2014-3673i1/4%0

  - It was found that paravirt_patch_call/jump() functions     in the arch/x86/kernel/paravirt.c in the Linux kernel     mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtualized guests.(CVE-2018-15594i1/4%0

  - It was found that the Linux kernel's KVM implementation     did not ensure that the host CR4 control register value     remained unchanged across VM entries on the same     virtual CPU. A local, unprivileged user could use this     flaw to cause a denial of service on the     system.(CVE-2014-3690i1/4%0

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in     jbd2_journal_dirty_metadata(), a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10883i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way the Linux kernel's Crypto     subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed     kernel module, and thus increase the attack surface of     the running kernel.(CVE-2014-9644)

  - The Btrfs implementation in the Linux kernel before     3.19 does not ensure that the visible xattr state is     consistent with a requested replacement, which allows     local users to bypass intended ACL settings and gain     privileges via standard filesystem operations (1)     during an xattr-replacement time window, related to a     race condition, or (2) after an xattr-replacement     attempt that fails because the data does not     fit.(CVE-2014-9710)

  - An integer overflow flaw was found in the way the Linux     kernel's netfilter connection tracking implementation     loaded extensions. An attacker on a local network could     potentially send a sequence of specially crafted     packets that would initiate the loading of a large     number of extensions, causing the targeted system in     that network to crash.(CVE-2014-9715)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9728)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9729)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9730)

  - A path length checking flaw was found in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support. An     attacker able to mount a corrupted/malicious UDF file     system image could use this flaw to leak kernel memory     to user-space.(CVE-2014-9731)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - drivers/media/media-device.c in the Linux kernel before     3.11, as used in Android before 2016-08-05 on Nexus 5     and 7 (2013) devices, does not properly initialize     certain data structures, which allows local users to     obtain sensitive information via a crafted application,     aka Android internal bug 28750150 and Qualcomm internal     bug CR570757, a different vulnerability than     CVE-2014-1739.(CVE-2014-9895)

  - The ethtool_get_wol function in net/core/ethtool.c in     the Linux kernel through 4.7, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     initialize a certain data structure, which allows local     users to obtain sensitive information via a crafted     application, aka Android internal bug 28803952 and     Qualcomm internal bug CR570754.(CVE-2014-9900)

  - The snd_compress_check_input function in     sound/core/compress_offload.c in the ALSA subsystem in     the Linux kernel before 3.17 does not properly check     for an integer overflow, which allows local users to     cause a denial of service (insufficient memory     allocation) or possibly have unspecified other impact     via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl     call.(CVE-2014-9904)

  - A race condition in the ip4_datagram_release_cb     function in net/ipv4/datagram.c in the Linux kernel     allows local users to gain privileges or cause a denial     of service (use-after-free) by leveraging incorrect     expectations about locking during multithreaded access     to internal data structures for IPv4 UDP     sockets.(CVE-2014-9914)

  - A flaw was discovered in the way the kernel allows     stackable filesystems to overlay. A local attacker who     is able to mount filesystems can abuse this flaw to     escalate privileges.(CVE-2014-9922)

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.(CVE-2014-9940)

  - It was found that the Linux kernel KVM subsystem's     sysenter instruction emulation was not sufficient. An     unprivileged guest user could use this flaw to escalate     their privileges by tricking the hypervisor to emulate     a SYSENTER instruction in 16-bit mode, if the guest OS     did not initialize the SYSENTER model-specific     registers (MSRs). Note: Certified guest operating     systems for Red Hat Enterprise Linux with KVM do     initialize the SYSENTER MSRs and are thus not     vulnerable to this issue when running on a KVM     hypervisor.(CVE-2015-0239)

  - A flaw was found in the way the Linux kernel's XFS file     system handled replacing of remote attributes under     certain conditions. A local user with access to XFS     file system mount could potentially use this flaw to     escalate their privileges on the system.(CVE-2015-0274)

  - A flaw was found in the way the Linux kernel's ext4     file system handled the 'page size i1/4z block size'     condition when the fallocate zero range functionality     was used. A local attacker could use this flaw to crash     the system.(CVE-2015-0275)

  - It was found that the Linux kernel's keyring     implementation would leak memory when adding a key to a     keyring via the add_key() function. A local attacker     could use this flaw to exhaust all available memory on     the system.(CVE-2015-1333)

  - Race condition in the handle_to_path function in     fs/fhandle.c in the Linux kernel through 3.19.1 allows     local users to bypass intended size restrictions and     trigger read operations on additional memory locations     by changing the handle_bytes value of a file handle     during the execution of this function.(CVE-2015-1420)

  - A use-after-free flaw was found in the way the Linux     kernel's SCTP implementation handled authentication key     reference counting during INIT collisions. A remote     attacker could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2015-1421)

  - The IPv4 implementation in the Linux kernel before     3.18.8 does not properly consider the length of the     Read-Copy Update (RCU) grace period for redirecting     lookups in the absence of caching, which allows remote     attackers to cause a denial of service (memory     consumption or system crash) via a flood of     packets.(CVE-2015-1465)

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573)

  - An integer overflow flaw was found in the way the Linux     kernel randomized the stack for processes on certain     64-bit architecture systems, such as x86-64, causing     the stack entropy to be reduced by four.(CVE-2015-1593)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0037 for details.

The openSUSE 13.1 kernel was updated to receive various security and bugfixes.

Following security bugs were fixed :

  - CVE-2016-0728: A reference leak in keyring handling with     join_session_keyring() could lead to local attackers     gain root privileges. (bsc#962075).

  - CVE-2015-7550: A local user could have triggered a race     between read and revoke in keyctl (bnc#958951).

  - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect     functions in drivers/net/ppp/pptp.c in the Linux kernel     did not verify an address length, which allowed local     users to obtain sensitive information from kernel memory     and bypass the KASLR protection mechanism via a crafted     application (bnc#959190).

  - CVE-2015-8543: The networking implementation in the     Linux kernel did not validate protocol identifiers for     certain protocol families, which allowed local users to     cause a denial of service (NULL function pointer     dereference and system crash) or possibly gain     privileges by leveraging CLONE_NEWUSER support to     execute a crafted SOCK_RAW application (bnc#958886).

  - CVE-2014-8989: The Linux kernel did not properly     restrict dropping of supplemental group memberships in     certain namespace scenarios, which allowed local users     to bypass intended file permissions by leveraging a     POSIX ACL containing an entry for the group category     that is more restrictive than the entry for the other     category, aka a 'negative groups' issue, related to     kernel/groups.c, kernel/uid16.c, and     kernel/user_namespace.c (bnc#906545).

  - CVE-2015-5157: arch/x86/entry/entry_64.S in the Linux     kernel on the x86_64 platform mishandles IRET faults in     processing NMIs that occurred during userspace     execution, which might allow local users to gain     privileges by triggering an NMI (bnc#937969).

  - CVE-2015-7799: The slhc_init function in     drivers/net/slip/slhc.c in the Linux kernel through     4.2.3 did not ensure that certain slot numbers are     valid, which allowed local users to cause a denial of     service (NULL pointer dereference and system crash) via     a crafted PPPIOCSMAXCID ioctl call (bnc#949936).

  - CVE-2015-8104: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #DB (aka Debug)     exceptions, related to svm.c (bnc#954404).

  - CVE-2015-5307: The KVM subsystem in the Linux kernel     through 4.2.6, and Xen 4.3.x through 4.6.x, allowed     guest OS users to cause a denial of service (host OS     panic or hang) by triggering many #AC (aka Alignment     Check) exceptions, related to svm.c and vmx.c     (bnc#953527).

  - CVE-2014-9529: Race condition in the key_gc_unused_keys     function in security/keys/gc.c in the Linux kernel     allowed local users to cause a denial of service (memory     corruption or panic) or possibly have unspecified other     impact via keyctl commands that trigger access to a key     structure member during garbage collection of a key     (bnc#912202).

  - CVE-2015-7990: Race condition in the rds_sendmsg     function in net/rds/sendmsg.c in the Linux kernel     allowed local users to cause a denial of service (NULL     pointer dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound. NOTE: this vulnerability exists because     of an incomplete fix for CVE-2015-6937 (bnc#952384     953052).

  - CVE-2015-6937: The __rds_conn_create function in     net/rds/connection.c in the Linux kernel allowed local     users to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact by using a socket that was not     properly bound (bnc#945825).

  - CVE-2015-7885: The dgnc_mgmt_ioctl function in     drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel     through 4.3.3 did not initialize a certain structure     member, which allowed local users to obtain sensitive     information from kernel memory via a crafted application     (bnc#951627).

  - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in     the Linux kernel did not validate attempted changes to     the MTU value, which allowed context-dependent attackers     to cause a denial of service (packet loss) via a value     that is (1) smaller than the minimum compliant value or     (2) larger than the MTU of an interface, as demonstrated     by a Router Advertisement (RA) message that is not     validated by a daemon, a different vulnerability than     CVE-2015-0272. NOTE: the scope of CVE-2015-0272 is     limited to the NetworkManager product (bnc#955354).

  - CVE-2015-8767: A case can occur when sctp_accept() is     called by the user during a heartbeat timeout event     after the 4-way handshake. Since sctp_assoc_migrate()     changes both assoc->base.sk and assoc->ep, the     bh_sock_lock in sctp_generate_heartbeat_event() will be     taken with the listening socket but released with the     new association socket. The result is a deadlock on any     future attempts to take the listening socket lock.
    (bsc#961509)

  - CVE-2015-8575: Validate socket address length in     sco_sock_bind() to prevent information leak     (bsc#959399).

  - CVE-2015-8551, CVE-2015-8552: xen/pciback: For     XEN_PCI_OP_disable_msi[|x] only disable if device has     MSI(X) enabled (bsc#957990).

  - CVE-2015-8550: Compiler optimizations in the XEN PV     backend drivers could have lead to double fetch     vulnerabilities, causing denial of service or arbitrary     code execution (depending on the configuration)     (bsc#957988).

The following non-security bugs were fixed :

  - ALSA: hda - Disable 64bit address for Creative HDA     controllers (bnc#814440).

  - ALSA: hda - Fix noise problems on Thinkpad T440s     (boo#958504).

  - Input: aiptek - fix crash on detecting device without     endpoints (bnc#956708).

  - KEYS: Make /proc/keys unconditional if CONFIG_KEYS=y     (boo#956934).

  - KVM: x86: update masterclock values on TSC writes     (bsc#961739).

  - NFS: Fix a NULL pointer dereference of migration     recovery ops for v4.2 client (bsc#960839).

  - apparmor: allow SYS_CAP_RESOURCE to be sufficient to     prlimit another task (bsc#921949).

  - blktap: also call blkif_disconnect() when frontend     switched to closed (bsc#952976).

  - blktap: refine mm tracking (bsc#952976).

  - cdrom: Random writing support for BD-RE media     (bnc#959568).

  - genksyms: Handle string literals with spaces in     reference files (bsc#958510).

  - ipv4: Do not increase PMTU with Datagram Too Big message     (bsc#955224).

  - ipv6: distinguish frag queues by device for multicast     and link-local packets (bsc#955422).

  - ipv6: fix tunnel error handling (bsc#952579).

  - route: Use ipv4_mtu instead of raw rt_pmtu (bsc#955224).

  - uas: Add response iu handling (bnc#954138).

  - usbvision fix overflow of interfaces array (bnc#950998).

  - x86/evtchn: make use of PHYSDEVOP_map_pirq.

  - xen/pciback: Do not allow MSI-X ops if     PCI_COMMAND_MEMORY is not set (bsc#957990 XSA-157).

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* An integer overflow flaw was found in the way the Linux kernel's netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially crafted packets that would initiate the loading of a large number of extensions, causing the targeted system in that network to crash. (CVE-2014-9715, Moderate)

* A stack-based buffer overflow flaw was found in the Linux kernel's early load microcode functionality. On a system with UEFI Secure Boot enabled, a local, privileged user could use this flaw to increase their privileges to the kernel (ring0) level, bypassing intended restrictions in place. (CVE-2015-2666, Moderate)

* It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate)

* It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets. (CVE-2015-2922, Low)

Red Hat would like to thank Nathan Hoad for reporting the CVE-2014-9715 issue.

The kernel-rt packages have been upgraded to version 3.10.0-229.11.1, which provides a number of bug fixes and enhancements over the previous version, including :

* drbg: Add stdrng alias and increase priority

* seqiv / eseqiv / chainiv: Move IV seeding into init function

* ipv4: kABI fix for 0bbf87d backport

* ipv4: Convert ipv4.ip_local_port_range to be per netns

* libceph: tcp_nodelay support

* ipr: Increase default adapter init stage change timeout

* fix use-after-free bug in usb_hcd_unlink_urb()

* libceph: fix double __remove_osd() problem

* ext4: fix data corruption caused by unwritten and delayed extents

* sunrpc: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT

* nfs: Fixing lease renewal (Benjamin Coddington)

* control hard lockup detection default

* Fix print-once on enable

* watchdog: update watchdog_thresh properly and watchdog attributes atomically

* module: Call module notifier on failure after complete_formation()

(BZ#1234470)

This update also fixes the following bugs :

* The megasas driver used the smp_processor_id() function within a preemptible context, which caused warning messages to be returned to the console. The function has been changed to raw_smp_processor_id() so that a lock is held while getting the processor ID. As a result, correct operations are now allowed without any console warnings being produced. (BZ#1235304)

* In the NFSv4 file system, non-standard usage of the write_seqcount_{begin,end}() functions were used, which caused the realtime code to try to sleep while locks were held. As a consequence, the 'scheduling while atomic' error messages were returned. The underlying source code has been modified to use the
__write_seqcount_{begin,end}() functions that do not hold any locks, allowing correct execution of realtime. (BZ#1235301)

All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

* An integer overflow flaw was found in the way the Linux kernel's netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially crafted packets that would initiate the loading of a large number of extensions, causing the targeted system in that network to crash. (CVE-2014-9715, Moderate)

* A stack-based buffer overflow flaw was found in the Linux kernel's early load microcode functionality. On a system with UEFI Secure Boot enabled, a local, privileged user could use this flaw to increase their privileges to the kernel (ring0) level, bypassing intended restrictions in place. (CVE-2015-2666, Moderate)

* It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate)

* It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets. (CVE-2015-2922, Low)

Red Hat would like to thank Nathan Hoad for reporting the CVE-2014-9715 issue.

This update also fixes several bugs. Refer to the following Knowledgebase article for further information :

https://access.redhat.com/articles/1474193

All kernel users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The system must be rebooted for this update to take effect.

* An integer overflow flaw was found in the way the Linux kernel's netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially crafted packets that would initiate the loading of a large number of extensions, causing the targeted system in that network to crash. (CVE-2014-9715, Moderate)

* A stack-based buffer overflow flaw was found in the Linux kernel's early load microcode functionality. On a system with UEFI Secure Boot enabled, a local, privileged user could use this flaw to increase their privileges to the kernel (ring0) level, bypassing intended restrictions in place. (CVE-2015-2666, Moderate)

* It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate)

* It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets. (CVE-2015-2922, Low)

This update also fixes several bugs.

The system must be rebooted for this update to take effect.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-3068 advisory.

  - include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5     uses an insufficiently large data type for certain extension data, which allows local users to cause a     denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension     loading, as demonstrated by configuring a PPTP tunnel in a NAT environment. (CVE-2014-9715)

  - The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a     certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory     via a GET_BITMAP_FILE ioctl call. (CVE-2015-5697)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-3067 advisory.

  - include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5     uses an insufficiently large data type for certain extension data, which allows local users to cause a     denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension     loading, as demonstrated by configuring a PPTP tunnel in a NAT environment. (CVE-2014-9715)

  - The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a     certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory     via a GET_BITMAP_FILE ioctl call. (CVE-2015-5697)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updated kernel-rt packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.5.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

* An integer overflow flaw was found in the way the Linux kernel's netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially crafted packets that would initiate the loading of a large number of extensions, causing the targeted system in that network to crash. (CVE-2014-9715, Moderate)

* It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate)

* It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets. (CVE-2015-2922, Low)

Red Hat would like to thank Nathan Hoad for reporting the CVE-2014-9715 issue.

This update provides a build of the kernel-rt package for Red Hat Enterprise MRG 2.5 that is layered on Red Hat Enterprise Linux 6, and fixes the following issues :

* drbg: Add stdrng alias and increase priority

* seqiv / eseqiv / chainiv: Move IV seeding into init function

* ipv4: kABI fix for 0bbf87d backport

* ipv4: Convert ipv4.ip_local_port_range to be per netns

* libceph: tcp_nodelay support

* ipr: Increase default adapter init stage change timeout

* fix use-after-free bug in usb_hcd_unlink_urb()

* libceph: fix double __remove_osd() problem

* ext4: fix data corruption caused by unwritten and delayed extents

* sunrpc: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT

* nfs: Fixing lease renewal (Benjamin Coddington)

* control hard lockup detection default

* Fix print-once on enable

* watchdog: update watchdog_thresh properly and watchdog attributes atomically

* module: Call module notifier on failure after complete_formation()

(BZ#1230403)

This update also fixes the following bugs :

* Non-standard usage of the functions write_seqcount_{begin,end}() were used in NFSv4, which caused the realtime code to try to sleep while locks were held and produced the 'scheduling while atomic' messages. The code was modified to use the functions
__write_seqcount_{begin,end}() that do not hold any locks removing the message and allowing correct execution. (BZ#1225642)

* Dracut in Red Hat Enterprise Linux 6 has a dependency on a module called scsi_wait_scan that no longer exists on 3.x kernels. This caused the system to display misleading messages at start-up when the obsoleted scsi_wait_scan module was not found. To address this issue, MRG Realtime provides a dummy scsi_wait_scan module so that the requirements for the initramfs created by dracut are met and the boot messages are no longer displayed. (BZ#1230403)

All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-1534 advisory.

  - The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol     implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure     a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. (CVE-2015-2922)

  - The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain     list data structure during an unhash operation, which allows local users to gain privileges or cause a     denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket     system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a     disconnect. (CVE-2015-3636)

  - include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5     uses an insufficiently large data type for certain extension data, which allows local users to cause a     denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension     loading, as demonstrated by configuring a PPTP tunnel in a NAT environment. (CVE-2014-9715)

  - Stack-based buffer overflow in the get_matching_model_microcode function in     arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent     attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for     write access to the initrd. (CVE-2015-2666)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Vincent Tondellier discovered an integer overflow in the Linux kernel's netfilter connection tracking accounting of loaded extensions. An attacker on the local area network (LAN) could potential exploit this flaw to cause a denial of service (system crash of targeted system). (CVE-2014-9715)

Jan Beulich discovered the Xen virtual machine subsystem of the Linux kernel did not properly restrict access to PCI command registers. A local guest user could exploit this flaw to cause a denial of service (host crash). (CVE-2015-2150)

A privilege escalation was discovered in the fork syscal vi the int80 entry on 64 bit kernels with 32 bit emulation support. An unprivileged local attacker could exploit this flaw to increase their privileges on the system. (CVE-2015-2830)

A memory corruption issue was discovered in AES decryption when using the Intel AES-NI accelerated code path. A remote attacker could exploit this flaw to cause a denial of service (system crash) or potentially escalate privileges on Intel base machines with AEC-GCM mode IPSec security association. (CVE-2015-3331).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Vincent Tondellier discovered an integer overflow in the Linux kernel's netfilter connection tracking accounting of loaded extensions. An attacker on the local area network (LAN) could potential exploit this flaw to cause a denial of service (system crash of targeted system).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2014-8159     It was found that the Linux kernel's InfiniBand/RDMA     subsystem did not properly sanitize input parameters     while registering memory regions from user space via the     (u)verbs API. A local user with access to a     /dev/infiniband/uverbsX device could use this flaw to     crash the system or, potentially, escalate their     privileges on the system.

  - CVE-2014-9715     It was found that the netfilter connection tracking     subsystem used too small a type as an offset within each     connection's data structure, following a bug fix in     Linux 3.2.33 and 3.6. In some configurations, this would     lead to memory corruption and crashes (even without     malicious traffic). This could potentially also result     in violation of the netfilter policy or remote code     execution.

  This can be mitigated by disabling connection tracking   accounting:sysctl net.netfilter.nf_conntrack_acct=0

  - CVE-2015-2041     Sasha Levin discovered that the LLC subsystem exposed     some variables as sysctls with the wrong type. On a     64-bit kernel, this possibly allows privilege escalation     from a process with CAP_NET_ADMIN capability; it also     results in a trivial information leak.

  - CVE-2015-2042     Sasha Levin discovered that the RDS subsystem exposed     some variables as sysctls with the wrong type. On a     64-bit kernel, this results in a trivial information     leak.

  - CVE-2015-2150     Jan Beulich discovered that Xen guests are currently     permitted to modify all of the (writable) bits in the     PCI command register of devices passed through to them.
    This in particular allows them to disable memory and I/O     decoding on the device unless the device is an SR-IOV     virtual function, which can result in denial of service     to the host.

  - CVE-2015-2830     Andrew Lutomirski discovered that when a 64-bit task on     an amd64 kernel makes a fork(2) or clone(2) system call     using int $0x80, the 32-bit compatibility flag is set     (correctly) but is not cleared on return. As a result,     both seccomp and audit will misinterpret the following     system call by the task(s), possibly leading to a     violation of security policy.

  - CVE-2015-2922     Modio AB discovered that the IPv6 subsystem would     process a router advertisement that specifies no route     but only a hop limit, which would then be applied to the     interface that received it. This can result in loss of     IPv6 connectivity beyond the local network.

  This may be mitigated by disabling processing of IPv6 router   advertisements if they are not needed:sysctl   net.ipv6.conf.default.accept_ra=0sysctl   net.ipv6.conf.<interface>.accept_ra=0

  - CVE-2015-3331     Stephan Mueller discovered that the optimised     implementation of RFC4106 GCM for x86 processors that     support AESNI miscalculated buffer addresses in some     cases. If an IPsec tunnel is configured to use this mode     (also known as AES-GCM-ESP) this can lead to memory     corruption and crashes (even without malicious traffic).
    This could potentially also result in remote code     execution.

  - CVE-2015-3332     Ben Hutchings discovered that the TCP Fast Open feature     regressed in Linux 3.16.7-ckt9, resulting in a kernel     BUG when it is used. This can be used as a local denial     of service.

  - CVE-2015-3339     It was found that the execve(2) system call can race     with inode attribute changes made by chown(2). Although     chown(2) clears the setuid/setgid bits of a file if it     changes the respective owner ID, this race condition     could result in execve(2) setting effective uid/gid to     the new owner ID, a privilege escalation.

ID	Name	Product	Family	Severity
124986	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1533)	Nessus	Huawei Local Security Checks	high
124809	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1485)	Nessus	Huawei Local Security Checks	high
90019	OracleVM 3.2 : kernel-uek (OVMSA-2016-0037)	Nessus	OracleVM Local Security Checks	critical
88545	openSUSE Security Update : the Linux Kernel (openSUSE-2016-124)	Nessus	SuSE Local Security Checks	high
85705	RHEL 7 : kernel-rt (RHSA-2015:1565)	Nessus	Red Hat Local Security Checks	medium
85305	CentOS 7 : kernel (CESA-2015:1534)	Nessus	CentOS Local Security Checks	medium
85264	Scientific Linux Security Update : kernel on SL7.x x86_64 (20150805)	Nessus	Scientific Linux Local Security Checks	medium
85263	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2015-3068)	Nessus	Oracle Linux Local Security Checks	medium
85262	Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2015-3067)	Nessus	Oracle Linux Local Security Checks	medium
85249	RHEL 6 : MRG (RHSA-2015:1564)	Nessus	Red Hat Local Security Checks	medium
85248	RHEL 7 : kernel (RHSA-2015:1534)	Nessus	Red Hat Local Security Checks	medium
85247	Oracle Linux 7 : kernel (ELSA-2015-1534)	Nessus	Oracle Linux Local Security Checks	medium
83760	Ubuntu 14.04 LTS : linux vulnerabilities (USN-2614-1)	Nessus	Ubuntu Local Security Checks	high
83759	Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2613-1)	Nessus	Ubuntu Local Security Checks	high
83758	Ubuntu 12.04 LTS : linux vulnerability (USN-2611-1)	Nessus	Ubuntu Local Security Checks	medium
83065	Debian DSA-3237-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2014-9715

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

critical

high

medium

medium

medium

medium

medium

medium

medium

medium

high

high

medium

high