http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3e0097499839e0fe3af380410eababe5a47c4cf9

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.4

101187

https://github.com/torvalds/linux/commit/3e0097499839e0fe3af380410eababe5a47c4cf9

USN-3754-1

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4855 advisory.

  - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during     the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
    (CVE-2018-20169)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain     sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl     call for /dev/sg0. (CVE-2017-14991)

  - In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params     division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry     with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should     be called. It can be triggered by an unprivileged local user even when a floppy disk has not been     inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14284)

  - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated     user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)

  - The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local     users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a     write-what-where condition that occurs after a race condition and a NULL pointer dereference.
    (CVE-2017-15102)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an     out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)

  - An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket     option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general     protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be     triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after     namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of     the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before     4.9.187. (CVE-2017-18509)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4854 advisory.

  - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during     the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
    (CVE-2018-20169)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain     sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl     call for /dev/sg0. (CVE-2017-14991)

  - In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params     division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry     with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should     be called. It can be triggered by an unprivileged local user even when a floppy disk has not been     inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14284)

  - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated     user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)

  - The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local     users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a     write-what-where condition that occurs after a race condition and a NULL pointer dereference.
    (CVE-2017-15102)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an     out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4823 advisory.

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain     sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl     call for /dev/sg0. (CVE-2017-14991)

  - fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-     flushing-before-commit list, which allows local users to obtain sensitive information from other users'     files in opportunistic circumstances by waiting for a hardware reset, creating a new file, making write     system calls, and reading this file. (CVE-2017-7495)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE     (Hannes Reinecke) [Orabug: 26941755] (CVE-2017-14991)

  - failover: allow name change on IFF_UP slave interfaces     (Si-Wei Liu) 

  - Revert 'net_failover: delay taking over primary device     to accommodate udevd renaming' (Si-Wei Liu) [Orabug:
    29707258]

  - build: Revert 'repairing out-of-tree build     functionality' (Todd Vierling) [Orabug: 30257829]

  - rds: add ibmr to busy_list in flush code path (Manjunath     Patil)

  - rds: fix uninteneded increase of     rds_rdma:pool->max_items_soft (Manjunath Patil)

  - ext4: fix data exposure after a crash (Jan Kara)     [Orabug: 30361860] (CVE-2017-7495)

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The offset2lib patch as used in the Linux Kernel     contains a vulnerability that allows a PIE binary to be     execve()'ed with 1GB of arguments or environmental     strings then the stack occupies the address 0x80000000     and the PIE binary is mapped above 0x40000000     nullifying the protection of the offset2lib patch. This     affects Linux Kernel version 4.11.5 and earlier. This     is a different issue than CVE-2017-1000371. This issue     appears to be limited to i386 based     systems.(CVE-2017-1000370i1/4%0

  - Integer overflow in the LZ4 algorithm implementation,     as used in Yann Collet LZ4 before r118 and in the     lz4_uncompress function in lib/lz4/lz4_decompress.c in     the Linux kernel before 3.15.2, on 32-bit platforms     might allow context-dependent attackers to cause a     denial of service (memory corruption) or possibly have     unspecified other impact via a crafted Literal Run that     would be improperly handled by programs not complying     with an API limitation, a different vulnerability than     CVE-2014-4715.(CVE-2014-4611i1/4%0

  - The replace_map_fd_with_map_ptr function in     kernel/bpf/verifier.c in the Linux kernel before 4.5.5     does not properly maintain an fd data structure, which     allows local users to gain privileges or cause a denial     of service (use-after-free) via crafted BPF     instructions that reference an incorrect file     descriptor.(CVE-2016-4557i1/4%0

  - The usb_destroy_configuration() function, in     'drivers/usb/core/config.c' in the USB core subsystem,     in the Linux kernel through 4.14.5 does not consider     the maximum number of configurations and interfaces     before attempting to release resources. This allows     local users to cause a denial of service, due to     out-of-bounds write access, or possibly have     unspecified other impact via a crafted USB device. Due     to the nature of the flaw, privilege escalation cannot     be fully ruled out, although we believe it is     unlikely.(CVE-2017-17558i1/4%0

  - The cdrom_ioctl_media_changed function in     drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6     allows local attackers to use a incorrect bounds check     in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read     out kernel memory.(CVE-2018-10940i1/4%0

  - It was found that the parse_rock_ridge_inode_internal()     function of the Linux kernel's ISOFS implementation did     not correctly check relocated directories when     processing Rock Ridge child link (CL) tags. An attacker     with physical access to the system could use a     specially crafted ISO image to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-5471i1/4%0

  - A flaw was found in the Linux kernel's implementation     of Unix sockets. A server polling for client-socket     data could put the peer socket on a wait list the peer     socket could then close the connection, making the     reference on the wait list no longer valid. This could     lead to bypassing the permissions on a Unix socket and     packets being injected into the stream, and could also     panic the machine (denial of service).(CVE-2013-7446i1/4%0

  - The do_check function in kernel/bpf/verifier.c in the     Linux kernel before 4.11.1 does not make the     allow_ptr_leaks value available for restricting the     output of the print_bpf_insn function, which allows     local users to obtain sensitive address information via     crafted bpf system calls.(CVE-2017-9150i1/4%0

  - The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x     and 4.x, as used in Qualcomm Innovation Center (QuIC)     Android contributions for MSM devices and other     products, does not verify authorization for private SET     IOCTL calls, which allows attackers to gain privileges     via a crafted application, related to     wlan_hdd_hostapd.c and     wlan_hdd_wext.c.(CVE-2015-0571i1/4%0

  - arch/arm64/kvm/guest.c in KVM in the Linux kernel     before 4.18.12 on the arm64 platform mishandles the     KVM_SET_ON_REG ioctl. This is exploitable by attackers     who can create virtual machines. An attacker can     arbitrarily redirect the hypervisor flow of control     (with full register control). An attacker can also     cause a denial of service (hypervisor panic) via an     illegal exception return. This occurs because of     insufficient restrictions on userspace access to the     core register file, and because PSTATE.M validation     does not prevent unintended execution     modes.(CVE-2018-18021i1/4%0

  - A resource-exhaustion vulnerability was found in the     kernel, where an unprivileged process could allocate     and accumulate far more file descriptors than the     process' limit. A local, unauthenticated user could     exploit this flaw by sending file descriptors over a     Unix socket and then closing them to keep the process'     fd count low, thereby creating kernel-memory or     file-descriptors exhaustion (denial of     service).(CVE-2016-2550i1/4%0

  - The Linux kernel before 3.12.4 updates certain length     values before ensuring that associated data structures     have been initialized, which allows local users to     obtain sensitive information from kernel stack memory     via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system     call, related to net/ipv4/ping.c, net/ipv4/raw.c,     net/ipv4/udp.c, net/ipv6/raw.c, and     net/ipv6/udp.c.(CVE-2013-7263i1/4%0

  - It is possible for a single process to cause an OOM     condition by filling large pipes with data that are     never read. A typical process filling 4096 pipes with 1     MB of data will use 4 GB of memory and there can be     multiple such processes, up to a     per-user-limit.(CVE-2016-2847i1/4%0

  - The __get_user_asm_ex macro in     arch/x86/include/asm/uaccess.h in the Linux kernel     before 4.7.5 does not initialize a certain integer     variable, which allows local users to obtain sensitive     information from kernel stack memory by triggering     failure of a get_user_ex call.(CVE-2016-9178i1/4%0

  - It was found that the x86 ISA (Instruction Set     Architecture) is prone to a denial of service attack     inside a virtualized environment in the form of an     infinite loop in the microcode due to the way     (sequential) delivering of benign exceptions such as     #DB (debug exception) is handled. A privileged user     inside a guest could use this flaw to create denial of     service conditions on the host kernel.(CVE-2015-8104i1/4%0

  - The Direct Rendering Manager (DRM) subsystem in the     Linux kernel through 4.x mishandles requests for     Graphics Execution Manager (GEM) objects, which allows     context-dependent attackers to cause a denial of     service (memory consumption) via an application that     processes graphics data, as demonstrated by JavaScript     code that creates many CANVAS elements for rendering by     Chrome or Firefox.(CVE-2013-7445i1/4%0

  - A flaw was found in the Linux kernel which does not     initialize certain data structures used by DMA transfer     on ARM64 based systems. This could allow local users to     obtain sensitive information from kernel memory by     triggering a dma_mmap call and reconstructing the     data.(CVE-2015-8950i1/4%0

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or     use-after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be     fully ruled out, although we believe it is     unlikely.(CVE-2017-10661i1/4%0

  - The sg_ioctl() function in 'drivers/scsi/sg.c' in the     Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows     local users to obtain sensitive information from     uninitialized kernel heap-memory locations via an     SG_GET_REQUEST_TABLE ioctl call for     '/dev/sg0'.(CVE-2017-14991i1/4%0

  - A race condition in the ip4_datagram_release_cb     function in net/ipv4/datagram.c in the Linux kernel     allows local users to gain privileges or cause a denial     of service (use-after-free) by leveraging incorrect     expectations about locking during multithreaded access     to internal data structures for IPv4 UDP     sockets.(CVE-2014-9914i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - It was found that in the Linux kernel through     v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in     'block/bio.c' do unbalanced pages refcounting if IO     vector has small consecutive buffers belonging to the     same page. bio_add_pc_page() merges them into one, but     the page reference is never dropped, causing a memory     leak and possible system lockup due to out-of-memory     condition.(CVE-2017-12190)

  - A vulnerability was found in the Key Management sub     component of the Linux kernel, where when trying to     issue a KEYTCL_READ on a negative key would lead to a     NULL pointer dereference. A local attacker could use     this flaw to crash the kernel.(CVE-2017-12192)

  - A flaw was found in the Linux kernel's implementation     of associative arrays introduced in 3.13. This     functionality was backported to the 3.10 kernels in Red     Hat Enterprise Linux 7. The flaw involved a null     pointer dereference in assoc_array_apply_edit() due to     incorrect node-splitting in assoc_array implementation.
    This affects the keyring key type and thus key addition     and link creation operations may cause the kernel to     panic.(CVE-2017-12193)

  - A divide-by-zero vulnerability was found in the
    __tcp_select_window function in the Linux kernel. This     can result in a kernel panic causing a local denial of     service.(CVE-2017-14106)

  - The move_pages system call in mm/migrate.c in the Linux     kernel doesn't check the effective uid of the target     process. This enables a local attacker to learn the     memory layout of a setuid executable allowing     mitigation of ASLR.(CVE-2017-14140)

  - The iscsi_if_rx() function in     'drivers/scsi/scsi_transport_iscsi.c' in the Linux     kernel from v2.6.24-rc1 through 4.13.2 allows local     users to cause a denial of service (a system panic) by     making a number of certain syscalls by leveraging     incorrect length validation in the kernel     code.(CVE-2017-14489)

  - The sg_ioctl() function in 'drivers/scsi/sg.c' in the     Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows     local users to obtain sensitive information from     uninitialized kernel heap-memory locations via an     SG_GET_REQUEST_TABLE ioctl call for     '/dev/sg0'.(CVE-2017-14991)

  - The tower_probe function in     drivers/usb/misc/legousbtower.c in the Linux kernel     before 4.8.1 allows local users (who are physically     proximate for inserting a crafted USB device) to gain     privileges by leveraging a write-what-where condition     that occurs after a race condition and a NULL pointer     dereference.(CVE-2017-15102)

  - A vulnerability was found in the Linux kernel when     peeling off an association to the socket in another     network namespace. All transports in this association     are not to be rehashed and keep using the old key in     hashtable, thus removing transports from hashtable when     closing the socket, all transports are being freed.
    Later on a use-after-free issue could be caused when     looking up an association and dereferencing the     transports.(CVE-2017-15115)

  - A use-after-free vulnerability was found in a network     namespaces code affecting the Linux kernel since     v4.0-rc1 through v4.15-rc5. The function     get_net_ns_by_id() does not check for the net::count     value after it has found a peer network in netns_ids     idr which could lead to double free and memory     corruption. This vulnerability could allow an     unprivileged local user to induce kernel memory     corruption on the system, leading to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out, although it is thought to be     unlikely.(CVE-2017-15129)

  - A use-after-free vulnerability was found when issuing     an ioctl to a sound device. This could allow a user to     exploit a race condition and create memory corruption     or possibly privilege escalation.(CVE-2017-15265)

  - A flaw was found in the implementation of associative     arrays where the add_key systemcall and KEYCTL_UPDATE     operations allowed for a NULL payload with a nonzero     length. When accessing the payload within this length     parameters value, an unprivileged user could trivially     cause a NULL pointer dereference (kernel     oops).(CVE-2017-15274)

  - A vulnerability was found in the key management     subsystem of the Linux kernel. An update on an     uninstantiated key could cause a kernel panic, leading     to denial of service (DoS).(CVE-2017-15299)

  - It was found that fanout_add() in     'net/packet/af_packet.c' in the Linux kernel, before     version 4.13.6, allows local users to gain privileges     via crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind)     that leads to a use-after-free bug.(CVE-2017-15649)

  - The usb_serial_console_disconnect function in     drivers/usb/serial/console.c in the Linux kernel,     before 4.13.8, allows local users to cause a denial of     service (use-after-free and system crash) or possibly     have unspecified other impact via a crafted USB device,     related to disconnection and failed     setup.(CVE-2017-16525)

  - The drivers/uwb/uwbd.c in the Linux kernel, before     4.13.6, allows local users to cause a denial of service     (general protection fault and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16526)

  - The sound/usb/mixer.c in the Linux kernel, before     4.13.8, allows local users to cause a denial of service     (snd_usb_mixer_interrupt use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16527)

  - The sound/core/seq_device.c in the Linux kernel, before     4.13.4, allows local users to cause a denial of service     (snd_rawmidi_dev_seq_free use-after-free and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16528)

  - The snd_usb_create_streams function in sound/usb/card.c     in the Linux kernel, before 4.13.6, allows local users     to cause a denial of service (out-of-bounds read and     system crash) or possibly have unspecified other impact     via a crafted USB device.(CVE-2017-16529)

  - The uas driver in the Linux kernel before 4.13.6 allows     local users to cause a denial of service (out-of-bounds     read and system crash), or possibly have unspecified     other impacts via a crafted USB device, related to     drivers/usb/storage/uas-detect.h and     drivers/usb/storage/uas.c.(CVE-2017-16530)

  - The function drivers/usb/core/config.c in the Linux     kernel, allows local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB device,     related to the USB_DT_INTERFACE_ASSOCIATION     descriptor.(CVE-2017-16531)

  - The get_endpoints function in     drivers/usb/misc/usbtest.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16532)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel did not properly validate meta block groups. An attacker with physical access could use this to specially craft an ext4 image that causes a denial of service (system crash). (CVE-2016-10208)

It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a buffer overflow existed in the ACPI table parsing implementation in the Linux kernel. A local attacker could use this to construct a malicious ACPI table that, when loaded, caused a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-11473)

It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991)

It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649)

Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did not properly handle device attachment and warm-start. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16538)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)

Andrey Konovalov discovered that the video4linux driver for Hauppauge HD PVR USB devices in the Linux kernel did not properly handle some error conditions. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16644)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558)

It was discovered that an integer overflow existed in the perf subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18255)

It was discovered that the keyring subsystem in the Linux kernel did not properly prevent a user from creating keyrings for other users. A local attacker could use this cause a denial of service or expose sensitive information. (CVE-2017-18270)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in the Linux kernel did not properly emulate instructions on the SS segment register. A local attacker in a guest virtual machine could use this to cause a denial of service (guest OS crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel improperly emulated certain instructions. A local attacker could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in the Linux kernel did not properly initialize memory related to logging. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic Routing Encapsulation (GRE) tunneling implementation in the Linux kernel. An attacker could use this to possibly expose sensitive information. (CVE-2017-5897)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel did not properly set up a destructor in certain situations. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (deadlock). (CVE-2017-6348)

Andy Lutomirski discovered that the KVM implementation in the Linux kernel was vulnerable to a debug exception error when single-stepping through a syscall. A local attacker in a non-Linux guest vm could possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3 server implementations in the Linux kernel did not properly handle certain long RPC replies. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-7645)

Pengfei Wang discovered that a race condition existed in the NXP SAA7164 TV Decoder driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8831)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

It was discovered that the wait4() system call in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service.
(CVE-2018-10087)

It was discovered that the kill() system call implementation in the Linux kernel did not properly validate its arguments in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2018-10124)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323)

Zhong Jiang discovered that a use-after-free vulnerability existed in the NUMA memory policy implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10675)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1092)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

It was discovered that the cdrom driver in the Linux kernel contained an incorrect bounds check. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-10940)

Shankara Pailoor discovered that the JFS filesystem implementation in the Linux kernel contained a buffer overflow when handling extended attributes. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly handle an error condition with a corrupted xfs image. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid file creation when performed by a non-member of the group. A local attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in the Linux kernel contained an integer overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-13406)

Daniel Jiang discovered that a race condition existed in the ipv4 ping socket implementation in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that an information leak existed in the generic SCSI driver in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-1000204)

It was discovered that a memory leak existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2018-10021).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3469-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

Anthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.
(CVE-2017-10911)

Bo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). (CVE-2017-12153)

It was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash).

It was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192)

It was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel.
A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-14051)

It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14156)

Dave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)

ChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-14489)

It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991)

Dmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in the Linux kernel did not properly handle attempts to set reserved bits in a task's extended state (xstate) area. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15537)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Anthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.
(CVE-2017-10911)

Bo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). (CVE-2017-12153)

It was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash).

It was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192)

It was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel.
A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-14051)

It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14156)

Dave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)

ChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash).
(CVE-2017-14489)

It was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991)

Dmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in the Linux kernel did not properly handle attempts to set reserved bits in a task's extended state (xstate) area. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15537)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,     when nested virtualisation is used, does not properly     traverse guest pagetable entries to resolve a guest     virtual address, which allows L1 guest OS users to     execute arbitrary code on the host OS or cause a denial     of service (incorrect index during page walking, and     host OS crash), aka an MMU potential stack buffer     overrun.(CVE-2017-12188)

  - A vulnerability was found in the Key Management sub     component of the Linux kernel, where when trying to     issue a KEYTCL_READ on negative key would lead to a     NULL pointer dereference. A local attacker could use     this flaw to crash the kernel.(CVE-2017-12192)

  - security/keys/keyctl.c in the Linux kernel before     4.11.5 does not consider the case of a NULL payload in     conjunction with a nonzero length value, which allows     local users to cause a denial of service (NULL pointer     dereference and OOPS) via a crafted add_key or keyctl     system call, a different vulnerability than     CVE-2017-12192.(CVE-2017-15274)

  - Linux kernel: heap out-of-bounds in AF_PACKET sockets.
    This new issue is analogous to previously disclosed     CVE-2016-8655. In both cases, a socket option that     changes socket state may race with safety checks in     packet_set_ring. Previously with PACKET_VERSION. This     time with PACKET_RESERVE. The solution is similar: lock     the socket for the update. This issue may be     exploitable, we did not investigate further. As this     issue affects PF_PACKET sockets, it requires     CAP_NET_RAW in the process namespace. But note that     with user namespaces enabled, any process can create a     namespace in which it has     CAP_NET_RAW.(CVE-2017-1000111)

  - Use-after-free vulnerability in the Linux kernel before     4.14-rc5 allows local users to have unspecified impact     via vectors related to /dev/snd/seq.(CVE-2017-15265)

  - net/packet/af_packet.c in the Linux kernel before     4.13.6 allows local users to gain privileges via     crafted system calls that trigger mishandling of     packet_fanout data structures, because of a race     condition (involving fanout_add and packet_do_bind)     that leads to a use-after-free, a different     vulnerability than CVE-2017-6346.(CVE-2017-15649)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux     kernel before 4.13.4 allows local users to obtain     sensitive information from uninitialized kernel     heap-memory locations via an SG_GET_REQUEST_TABLE ioctl     call for /dev/sg0.(CVE-2017-14991)

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root     privileges.(CVE-2017-1000112)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

stack buffer overflow in the native Bluetooth stack

A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251)

dereferencing NULL payload with nonzero length

A flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). (CVE-2017-15274)

xfs: unprivileged user kernel oops

A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic.(CVE-2017-14340)

Information leak in the scsi driver

The sg_ioctl() function in 'drivers/scsi/sg.c' in the Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for '/dev/sg0'.
(CVE-2017-14991)

kvm: nVMX: L2 guest could access hardware(L0) CR8 register

Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts. As L2 guest could access (r/w) hardware CR8 register of the host(L0). In a nested visualization setup, L2 guest user could use this flaw to potentially crash the host(L0) resulting in DoS. (CVE-2017-12154)

ID	Name	Product	Family	Severity
131209	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2019-4855)	Nessus	Oracle Linux Local Security Checks	medium
131175	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4854)	Nessus	Oracle Linux Local Security Checks	medium
129990	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4823)	Nessus	Oracle Linux Local Security Checks	medium
129986	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0047)	Nessus	OracleVM Local Security Checks	medium
124989	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1536)	Nessus	Huawei Local Security Checks	high
124822	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1499)	Nessus	Huawei Local Security Checks	medium
112113	Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3754-1)	Nessus	Ubuntu Local Security Checks	critical
104321	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3469-2)	Nessus	Ubuntu Local Security Checks	high
104320	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3469-1)	Nessus	Ubuntu Local Security Checks	high
104296	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)	Nessus	Huawei Local Security Checks	high
104180	Amazon Linux AMI : kernel (ALAS-2017-914) (BlueBorne)	Nessus	Amazon Linux Local Security Checks	high

CVE-2017-14991

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium

high

medium

critical

high

high

high

high