http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04197b341f23b908193308b8d63d17ff23232598

106822

https://bugzilla.suse.com/show_bug.cgi?id=1124010

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.3

https://github.com/torvalds/linux/commit/04197b341f23b908193308b8d63d17ff23232598

[debian-lts-announce] 20190327 [SECURITY] [DLA 1731-1] linux security update

[debian-lts-announce] 20190401 [SECURITY] [DLA 1731-2] linux regression update

The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes.

Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331)

CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)

CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)

CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)

CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

This kernel update contains software mitigations for these issues, which also utilize CPU microcode updates shipped in parallel.

For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736

The following security bugs were fixed: CVE-2016-10741:
fs/xfs/xfs_aops.c allowed local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure (bnc#1114920 bnc#1124010).

CVE-2017-1000407: By flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (bnc#1071021).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240).

CVE-2017-7472: The KEYS subsystem allowed local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls (bnc#1034862).

CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host.
Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target.
(bnc#1107829).

CVE-2018-15572: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517 bnc#1105296).

CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).

CVE-2018-18281: The mremap() syscall performed TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-19985: The function hso_get_config_data in drivers/net/usb/hso.c read if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allowed arbitrary read in the kernel address space (bnc#1120743).

CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

CVE-2018-5391: The Linux kernel was vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size (bnc#1103097).

CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check.
This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
(bnc#1108498).

CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).

CVE-2019-11486: The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c had multiple race conditions (bnc#1133188). The line discipline was disabled.

CVE-2019-3459: A heap address information leak while using L2CAP_GET_CONF_OPT was discovered (bnc#1120758).

CVE-2019-3460: A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found (bnc#1120758).

CVE-2019-3882: A flaw was found vfio interface implementation that permitted violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS).
(bnc#1131416 bnc#1131427).

CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free (bnc#1124728).

CVE-2019-7221: The KVM implementation had a Use-after-Free (bnc#1124732).

CVE-2019-7222: The KVM implementation had an Information Leak (bnc#1124735).

CVE-2019-9213: expand_downwards in mm/mmap.c lacked a check for the mmap minimum address, which made it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task (bnc#1128166).

CVE-2019-9503: Multiple brcmfmac frame validation bypasses have been fixed (bnc#1132828).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A memory corruption flaw was found in the way the USB     ConnectTech WhiteHEAT serial driver processed     completion commands sent via USB Request Blocks     buffers. An attacker with physical access to the system     could use this flaw to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-3185i1/4%0

  - Use-after-free vulnerability in the msm_set_crop     function in drivers/media/video/msm/msm_camera.c in the     MSM-Camera driver for the Linux kernel 3.x, as used in     Qualcomm Innovation Center (QuIC) Android contributions     for MSM devices and other products, allows attackers to     gain privileges or cause a denial of service (memory     corruption) via an application that makes a crafted     ioctl call.(CVE-2015-0568i1/4%0

  - The vivid_fb_ioctl function in     drivers/media/platform/vivid/vivid-osd.c in the Linux     kernel through 4.3.3 does not initialize a certain     structure member, which allows local users to obtain     sensitive information from kernel memory via a crafted     application.(CVE-2015-7884i1/4%0

  - The usb_get_bos_descriptor function in     drivers/usb/core/config.c in the Linux kernel can allow     a local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16535i1/4%0

  - The ACPI parsing functionality in the Linux kernel does     not flush the node and node_ext caches which causes a     kernel stack dump. This allows local users to obtain     sensitive information from kernel memory and use this     information to bypass the KASLR protection mechanism by     creating and applying crafted ACPI     table.(CVE-2017-13694i1/4%0

  - The is_ashmem_file function in     drivers/staging/android/ashmem.c in a certain Qualcomm     Innovation Center (QuIC) Android patch for the Linux     kernel 3.x mishandles pointer validation within the     KGSL Linux Graphics Module, which allows attackers to     bypass intended access restrictions by using the     /ashmem string as the dentry name.(CVE-2016-5340i1/4%0

  - It was found that the Linux kernel did not properly     account file descriptors passed over the unix socket     against the process limit. A local user could use this     flaw to exhaust all available memory on the     system.(CVE-2013-4312i1/4%0

  - Kernel memory corruption due to a buffer overflow was     found in brcmf_cfg80211_mgmt_tx() function in Linux     kernels from v3.9-rc1 to v4.13-rc1. The vulnerability     can be triggered by sending a crafted NL80211_CMD_FRAME     packet via netlink. This flaw is unlikely to be     triggered remotely as certain userspace code is needed     for this. An unprivileged local user could use this     flaw to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although it is unlikely.(CVE-2017-7541i1/4%0

  - A flaw in the netback module allowed frontends to     control mapping of requests to request queues. An     attacker can change this mapping by requesting invalid     mapping requests allowing the (usually privileged)     backend to access out-of-bounds memory access for     reading and writing.(CVE-2018-15471i1/4%0

  - A buffer overflow vulnerability due to a lack of input     filtering of incoming fragmented datagrams was found in     the IP-over-1394 driver firewire-net in a fragment     handling code in the Linux kernel. The vulnerability     exists since firewire supported IPv4, i.e. since     version 2.6.31 (year 2009) till version v4.9-rc4. A     maliciously formed fragment with a respectively large     datagram offset would cause a memcpy() past the     datagram buffer, which would cause a system panic or     possible arbitrary code execution.The flaw requires     firewire-net module to be loaded and is remotely     exploitable from connected firewire devices, but not     over a local network.(CVE-2016-8633i1/4%0

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.(CVE-2016-10741i1/4%0

  - A vulnerability was found in the Linux kernel. The     pointer to the netlink socket attribute is not checked,     which could cause a null pointer dereference when     parsing the nested attributes in function     tipc_nl_publ_dump(). This allows local users to cause a     DoS.(CVE-2016-4951i1/4%0

  - It was reported that with Linux kernel, earlier than     version v4.10-rc8, an application may trigger a BUG_ON     in sctp_wait_for_sndbuf if the socket tx buffer is     full, a thread is waiting on it to queue more data, and     meanwhile another thread peels off the association     being used by the first thread.(CVE-2017-5986i1/4%0

  - The kvm_vm_ioctl_check_extension function in     arch/powerpc/kvm/powerpc.c in the Linux kernel before     4.13.11 allows local users to cause a denial of service     (NULL pointer dereference and system crash) via a     KVM_CHECK_EXTENSION KVM_CAP_PPC_HTM ioctl call to     /dev/kvm.(CVE-2017-15306i1/4%0

  - A flaw was found in the way the Linux kernel's 32-bit     emulation implementation handled forking or closing of     a task with an 'int80' entry. A local user could     potentially use this flaw to escalate their privileges     on the system.(CVE-2015-2830i1/4%0

  - A flaw was found in the way the Linux kernel's SCTP     implementation validated INIT chunks when performing     Address Configuration Change (ASCONF). A remote     attacker could use this flaw to crash the system by     sending a specially crafted SCTP packet to trigger a     NULL pointer dereference on the     system.(CVE-2014-7841i1/4%0

  - A race condition issue leading to a use-after-free flaw     was found in the way the raw packet sockets are     implemented in the Linux kernel networking subsystem     handling synchronization. A local user able to open a     raw packet socket (requires the CAP_NET_RAW capability)     can use this issue to crash the     system.(CVE-2017-1000111)

  - A flaw was found in the way the Linux kernel performed     forking inside of a transaction. A local, unprivileged     user on a PowerPC system that supports transactional     memory could use this flaw to crash the     system.(CVE-2014-2673i1/4%0

  - The hashbin_delete function in net/irda/irqueue.c in     the Linux kernel improperly manages lock dropping,     which allows local users to cause a denial of service     (deadlock) via crafted operations on IrDA     devices.(CVE-2017-6348i1/4%0

  - An out-of-bounds flaw was found in the kernel, where     the length of the sockaddr parameter was not checked in     the pptp_bind() and pptp_connect() functions. As a     result, more kernel memory was copied out than     required, leaking information from the kernel stack     (including kernel addresses). A local system user could     exploit this flaw to bypass kernel ASLR or leak other     information.(CVE-2015-8569i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel through 4.14.13, the     rds_message_alloc_sgs() function does not validate a     value that is used during DMA page allocation, leading     to a heap-based out-of-bounds write (related to the     rds_rdma_extra_size() function in 'net/rds/rdma.c') and     thus to a system panic. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-5332)

  - In the Linux kernel through 4.14.13, the     rds_cmsg_atomic() function in 'net/rds/rdma.c'     mishandles cases where page pinning fails or an invalid     address is supplied by a user. This can lead to a NULL     pointer dereference in rds_atomic_free_op() and thus to     a system panic.(CVE-2018-5333)

  - A flaw was found in the Linux kernel's handling of     loopback devices. An attacker, who has permissions to     setup loopback disks, may create a denial of service or     other unspecified actions.(CVE-2018-5344)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c     in the Linux kernel, through 4.14.15, allows local     users to obtain sensitive address information by     reading dmesg data from an SBS HC printk     call.(CVE-2018-5750)

  - The futex_requeue function in kernel/futex.c in the     Linux kernel, before 4.14.15, might allow attackers to     cause a denial of service (integer overflow) or     possibly have unspecified other impacts by triggering a     negative wake or requeue value. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is unlikely.(CVE-2018-6927)

  - Memory leak in the sas_smp_get_phy_events function in     drivers/scsi/libsas/sas_expander.c in the Linux kernel     allows local users to cause a denial of service (kernel     memory exhaustion) via multiple read accesses to files     in the /sys/class/sas_phy directory.(CVE-2018-7757)

  - A an integer overflow vulnerability was discovered in     the Linux kernel, from version 3.4 through 4.15, in the     drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() function. An     attacker with access to the udldrmfb driver could     exploit this to obtain full read and write permissions     on kernel physical pages, resulting in a code execution     in kernel space.(CVE-2018-8781)

  - A flaw was found in the way the Linux KVM module     processed the trap flag(TF) bit in EFLAGS during     emulation of the syscall instruction, which leads to a     debug exception(#DB) being raised in the guest stack. A     user/process inside a guest could use this flaw to     potentially escalate their privileges inside the guest.
    Linux guests are not affected by this.(CVE-2017-7518)

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service.(CVE-2017-18360)

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.(CVE-2016-10741)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and reused. This is     fixed in the following kernel versions: 4.9.135,     4.14.78, 4.18.16, 4.19.(CVE-2018-18281)

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary     task.(CVE-2018-17972)

  - An issue was discovered in can_can_gw_rcv in     net/can/gw.c in the Linux kernel through 4.19.13. The     CAN frame modification rules allow bitwise logical     operations that can be also applied to the can_dlc     field. Because of a missing check, the CAN drivers may     write arbitrary content beyond the data registers in     the CAN controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection fault).(CVE-2019-3701)

  - A flaw was found In the Linux kernel, through version     4.19.6, where a local user could exploit a     use-after-free in the ALSA driver by supplying a     malicious USB Sound device (with zero interfaces) that     is mishandled in usb_audio_probe in sound/usb/card.c.
    An attacker could corrupt memory and possibly escalate     privileges if the attacker is able to have physical     access to the system.(CVE-2018-19824)

  - A security flaw was found in the Linux kernel in a way     that the cleancache subsystem clears an inode after the     final file truncation (removal). The new file created     with the same inode may contain leftover pages from     cleancache and the old file data instead of the new     one.(CVE-2018-16862)

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out.(CVE-2018-18559)

  - A new software page cache side channel attack scenario     was discovered in operating systems that implement the     very common 'page cache' caching mechanism. A malicious     user/process could use 'in memory' page-cache knowledge     to infer access timings to shared memory and gain     knowledge which can be used to reduce effectiveness of     cryptographic strength by monitoring algorithmic     behavior, infer access patterns of memory to determine     code paths taken, and exfiltrate data to a blinded     attacker through page-granularity access times as a     side-channel.(CVE-2019-5489)

  - A flaw was found in mmap in the Linux kernel allowing     the process to map a null page. This allows attackers     to abuse this mechanism to turn null pointer     dereferences into workable exploits.(CVE-2019-9213)

  - A flaw named FragmentSmack was found in the way the     Linux kernel handled reassembly of fragmented IPv4 and     IPv6 packets. A remote attacker could use this flaw to     trigger time and calculation expensive fragment     reassembly algorithm by sending specially crafted     packets which could lead to a CPU saturation and hence     a denial of service on the system.(CVE-2018-5391)

  - An issue was discovered in the Linux kernel through     4.19. An information leak in cdrom_ioctl_select_disc in     drivers/cdrom/cdrom.c could be used by local attackers     to read kernel memory because a cast from unsigned long     to int interferes with bounds checking.(CVE-2018-18710)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A new software page cache side channel attack scenario     was discovered in operating systems that implement the     very common 'page cache' caching mechanism. A malicious     user/process could use 'in memory' page-cache knowledge     to infer access timings to shared memory and gain     knowledge which can be used to reduce effectiveness of     cryptographic strength by monitoring algorithmic     behavior, infer access patterns of memory to determine     code paths taken, and exfiltrate data to a blinded     attacker through page-granularity access times as a     side-channel.(CVE-2019-5489)

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.(CVE-2016-10741)

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary     task.(CVE-2018-17972)

  - A security flaw was found in the Linux kernel in a way     that the cleancache subsystem clears an inode after the     final file truncation (removal). The new file created     with the same inode may contain leftover pages from     cleancache and the old file data instead of the new     one.(CVE-2018-16862)

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out.(CVE-2018-18559)

  - A flaw was found In the Linux kernel, through version     4.19.6, where a local user could exploit a     use-after-free in the ALSA driver by supplying a     malicious USB Sound device (with zero interfaces) that     is mishandled in usb_audio_probe in sound/usb/card.c.
    An attacker could corrupt memory and possibly escalate     privileges if the attacker is able to have physical     access to the system.(CVE-2018-19824)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause a use-after-free in     ext4_xattr_set_entry function and a denial of service     or unspecified other impact may occur by renaming a     file in a crafted ext4 filesystem     image.(CVE-2018-10879)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in     jbd2_journal_dirty_metadata(), a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10883)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found In the Linux kernel, through version     4.19.6, where a local user could exploit a     use-after-free in the ALSA driver by supplying a     malicious USB Sound device (with zero interfaces) that     is mishandled in usb_audio_probe in sound/usb/card.c.
    An attacker could corrupt memory and possibly escalate     privileges if the attacker is able to have physical     access to the system.i1/4^CVE-2018-19824i1/4%0

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.i1/4^CVE-2016-10741i1/4%0

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service.i1/4^CVE-2017-18360i1/4%0

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and     reused.i1/4^CVE-2018-18281i1/4%0

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out.i1/4^CVE-2018-18559i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A division-by-zero in set_termios(), when debugging is     enabled, was found in the Linux kernel. When the     [io_ti] driver is loaded, a local unprivileged attacker     can request incorrect high transfer speed in the     change_port_settings() in the     drivers/usb/serial/io_ti.c so that the divisor value     becomes zero and causes a system crash resulting in a     denial of service. (CVE-2017-18360)

  - Since Linux kernel version 3.2, the mremap() syscall     performs TLB flushes after dropping pagetable locks. If     a syscall such as ftruncate() removes entries from the     pagetables of a task that is in the middle of mremap(),     a stale TLB entry can remain for a short time that     permits access to a physical page after it has been     released back to the page allocator and     reused.(CVE-2018-18281)

  - A flaw was discovered in the Linux kernel's USB     subsystem in the __usb_get_extra_descriptor() function     in the drivers/usb/core/usb.c which mishandles a size     check during the reading of an extra descriptor data.
    By using a specially crafted USB device which sends a     forged extra descriptor, an unprivileged user with     physical access to the system can potentially cause a     privilege escalation or trigger a system crash or lock     up and thus to cause a denial of service     (DoS).(CVE-2018-20169)

  - It was found that the Linux kernel can hit a BUG_ON()     statement in the __xfs_get_blocks() in the     fs/xfs/xfs_aops.c because of a race condition between     direct and memory-mapped I/O associated with a hole in     a file that is handled with BUG_ON() instead of an I/O     failure. This allows a local unprivileged attacker to     cause a system crash and a denial of     service.(CVE-2016-10741)

  - A use-after-free flaw can occur in the Linux kernel due     to a race condition between packet_do_bind() and     packet_notifier() functions called for an AF_PACKET     socket. An unprivileged, local user could use this flaw     to induce kernel memory corruption on the system,     leading to an unresponsive system or to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out. (CVE-2018-18559)

  - An issue was discovered in can_can_gw_rcv in     net/can/gw.c in the Linux kernel through 4.19.13. The     CAN frame modification rules allow bitwise logical     operations that can be also applied to the can_dlc     field. Because of a missing check, the CAN drivers may     write arbitrary content beyond the data registers in     the CAN controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection fault).(CVE-2019-3701)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause a use-after-free in     ext4_xattr_set_entry function and a denial of service     or unspecified other impact may occur by renaming a     file in a crafted ext4 filesystem     image.(CVE-2018-10879)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in     jbd2_journal_dirty_metadata(), a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image.(CVE-2018-10883)

  - It was found that the raw midi kernel driver does not     protect against concurrent access which leads to a     double realloc (double free) in     snd_rawmidi_input_params() and     snd_rawmidi_output_status() which are part of     snd_rawmidi_ioctl() handler in rawmidi.c file. A     malicious local attacker could possibly use this for     privilege escalation.(CVE-2018-10902)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the ext4/xattr.c:ext4_xattr_inode_hash()     function. An attacker could trick a legitimate user or     a privileged attacker could exploit this to cause a     NULL pointer dereference with a crafted ext4 image.
    (CVE-2018-1094)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The linux update issued as DLA-1731-1 caused a regression in the vmxnet3 (VMware virtual network adapter) driver. This update corrects that regression, and an earlier regression in the CIFS network filesystem implementation introduced in DLA-1422-1. For reference the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2016-10741

A race condition was discovered in XFS that would result in a crash (BUG). A local user permitted to write to an XFS volume could use this for denial of service.

CVE-2017-5753

Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated.

CVE-2017-13305

A memory over-read was discovered in the keys subsystem's encrypted key type. A local user could use this for denial of service or possibly to read sensitive information.

CVE-2018-3639 (SSB)

Multiple researchers have discovered that Speculative Store Bypass (SSB), a feature implemented in many processors, could be used to read sensitive information from another context. In particular, code in a software sandbox may be able to read sensitive information from outside the sandbox. This issue is also known as Spectre variant 4.

This update fixes bugs in the mitigations for SSB for AMD processors.

CVE-2018-5848

The wil6210 wifi driver did not properly validate lengths in scan and connection requests, leading to a possible buffer overflow. On systems using this driver, a local user with the CAP_NET_ADMIN capability could use this for denial of service (memory corruption or crash) or potentially for privilege escalation.

CVE-2018-5953

The swiotlb subsystem printed kernel memory addresses to the system log, which could help a local attacker to exploit other vulnerabilities.

CVE-2018-12896, CVE-2018-13053

Team OWL337 reported possible integer overflows in the POSIX timer implementation. These might have some security impact.

CVE-2018-16862

Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team discovered that the cleancache memory management feature did not invalidate cached data for deleted files. On Xen guests using the tmem driver, local users could potentially read data from other users' deleted files if they were able to create new files on the same volume.

CVE-2018-16884

A flaw was found in the NFS 4.1 client implementation. Mounting NFS shares in multiple network namespaces at the same time could lead to a user-after-free. Local users might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

This can be mitigated by disabling unprivileged users from creating user namespaces, which is the default in Debian.

CVE-2018-17972

Jann Horn reported that the /proc/*/stack files in procfs leaked sensitive data from the kernel. These files are now only readable by users with the CAP_SYS_ADMIN capability (usually only root)

CVE-2018-18281

Jann Horn reported a race condition in the virtual memory manager that can result in a process briefly having access to memory after it is freed and reallocated. A local user permitted to create containers could possibly exploit this for denial of service (memory corruption) or for privilege escalation.

CVE-2018-18690

Kanda Motohiro reported that XFS did not correctly handle some xattr (extended attribute) writes that require changing the disk format of the xattr. A user with access to an XFS volume could use this for denial of service.

CVE-2018-18710

It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_SELECT_DISC ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-19824

Hui Peng and Mathias Payer discovered a use-after-free bug in the USB audio driver. A physically present attacker able to attach a specially designed USB device could use this for privilege escalation.

CVE-2018-19985

Hui Peng and Mathias Payer discovered a missing bounds check in the hso USB serial driver. A physically present user able to attach a specially designed USB device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-20169

Hui Peng and Mathias Payer discovered missing bounds checks in the USB core. A physically present attacker able to attach a specially designed USB device could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2018-20511

InfoSect reported an information leak in the AppleTalk IP/DDP implemntation. A local user with CAP_NET_ADMIN capability could use this to read sensitive information from the kernel.

CVE-2019-3701

Muyu Yu and Marcus Meissner reported that the CAN gateway implementation allowed the frame length to be modified, typically resulting in out-of-bounds memory-mapped I/O writes. On a system with CAN devices present, a local user with CAP_NET_ADMIN capability in the initial net namespace could use this to cause a crash (oops) or other hardware-dependent impact.

CVE-2019-3819

A potential infinite loop was discovered in the HID debugfs interface exposed under /sys/kernel/debug/hid. A user with access to these files could use this for denial of service.

This interface is only accessible to root by default, which fully mitigates the issue.

CVE-2019-6974

Jann Horn reported a use-after-free bug in KVM. A local user with access to /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-7221

Jim Mattson and Felix Wilhelm reported a user-after-free bug in KVM's nested VMX implementation. On systems with Intel CPUs, a local user with access to /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

Nested VMX is disabled by default, which fully mitigates the issue.

CVE-2019-7222

Felix Wilhelm reported an information leak in KVM for x86. A local user with access to /dev/kvm could use this to read sensitive information from the kernel.

CVE-2019-9213

Jann Horn reported that privileged tasks could cause stack segments, including those in other processes, to grow downward to address 0. On systems lacking SMAP (x86) or PAN (ARM), this exacerbated other vulnerabilities: a NULL pointer dereference could be exploited for privilege escalation rather than only for denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 3.16.64-1.

We recommend that you upgrade your linux packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2016-10741: fs/xfs/xfs_aops.c allowed local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure (bnc#1114920 bnc#1124010).

CVE-2017-18360: In change_port_settings in drivers/usb/serial/io_ti.c local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates (bnc#1123706).

CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).

CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).

CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

CVE-2019-7222: A information leak in exception handling in KVM could be used to expose host memory to guests. (bnc#1124735).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation.
(CVE-2017-7533, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

CVE-2017-8797 CVE-2015-8839 CVE-2016-9576 CVE-2016-7042 CVE-2016-7097 CVE-2016-8645 CVE-2016-9576 CVE-2016-9806 CVE-2016-10088 CVE-2017-2671 CVE-2017-5970 CVE-2017-6001 CVE-2017-6951 CVE-2017-7187 CVE-2017-7889 CVE-2017-8890 CVE-2017-9074 CVE-2017-8890 CVE-2017-9075 CVE-2017-8890 CVE-2017-9076 CVE-2017-8890 CVE-2017-9077 CVE-2016-9604 CVE-2016-9685

Documentation for these issues are available from the Technical Notes document linked to in the References section.

Red Hat would like to thank Leilei Lin (Alibaba Group), Fan Wu (The University of Hong Kong), and Shixiong Zhao (The University of Hong Kong) for reporting CVE-2017-7533 and Marco Grassi for reporting CVE-2016-8645. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-9604 issue was discovered by David Howells (Red Hat); and the CVE-2016-9685 issue was discovered by Qian Cai (Red Hat).

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-1842 advisory.

  - The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the     CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which     allows local users to cause a denial of service (loss of writability) by making certain unshare system     calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call. (CVE-2014-7975)

  - The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU     Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout     data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading     the /proc/keys file. (CVE-2016-7042)

  - Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3     allows local users to cause a denial of service (double free) or possibly have unspecified other impact     via a crafted application that makes sendmsg system calls, leading to a free operation associated with a     new dump that started earlier than anticipated. (CVE-2016-9806)

  - The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly     restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory     locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.
    (CVE-2016-9576)

  - The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in     situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary     kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-9576. (CVE-2016-10088)

  - The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr     call, which allows local users to gain group privileges by leveraging the existence of a setgid program     with restrictions on execute permissions. (CVE-2016-7097)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause     a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large     command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write     function. (CVE-2017-7187)

  - crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL     pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as     demonstrated by mcryptd(md5). (CVE-2016-10147)

  - arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows     guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by     an L2 guest. (CVE-2016-9588)

  - The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly     emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of page references. (CVE-2017-2596)

  - The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to     cause a denial of service (system crash) via a crafted application that makes sendto system calls, related     to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c. (CVE-2016-8645)

  - The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows     attackers to cause a denial of service (system crash) via (1) an application that makes crafted system     calls or possibly (2) IPv4 traffic with invalid IP options. (CVE-2017-5970)

  - Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain     privileges via a crafted application that makes concurrent perf_event_open system calls for moving a     software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for     CVE-2016-6786. (CVE-2017-6001)

  - The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain     match field, related to the keyring_search_iterator function in keyring.c. (CVE-2017-2647)

  - The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15     allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by     leveraging use of the accept system call. (CVE-2017-8890)

  - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9077)

  - The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly     interact with certain locations of a chroot directory, which allows local users to cause a denial of     service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.
    (CVE-2014-7970)

  - crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been     performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause     a denial of service (NULL pointer dereference and system crash) via a crafted application that does not     supply a key, related to the lrw_crypt function in crypto/lrw.c. (CVE-2015-8970)

  - Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users     to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c     and net/l2tp/l2tp_ip6.c. (CVE-2016-10200)

  - fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount     namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via     MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of     mounts. (CVE-2016-6213)

  - It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal     keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its     session keyring. This allows root to bypass module signature verification by adding a new public key of     its own devising to the keyring. (CVE-2016-9604)

  - The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a     certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local     users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a     socket system call. (CVE-2017-2671)

  - The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows     local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call     for the dead type. (CVE-2017-6951)

  - Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux     kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by     triggering failure of a certain bitmap operation. (CVE-2017-7616)

  - The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file,     related to arch/x86/mm/init.c and drivers/char/mem.c. (CVE-2017-7889)

  - The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the     nexthdr field may be associated with an invalid option, which allows local users to cause a denial of     service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send     system calls. (CVE-2017-9074)

  - The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9076)

  - The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure may occur, which allows local users to cause a     denial of service (system crash) via crafted system calls. (CVE-2017-9242)

  - Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local     users to cause a denial of service (disk corruption) by writing to a page that is associated with a     different user's file after unsynchronized hole punching and page-fault handling. (CVE-2015-8839)

  - Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow     local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.
    (CVE-2016-9685)

  - The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when     processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This     type value is uninitialized upon encountering certain error conditions. This value is used as an array     index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the     whole system. (CVE-2017-8797)

  - The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9075)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

ID	Name	Product	Family	Severity
125283	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1289-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)	Nessus	SuSE Local Security Checks	high
124970	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1517)	Nessus	Huawei Local Security Checks	high
124834	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1512)	Nessus	Huawei Local Security Checks	high
124430	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-1303)	Nessus	Huawei Local Security Checks	high
123712	EulerOS Virtualization 2.5.3 : kernel (EulerOS-SA-2019-1244)	Nessus	Huawei Local Security Checks	high
123605	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1131)	Nessus	Huawei Local Security Checks	medium
123420	Debian DLA-1731-2 : linux regression update (Spectre)	Nessus	Debian Local Security Checks	medium
122891	SUSE SLES11 Security Update : kernel (SUSE-SU-2019:13979-1)	Nessus	SuSE Local Security Checks	high
103046	RHEL 6 : MRG (RHSA-2017:2669)	Nessus	Red Hat Local Security Checks	high
102734	CentOS 7 : kernel (CESA-2017:1842) (Stack Clash)	Nessus	CentOS Local Security Checks	high
102281	Oracle Linux 7 : kernel (ELSA-2017-1842)	Nessus	Oracle Linux Local Security Checks	high
102151	RHEL 7 : kernel-rt (RHSA-2017:2077)	Nessus	Red Hat Local Security Checks	high
102143	RHEL 7 : kernel (RHSA-2017:1842) (Stack Clash)	Nessus	Red Hat Local Security Checks	high

CVE-2016-10741

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

high

high

high

medium

medium

high

high

high

high

high

high