http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=340d394a789518018f834ff70f7534fc463d3226

102895

https://github.com/torvalds/linux/commit/340d394a789518018f834ff70f7534fc463d3226

USN-3655-1

USN-3655-2

https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.4

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The usbhid_parse function in     drivers/hid/usbhid/hid-core.c in the Linux kernel,     before 4.13.8, allows local users to cause a denial of     service (out-of-bounds read and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16533)

  - The cdc_parse_cdc_header() function in     'drivers/usb/core/message.c' in the Linux kernel,     before 4.13.6, allows local users to cause a denial of     service (out-of-bounds read and system crash) or     possibly have unspecified other impact via a crafted     USB device. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-16534)

  - The usb_get_bos_descriptor function in     drivers/usb/core/config.c in the Linux kernel can allow     a local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16535)

  - The cx231xx_usb_probe function in     drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux     kernel through 4.13.11 allows local users to cause a     denial of service (NULL pointer dereference and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16536)

  - The imon_probe function in drivers/media/rc/imon.c in     the Linux kernel through 4.13.11 allows local users to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via a crafted USB device.(CVE-2017-16537)

  - The drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux     kernel, through 4.13.11, allows local users to cause a     denial of service (general protection fault and system     crash) or possibly have unspecified other impact via a     crafted USB device, related to a missing warm-start     check and incorrect attach timing     (dm04_lme2510_frontend_attach versus     dm04_lme2510_tuner).(CVE-2017-16538)

  - The parse_hid_report_descriptor function in     drivers/input/tablet/gtco.c in the Linux kernel before     4.13.11 allows local users to cause a denial of service     (out-of-bounds read and system crash) or possibly have     unspecified other impact via a crafted USB     device.(CVE-2017-16643)

  - The hdpvr_probe function in     drivers/media/usb/hdpvr/hdpvr-core.c in the Linux     kernel through 4.13.11 allows local users to cause a     denial of service (improper error handling and system     crash) or possibly have unspecified other impact via a     crafted USB device.(CVE-2017-16644)

  - The ims_pcu_get_cdc_union_desc function in     drivers/input/misc/ims-pcu.c in the Linux kernel,     through 4.13.11, allows local users to cause a denial     of service (ims_pcu_parse_cdc_data out-of-bounds read     and system crash) or possibly have unspecified other     impact via a crafted USB device.(CVE-2017-16645)

  - The usbnet_generic_cdc_bind function in     drivers/net/usb/cdc_ether.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (divide-by-zero error and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16649)

  - The qmi_wwan_bind function in     drivers/net/usb/qmi_wwan.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (divide-by-zero error and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16650)

  - The Linux kernel is vulerable to a use-after-free flaw     when Transformation User configuration     interface(CONFIG_XFRM_USER) compile-time configuration     were enabled. This vulnerability occurs while closing a     xfrm netlink socket in xfrm_dump_policy_done. A     user/process could abuse this flaw to potentially     escalate their privileges on a system.(CVE-2017-16939)

  - The net/netfilter/nfnetlink_cthelper.c function in the     Linux kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for new, get, and del     operations. This allows local users to bypass intended     access restrictions because the nfnl_cthelper_list data     structure is shared across all net     namespaces.(CVE-2017-17448)

  - The __netlink_deliver_tap_skb function in     net/netlink/af_netlink.c in the Linux kernel, through     4.14.4, does not restrict observations of Netlink     messages to a single net namespace, when CONFIG_NLMON     is enabled. This allows local users to obtain sensitive     information by leveraging the CAP_NET_ADMIN capability     to sniff an nlmon interface for all Netlink activity on     the system.(CVE-2017-17449)

  - net/netfilter/xt_osf.c in the Linux kernel through     4.14.4 does not require the CAP_NET_ADMIN capability     for add_callback and remove_callback operations. This     allows local users to bypass intended access     restrictions because the xt_osf_fingers data structure     is shared across all network     namespaces.(CVE-2017-17450)

  - The usb_destroy_configuration() function, in     'drivers/usb/core/config.c' in the USB core subsystem,     in the Linux kernel through 4.14.5 does not consider     the maximum number of configurations and interfaces     before attempting to release resources. This allows     local users to cause a denial of service, due to     out-of-bounds write access, or possibly have     unspecified other impact via a crafted USB device. Due     to the nature of the flaw, privilege escalation cannot     be fully ruled out, although we believe it is     unlikely.(CVE-2017-17558)

  - The Salsa20 encryption algorithm in the Linux kernel,     before 4.14.8, does not correctly handle zero-length     inputs. This allows a local attacker the ability to use     the AF_ALG-based skcipher interface to cause a denial     of service (uninitialized-memory free and kernel crash)     or have an unspecified other impact by executing a     crafted sequence of system calls that use the     blkcipher_walk API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 are     vulnerable.(CVE-2017-17805)

  - The HMAC implementation (crypto/hmac.c) in the Linux     kernel, before 4.14.8, does not validate that the     underlying cryptographic hash algorithm is unkeyed.
    This allows a local attacker, able to use the     AF_ALG-based hash interface     (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash     algorithm (CONFIG_CRYPTO_SHA3), to cause a kernel stack     buffer overflow by executing a crafted sequence of     system calls that encounter a missing SHA-3     initialization.(CVE-2017-17806)

  - The KEYS subsystem in the Linux kernel omitted an     access-control check when writing a key to the current     task's default keyring, allowing a local user to bypass     security checks to the keyring. This compromises the     validity of the keyring for those who rely on     it.(CVE-2017-17807)

  - A flaw was found in the Linux kernel's implementation     of i8042 serial ports. An attacker could cause a kernel     panic if they are able to add and remove devices as the     module is loaded.(CVE-2017-18079)

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with     CAP_SYS_ADMIN capability) can directly perform the     ioctl operations for dm device creation and removal and     this would typically be outside the direct control of     the unprivileged attacker.(CVE-2017-18203)

  - The madvise_willneed function in the Linux kernel     allows local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping.(CVE-2017-18208)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The hid_input_field() function in     'drivers/hid/hid-core.c' in the Linux kernel before 4.6     allows physically proximate attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read) by connecting a     device.(CVE-2016-7915)

  - The Linux kernel, before version 4.14.2, is vulnerable     to a deadlock caused by     fs/ocfs2/file.c:ocfs2_setattr(), as the function does     not wait for DIO requests before locking the inode.
    This can be exploited by local users to cause a     subsequent denial of service.(CVE-2017-18204)

  - The vmw_gb_surface_define_ioctl function (accessible     via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel through 4.11.4 defines a backup_handle variable     but does not give it an initial value. If one attempts     to create a GB surface, with a previously allocated DMA     buffer to be used as a backup buffer, the backup_handle     variable does not get written to and is then later     returned to user space, allowing local users to obtain     sensitive information from uninitialized kernel memory     via a crafted ioctl call.(CVE-2017-9605)

  - Use-after-free vulnerability in the nfqnl_zcopy     function in net/netfilter/nfnetlink_queue_core.c in the     Linux kernel through 3.13.6 allows attackers to obtain     sensitive information from kernel memory by leveraging     the absence of a certain orphaning operation. NOTE: the     affected code was moved to the skb_zerocopy function in     net/core/skbuff.c before the vulnerability was     announced.(CVE-2014-2568)

  - It was found that the Linux kernel's ISO file system     implementation did not correctly limit the traversal of     Rock Ridge extension Continuation Entries (CE). An     attacker with physical access to the system could use     this flaw to trigger an infinite loop in the kernel,     resulting in a denial of service.(CVE-2014-9420)

  - An integer overflow vulnerability was found in the     ring_buffer_resize() calculations in which a privileged     user can adjust the size of the ringbuffer message     size. These calculations can create an issue where the     kernel memory allocator will not allocate the correct     count of pages yet expect them to be usable. This can     lead to the ftrace() output to appear to corrupt kernel     memory and possibly be used for privileged escalation     or more likely kernel panic.(CVE-2016-9754)

  - A symlink size validation was missing in Linux kernels     built with UDF file system (CONFIG_UDF_FS) support,     allowing the corruption of kernel memory. An attacker     able to mount a corrupted/malicious UDF file system     image could cause the kernel to crash.(CVE-2014-9730)

  - In was found that in the Linux kernel, in     vmw_surface_define_ioctl() function in     'drivers/gpu/drm/vmwgfx/vmwgfx_surface.c' file, a     'num_sizes' parameter is assigned a user-controlled     value which is not checked if it is zero. This is used     in a call to kmalloc() and later leads to dereferencing     ZERO_SIZE_PTR, which in turn leads to a GPF and     possibly to a kernel panic.(CVE-2017-7261)

  - A race condition flaw was found in the way the Linux     kernel keys management subsystem performed key garbage     collection. A local attacker could attempt accessing a     key while it was being garbage collected, which would     cause the system to crash.(CVE-2014-9529)

  - A flaw was found in the Linux kernel's implementation     of i8042 serial ports. An attacker could cause a kernel     panic if they are able to add and remove devices as the     module is loaded.(CVE-2017-18079)

  - drivers/hid/hid-pl.c in the Human Interface Device     (HID) subsystem in the Linux kernel through 3.11, when     CONFIG_HID_PANTHERLORD is enabled, allows physically     proximate attackers to cause a denial of service     (heap-based out-of-bounds write) via a crafted     device.(CVE-2013-2892)

  - The __clear_user function in     arch/arm64/lib/clear_user.S in the Linux kernel before     3.17.4 on the ARM64 platform allows local users to     cause a denial of service (system crash) by reading one     byte beyond a /dev/zero page boundary.(CVE-2014-7843)

  - A divide-by-zero vulnerability was found in a way the     kernel processes TCP connections. The error can occur     if a connection starts another cwnd reduction phase by     setting tp->prior_cwnd to the current cwnd (0) in     tcp_init_cwnd_reduction(). A remote, unauthenticated     attacker could use this flaw to crash the kernel     (denial of service).(CVE-2016-2070)

  - The adjust_branches function in kernel/bpf/verifier.c     in the Linux kernel before 4.5 does not consider the     delta in the backward-jump case, which allows local     users to obtain sensitive information from kernel     memory by creating a packet filter and then loading     crafted BPF instructions.(CVE-2016-2383)

  - System using the infiniband support module ib_srpt were     vulnerable to a denial of service by system crash by a     local attacker who is able to abort writes to a device     using this initiator.(CVE-2016-6327)

  - A security flaw was found in the Linux kernel in the     mark_source_chains() function in     'net/ipv4/netfilter/ip_tables.c'. It is possible for a     user-supplied 'ipt_entry' structure to have a large     'next_offset' field. This field is not bounds checked     prior to writing to a counter value at the supplied     offset.(CVE-2016-3134)

  - An out-of-bounds access issue was discovered in     yurex_read() in drivers/usb/misc/yurex.c in the Linux     kernel. A local attacker could use user access     read/writes with incorrect bounds checking in the yurex     USB driver to crash the kernel or potentially escalate     privileges.(CVE-2018-16276)

  - drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux     kernel before 4.5.3 allows local users to cause a     denial of service (kernel memory write operation) or     possibly have unspecified other impact via a crafted     number of planes in a VIDIOC_DQBUF ioctl     call.(CVE-2016-4568)

  - The usb_serial_console_disconnect function in     drivers/usb/serial/console.c in the Linux kernel,     before 4.13.8, allows local users to cause a denial of     service (use-after-free and system crash) or possibly     have unspecified other impact via a crafted USB device,     related to disconnection and failed     setup.(CVE-2017-16525)

  - The Linux kernel is vulnerable to a NULL pointer     dereference in the ext4/xattr.c:ext4_xattr_inode_hash()     function. An attacker could trick a legitimate user or     a privileged attacker could exploit this to cause a     NULL pointer dereference with a crafted ext4 image.
    (CVE-2018-1094)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - rds: congestion updates can be missed when kernel low on     memory (Mukesh Kacker) [Orabug: 28425811]

  - net/rds: ib: Fix endless RNR Retries caused by memory     allocation failures (Venkat Venkatsubra) [Orabug:
    28127993]

  - net: rds: fix excess initialization of the recv SGEs     (Zhu Yanjun) [Orabug: 29004503]

  - xhci: fix usb2 resume timing and races. (Mathias Nyman)     [Orabug: 29028940]

  - xhci: Fix a race in usb2 LPM resume, blocking U3 for     usb2 devices (Mathias Nyman) [Orabug: 29028940]

  - userfaultfd: check VM_MAYWRITE was set after verifying     the uffd is registered (Andrea Arcangeli) [Orabug:
    29163750] (CVE-2018-18397)

  - userfaultfd: shmem/hugetlbfs: only allow to register     VM_MAYWRITE vmas (Andrea Arcangeli) [Orabug: 29163750]     (CVE-2018-18397)

  - x86/apic/x2apic: set affinity of a single interrupt to     one cpu (Jianchao Wang) [Orabug: 29196396]

  - xen/blkback: rework validate_io_op (Dongli Zhang)     [Orabug: 29199843]

  - xen/blkback: optimize validate_io_op to filter     BLKIF_OP_RESERVED_1 operation (Dongli Zhang) [Orabug:
    29199843]

  - xen/blkback: do not BUG for invalid blkif_request from     frontend (Dongli Zhang) [Orabug: 29199843]

  - net/rds: WARNING: at net/rds/recv.c:222     rds_recv_hs_exthdrs+0xf8/0x1e0 (Venkat Venkatsubra)     [Orabug: 29201779]

  - xen-netback: wake up xenvif_dealloc_kthread when it     should stop (Dongli Zhang) [Orabug: 29217927]

  - Revert 'xfs: remove nonblocking mode from     xfs_vm_writepage' (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: remove xfs_cancel_ioend' (Wengang Wang)     [Orabug: 29279692]

  - Revert 'xfs: Introduce writeback context for writepages'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: xfs_cluster_write is redundant' (Wengang     Wang) [Orabug: 29279692]

  - Revert 'xfs: factor mapping out of xfs_do_writepage'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: don't chain ioends during writepage     submission' (Wengang Wang) [Orabug: 29279692]

  - mstflint: Fix coding style issues - left with     LINUX_VERSION_CODE (Idan Mehalel) [Orabug: 28878697]

  - mstflint: Fix coding-style issues (Idan Mehalel)     [Orabug: 28878697]

  - mstflint: Fix errors found with checkpatch script (Idan     Mehalel) [Orabug: 28878697]

  - Added support for 5th Gen devices in Secure Boot module     and mtcr (Adham Masarwah) [Orabug: 28878697]

  - Fix typos in mst_kernel (Adham Masarwah) [Orabug:
    28878697]

  - bnxt_en: Report PCIe link properties with     pcie_print_link_status (Brian Maly) [Orabug: 28942099]

  - selinux: Perform both commoncap and selinux xattr checks     (Eric W. Biederman) [Orabug: 28951521]

  - Introduce v3 namespaced file capabilities (Serge E.
    Hallyn) [Orabug: 28951521]

  - rds: ib: Use a delay when reconnecting to the very same     IP address (H&aring kon Bugge) [Orabug: 29138813]

  - Change mincore to count 'mapped' pages rather than     'cached' pages (Linus Torvalds) [Orabug: 29187415]     (CVE-2019-5489)

  - NFSD: Set the attributes used to store the verifier for     EXCLUSIVE4_1 (Kinglong Mee) [Orabug: 29204157]

  - ext4: update i_disksize when new eof exceeds it (Shan     Hai) [Orabug: 28940828]

  - ext4: update i_disksize if direct write past ondisk size     (Eryu Guan) [Orabug: 28940828]

  - ext4: protect i_disksize update by i_data_sem in direct     write path (Eryu Guan) [Orabug: 28940828]

  - ALSA: usb-audio: Fix UAF decrement if card has no live     interfaces in card.c (Hui Peng) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Replace probing flag with active     refcount (Takashi Iwai) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Avoid nested autoresume calls (Takashi     Iwai) [Orabug: 29042981] (CVE-2018-19824)

  - ext4: validate that metadata blocks do not overlap     superblock (Theodore Ts'o) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: update inline int ext4_has_metadata_csum(struct     super_block *sb) (John Donnelly) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: always initialize the crc32c checksum driver     (Theodore Ts'o) [Orabug: 29114440] (CVE-2018-1094)     (CVE-2018-1094)

  - Revert 'bnxt_en: Reduce default rings on multi-port     cards.' (Brian Maly) [Orabug: 28687746]

  - mlx4_core: Disable P_Key Violation Traps (H&aring kon     Bugge) [Orabug: 27693633]

  - rds: RDS connection does not reconnect after CQ access     violation error (Venkat Venkatsubra) [Orabug: 28733324]

  - KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL     (KarimAllah Ahmed) [Orabug: 28069548]

  - KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL -     reloaded (Mihai Carabas) [Orabug: 28069548]

  - KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548]

  - KVM: x86: pass host_initiated to functions that read     MSRs (Paolo Bonzini) [Orabug: 28069548]

  - KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug:
    28069548]

  - KVM: nVMX: fix msr bitmaps to prevent L2 from accessing     L0 x2APIC (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    28069548]

  - ocfs2: don't clear bh uptodate for block read (Junxiao     Bi) [Orabug: 28762940]

  - ocfs2: clear journal dirty flag after shutdown journal     (Junxiao Bi) [Orabug: 28924775]

  - ocfs2: fix panic due to unrecovered local alloc (Junxiao     Bi) [Orabug: 28924775]

  - net: rds: fix rds_ib_sysctl_max_recv_allocation error     (Zhu Yanjun) [Orabug: 28947481]

  - x86/speculation: Always disable IBRS in     disable_ibrs_and_friends (Alejandro Jimenez) [Orabug:
    29139710]

  - pinctrl: amd: Use devm_pinctrl_register for pinctrl     registration (Laxman Dewangan) [Orabug: 27539246]     (CVE-2017-18174)

  - mlock: fix mlock count can not decrease in race     condition (Yisheng Xie) [Orabug: 27677611]     (CVE-2017-18221)

  - perf/core: Fix the perf_cpu_time_max_percent check (Tan     Xiaojun) [Orabug: 27823815] (CVE-2017-18255)

  - x86/microcode/intel: Fix a wrong assignment of revision     in _save_mc (Zhenzhong Duan) [Orabug: 28190263]

  - mm: cma: fix incorrect type conversion for size during     dma allocation (Rohit Vaswani) [Orabug: 28407826]     (CVE-2017-9725)

  - x86/speculation: Make enhanced IBRS the default spectre     v2 mitigation (Alejandro Jimenez) [Orabug: 28474851]

  - x86/speculation: Enable enhanced IBRS usage (Alejandro     Jimenez) [Orabug: 28474851]

  - x86/speculation: functions for supporting enhanced IBRS     (Alejandro Jimenez) [Orabug: 28474851]

  - xen/blkback: fix disconnect while I/Os in flight     (Juergen Gross) [Orabug: 28744234]

  - mlx4_vnic: use the mlid while calling ib_detach_mcast     (aru kolappan) [Orabug: 29029705]

  - ext4: fail ext4_iget for root directory if unallocated     (Theodore Ts'o) [Orabug: 29048557] (CVE-2018-1092)     (CVE-2018-1092)

  - Bluetooth: hidp: buffer overflow in hidp_process_report     (Mark Salyzyn) [Orabug: 29121215] (CVE-2018-9363)     (CVE-2018-9363)

  - HID: debug: check length before copy_to_user (Daniel     Rosenberg) [Orabug: 29128165] (CVE-2018-9516)

  - x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug:
    29149888] (CVE-2018-7995)

  - Input: i8042 - fix crash at boot time (Chen Hong)     [Orabug: 29152328] (CVE-2017-18079)

  - base/memory, hotplug: fix a kernel oops in     show_valid_zones (Toshi Kani) [Orabug: 29050538]

  - mm/memory_hotplug.c: check start_pfn in     test_pages_in_a_zone (Toshi Kani) [Orabug: 29050538]

  - drivers/base/memory.c: prohibit offlining of memory     blocks with missing sections (Seth Jennings) [Orabug:
    29050538]

  - mm: Check if section present during memory block     (un)registering (Yinghai Lu) [Orabug: 29050538]

  - hugetlb: take PMD sharing into account when flushing     tlb/caches (Mike Kravetz) [Orabug: 28951854]

  - mm: migration: fix migration of huge PMD shared pages     (Mike Kravetz) [Orabug: 28951854]

  - hugetlbfs: use truncate mutex to prevent pmd sharing     race (Mike Kravetz) [Orabug: 28896255]

  - rds: ib: Improve tracing during failover/back     (H&aring kon Bugge) [Orabug: 28860366]

  - rds: ib: Remove superfluous add of address on fail-back     device (H&aring kon Bugge) [Orabug: 28860366]

  - libiscsi: Fix NULL pointer dereference in     iscsi_eh_session_reset (Fred Herard) [Orabug: 28946207]

  - wil6210: missing length check in wmi_set_ie (Lior David)     [Orabug: 28951265] (CVE-2018-5848)

  - netfilter: xt_osf: Add missing permission checks (Kevin     Cernekee) [Orabug: 29037831] (CVE-2017-17450)

  - x86/speculation: Fix bad argument to rdmsrl in     cpu_set_bug_bits (Alejandro Jimenez) [Orabug: 29044805]

Description of changes:

kernel-uek [3.8.13-118.29.1.el7uek]
- Copy secure_boot flag in boot params across kexec reboot (Dave Young) [Orabug: 22066352] {CVE-2015-7837}
- ipv6: tcp: add rcu locking in tcp_v6_send_synack() (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841}
- ipv6: add complete rcu protection around np->opt (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841}
- scsi: qla2xxx: Fix an integer overflow in sysfs code (Dan Carpenter) [Orabug: 28220420] {CVE-2017-14051}
- ext4: fail ext4_iget for root directory if unallocated (Theodore Ts'o) [Orabug: 28220433] {CVE-2018-1092} {CVE-2018-1092}
- certs: Add Oracle's new X509 cert into the kernel keyring (Eric Snowberg) [Orabug: 28926205] - ALSA: seq: Fix regression by incorrect ioctl_mutex usages (Takashi Iwai) [Orabug: 29005190] {CVE-2018-1000004}
- netfilter: xt_osf: Add missing permission checks (Kevin Cernekee) [Orabug: 29037832] {CVE-2017-17450}
- wil6210: missing length check in wmi_set_ie (Lior David) [Orabug: 29060697] {CVE-2018-5848}
- HID: debug: check length before copy_to_user() (Daniel Rosenberg) [Orabug: 29128167] {CVE-2018-9516}
- x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug: 29152249] {CVE-2018-7995}
- Input: i8042 - fix crash at boot time (Chen Hong) [Orabug: 29152329] {CVE-2017-18079}

Description of changes:

[4.1.12-124.24.1.el7uek]
- pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration (Laxman Dewangan)  [Orabug: 27539246]  {CVE-2017-18174}
- mlock: fix mlock count can not decrease in race condition (Yisheng Xie)  [Orabug: 27677611]  {CVE-2017-18221}
- perf/core: Fix the perf_cpu_time_max_percent check (Tan Xiaojun) [Orabug: 27823815]  {CVE-2017-18255}
- x86/microcode/intel: Fix a wrong assignment of revision in _save_mc (Zhenzhong Duan)  [Orabug: 28190263] - mm: cma: fix incorrect type conversion for size during dma allocation (Rohit Vaswani)  [Orabug: 28407826]  {CVE-2017-9725}
- x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez)  [Orabug: 28474851] - xen/blkback: fix disconnect while I/Os in flight (Juergen Gross)  [Orabug: 28744234] - mlx4_vnic: use the mlid while calling ib_detach_mcast (aru kolappan)  [Orabug: 29029705] - ext4: fail ext4_iget for root directory if unallocated (Theodore Ts'o) [Orabug: 29048557]  {CVE-2018-1092} {CVE-2018-1092}
- Bluetooth: hidp: buffer overflow in hidp_process_report (Mark Salyzyn)   [Orabug: 29121215]  {CVE-2018-9363} {CVE-2018-9363}
- HID: debug: check length before copy_to_user() (Daniel Rosenberg) [Orabug: 29128165]  {CVE-2018-9516}
- x86/MCE: Serialize sysfs changes (Seunghun Han)  [Orabug: 29149888] {CVE-2018-7995}
- Input: i8042 - fix crash at boot time (Chen Hong)  [Orabug: 29152328] {CVE-2017-18079}

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A use-after-free vulnerability was found in network     namespaces code affecting the Linux kernel before     4.14.11. The function get_net_ns_by_id() in     net/core/net_namespace.c does not check for the     net::count value after it has found a peer network in     netns_ids idr, which could lead to double free and     memory corruption. This vulnerability could allow an     unprivileged local user to induce kernel memory     corruption on the system, leading to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out, although it is thought to be     unlikely.(CVE-2017-15129)

  - The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel before     4.11, and 4.9.x before 4.9.36, allows remote attackers     to cause a denial of service (use-after-free and memory     corruption) or possibly have unspecified other impact     by leveraging the presence of xt_TCPMSS in an iptables     action.(CVE-2017-18017)

  - A flaw was found in the upstream kernel Skcipher     component. This vulnerability affects the     skcipher_recvmsg function of the component Skcipher.
    The manipulation with an unknown input leads to a     privilege escalation vulnerability.(CVE-2017-13215)

  - In the Linux kernel through 4.14.13, the     rds_message_alloc_sgs() function does not validate a     value that is used during DMA page allocation, leading     to a heap-based out-of-bounds write (related to the     rds_rdma_extra_size() function in 'net/rds/rdma.c') and     thus to a system panic. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-5332)

  - In the Linux kernel through 4.14.13, the     rds_cmsg_atomic() function in 'net/rds/rdma.c'     mishandles cases where page pinning fails or an invalid     address is supplied by a user. This can lead to a NULL     pointer dereference in rds_atomic_free_op() and thus to     a system panic.(CVE-2018-5333)

  - drivers/input/serio/i8042.c in the Linux kernel before     4.12.4 allows attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact because the port->exists     value can change after it is validated.(CVE-2017-18079)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639)

Jan H. Schonherr discovered that the Xen subsystem did not properly handle block IO merges correctly in some situations. An attacker in a guest vm could use this to cause a denial of service (host crash) or possibly gain administrative privileges in the host. (CVE-2017-12134)

It was discovered that the Bluetooth HIP Protocol implementation in the Linux kernel did not properly validate HID connection setup information. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-13220)

It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory).
(CVE-2017-13305)

It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449)

It was discovered that a race condition existed in the i8042 serial device driver implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18079)

It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203)

It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204)

It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang).
(CVE-2017-18208)

Kefeng Wang discovered that a race condition existed in the memory locking implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18221)

Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In the Linux kernel 4.12, 3.10, 2.6 and possibly     earlier versions a race condition vulnerability exists     in the sound system, this can lead to a deadlock and     denial of service condition.(CVE-2018-1000004)

  - drivers/input/serio/i8042.c in the Linux kernel before     4.12.4 allows attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact because the port->exists     value can change after it is validated.(CVE-2017-18079)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c     in the Linux kernel through 4.14.15 allows local users     to obtain sensitive address information by reading     dmesg data from an SBS HC printk call.(CVE-2018-5750)

  - The futex_requeue function in kernel/futex.c in the     Linux kernel, before 4.14.15, might allow attackers to     cause a denial of service (integer overflow) or     possibly have unspecified other impacts by triggering a     negative wake or requeue value. Due to the nature of     the flaw, privilege escalation cannot be fully ruled     out, although we believe it is unlikely.(CVE-2018-6927)

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with     CAP_SYS_ADMIN capability) can directly perform the     ioctl operations for dm device creation and removal and     this would typically be outside the direct control of     the unprivileged attacker.(CVE-2017-18203)

  - The madvise_willneed function in the Linux kernel     allows local users to cause a denial of service     (infinite loop) by triggering use of MADVISE_WILLNEED     for a DAX mapping.(CVE-2017-18208)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-5715: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis (bnc#1068032). The previous fix using CPU     Microcode has been complemented by building the Linux     Kernel with return trampolines aka 'retpolines'.

  - CVE-2018-5332: In the Linux kernel the     rds_message_alloc_sgs() function did not validate a     value that is used during DMA page allocation, leading     to a heap-based out-of-bounds write (related to the     rds_rdma_extra_size function in net/rds/rdma.c)     (bnc#1075621).

  - CVE-2018-5333: In the Linux kernel the rds_cmsg_atomic     function in net/rds/rdma.c mishandled cases where page     pinning fails or an invalid address is supplied, leading     to an rds_atomic_free_op NULL pointer dereference     (bnc#1075617).

  - CVE-2017-18017: The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel allowed     remote attackers to cause a denial of service     (use-after-free and memory corruption) or possibly have     unspecified other impact by leveraging the presence of     xt_TCPMSS in an iptables action (bnc#1074488).

  - CVE-2017-18079: drivers/input/serio/i8042.c in the Linux     kernel allowed attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact because the port->exists     value can change after it is validated (bnc#1077922).

  - CVE-2017-17741: The KVM implementation in the Linux     kernel allowed attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and include/trace/events/kvm.h     (bnc#1073311).

  - CVE-2017-13215: A elevation of privilege vulnerability     in the Upstream kernel skcipher. (bnc#1075908).

  - CVE-2018-1000004: In the Linux kernel a race condition     vulnerability exists in the sound system, this can lead     to a deadlock and denial of service condition     (bnc#1076017).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-5715: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis (bnc#1068032). The previous fix using CPU     Microcode has been complemented by building the Linux     Kernel with return trampolines aka 'retpolines'.

  - CVE-2018-5332: In the Linux kernel the     rds_message_alloc_sgs() function did not validate a     value that is used during DMA page allocation, leading     to a heap-based out-of-bounds write (related to the     rds_rdma_extra_size function in net/rds/rdma.c)     (bnc#1075621).

  - CVE-2018-5333: In the Linux kernel the rds_cmsg_atomic     function in net/rds/rdma.c mishandled cases where page     pinning fails or an invalid address is supplied, leading     to an rds_atomic_free_op NULL pointer dereference     (bnc#1075617).

  - CVE-2017-18017: The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel allowed     remote attackers to cause a denial of service     (use-after-free and memory corruption) or possibly have     unspecified other impact by leveraging the presence of     xt_TCPMSS in an iptables action (bnc#1074488).

  - CVE-2017-18079: drivers/input/serio/i8042.c in the Linux     kernel allowed attackers to cause a denial of service     (NULL pointer dereference and system crash) or possibly     have unspecified other impact because the port->exists     value can change after it is validated (bnc#1077922).

  - CVE-2015-1142857: On multiple SR-IOV cars it is possible     for VF's assigned to guests to send ethernet flow     control pause frames via the PF. (bnc#1077355).

  - CVE-2017-17741: The KVM implementation in the Linux     kernel allowed attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and include/trace/events/kvm.h     (bnc#1073311).

  - CVE-2017-13215: A elevation of privilege vulnerability     in the Upstream kernel skcipher. (bnc#1075908).

  - CVE-2018-1000004: In the Linux kernel a race condition     vulnerability existed in the sound system, this can lead     to a deadlock and denial of service condition     (bnc#1076017).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-5715: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis (bnc#1068032). The previous fix using CPU     Microcode has been complemented by building the Linux     Kernel with return trampolines aka 'retpolines'.

  - CVE-2017-18079: drivers/input/serio/i8042.c allowed     attackers to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact because the port->exists value     can change after it is validated (bnc#1077922).

  - CVE-2015-1142857: Prevent guests from sending ethernet     flow control pause frames via the PF (bnc#1077355).

  - CVE-2017-17741: KVM allowed attackers to obtain     potentially sensitive information from kernel memory,     aka a write_mmio stack-based out-of-bounds read     (bnc#1073311).

  - CVE-2017-13215: Prevent elevation of privilege     (bnc#1075908).

  - CVE-2018-1000004: Prevent race condition in the sound     system, this could have lead a deadlock and denial of     service condition (bnc#1076017).

  - CVE-2017-17806: The HMAC implementation did not validate     that the underlying cryptographic hash algorithm is     unkeyed, allowing a local attacker able to use the     AF_ALG-based hash interface     (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash     algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel     stack-based buffer overflow by executing a crafted     sequence of system calls that encounter a missing SHA-3     initialization (bnc#1073874).

  - CVE-2017-17805: The Salsa20 encryption algorithm did not     correctly handle zero-length inputs, allowing a local     attacker able to use the AF_ALG-based skcipher interface     (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of     service (uninitialized-memory free and kernel crash) or     have unspecified other impact by executing a crafted     sequence of system calls that use the blkcipher_walk     API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were     vulnerable (bnc#1073792).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed :

  - CVE-2017-5715: Systems with microprocessors utilizing     speculative execution and indirect branch prediction may     allow unauthorized disclosure of information to an     attacker with local user access via a side-channel     analysis (bnc#1068032). The previous fix using CPU     Microcode has been complemented by building the Linux     Kernel with return trampolines aka 'retpolines'.

  - CVE-2017-18079: drivers/input/serio/i8042.c allowed     attackers to cause a denial of service (NULL pointer     dereference and system crash) or possibly have     unspecified other impact because the port->exists value     can change after it is validated (bnc#1077922)

  - CVE-2015-1142857: Prevent guests from sending ethernet     flow control pause frames via the PF (bnc#1077355)

  - CVE-2017-17741: KVM allowed attackers to obtain     potentially sensitive information from kernel memory,     aka a write_mmio stack-based out-of-bounds read     (bnc#1073311)

  - CVE-2017-13215: Prevent elevation of privilege     (bnc#1075908)

  - CVE-2018-1000004: Prevent race condition in the sound     system, this could have lead a deadlock and denial of     service condition (bnc#1076017)

  - CVE-2017-17806: The HMAC implementation did not validate     that the underlying cryptographic hash algorithm is     unkeyed, allowing a local attacker able to use the     AF_ALG-based hash interface     (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash     algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel     stack-based buffer overflow by executing a crafted     sequence of system calls that encounter a missing SHA-3     initialization (bnc#1073874)

  - CVE-2017-17805: The Salsa20 encryption algorithm did not     correctly handle zero-length inputs, allowing a local     attacker able to use the AF_ALG-based skcipher interface     (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of     service (uninitialized-memory free and kernel crash) or     have unspecified other impact by executing a crafted     sequence of system calls that use the blkcipher_walk     API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 were     vulnerable (bnc#1073792)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124824	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1501)	Nessus	Huawei Local Security Checks	high
124796	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1472)	Nessus	Huawei Local Security Checks	high
121605	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0002)	Nessus	OracleVM Local Security Checks	high
120977	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4316)	Nessus	Oracle Linux Local Security Checks	high
120976	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4315)	Nessus	Oracle Linux Local Security Checks	high
117543	EulerOS Virtualization 2.5.0 : kernel (EulerOS-SA-2018-1234)	Nessus	Huawei Local Security Checks	critical
110050	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3655-1) (Spectre)	Nessus	Ubuntu Local Security Checks	high
108458	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1054)	Nessus	Huawei Local Security Checks	high
108279	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0660-1) (Spectre)	Nessus	SuSE Local Security Checks	critical
107055	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:0555-1) (Meltdown) (Spectre)	Nessus	SuSE Local Security Checks	critical
106967	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0525-1) (Spectre)	Nessus	SuSE Local Security Checks	high
106815	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0437-1) (Spectre)	Nessus	SuSE Local Security Checks	high

CVE-2017-18079

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins