http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=06bd3c36a733ac27962fea7d6f47168841376824

http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.2

http://www.openwall.com/lists/oss-security/2017/05/15/2

98491

https://bugzilla.redhat.com/show_bug.cgi?id=1450261

https://github.com/torvalds/linux/commit/06bd3c36a733ac27962fea7d6f47168841376824

https://source.android.com/security/bulletin/2017-09-01

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4823 advisory.

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain     sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl     call for /dev/sg0. (CVE-2017-14991)

  - fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-     flushing-before-commit list, which allows local users to obtain sensitive information from other users'     files in opportunistic circumstances by waiting for a hardware reset, creating a new file, making write     system calls, and reading this file. (CVE-2017-7495)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE     (Hannes Reinecke) [Orabug: 26941755] (CVE-2017-14991)

  - failover: allow name change on IFF_UP slave interfaces     (Si-Wei Liu) 

  - Revert 'net_failover: delay taking over primary device     to accommodate udevd renaming' (Si-Wei Liu) [Orabug:
    29707258]

  - build: Revert 'repairing out-of-tree build     functionality' (Todd Vierling) [Orabug: 30257829]

  - rds: add ibmr to busy_list in flush code path (Manjunath     Patil)

  - rds: fix uninteneded increase of     rds_rdma:pool->max_items_soft (Manjunath Patil)

  - ext4: fix data exposure after a crash (Jan Kara)     [Orabug: 30361860] (CVE-2017-7495)

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in the Linux kernel where the     keyctl_set_reqkey_keyring() function leaks the thread     keyring. This allows an unprivileged local user to     exhaust kernel memory and thus cause a     DoS.(CVE-2017-7472)

  - A reference counter leak in Linux kernel in     ipxitf_ioctl function was found which results in a use     after free vulnerability that's triggerable from     unprivileged userspace when IPX interface is     configured.(CVE-2017-7487)

  - A vulnerability was found in the Linux kernel where     filesystems mounted with data=ordered mode may allow an     attacker to read stale data from recently allocated     blocks in new files after a system 'reset' by abusing     ext4 mechanics of delayed allocation.(CVE-2017-7495)

  - A race condition was found in the Linux kernel, present     since v3.14-rc1 through v4.12. The race happens between     threads of inotify_handle_event() and vfs_rename()     while running the rename operation against the same     file. As a result of the race the next slab data or the     slab's free list pointer can be corrupted with     attacker-controlled data, which may lead to the     privilege escalation.(CVE-2017-7533)

  - Kernel memory corruption due to a buffer overflow was     found in brcmf_cfg80211_mgmt_tx() function in Linux     kernels from v3.9-rc1 to v4.13-rc1. The vulnerability     can be triggered by sending a crafted NL80211_CMD_FRAME     packet via netlink. This flaw is unlikely to be     triggered remotely as certain userspace code is needed     for this. An unprivileged local user could use this     flaw to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out,     although it is unlikely.(CVE-2017-7541)

  - An integer overflow vulnerability in     ip6_find_1stfragopt() function was found. A local     attacker that has privileges (of CAP_NET_RAW) to open     raw socket can cause an infinite loop inside the     ip6_find_1stfragopt() function.(CVE-2017-7542)

  - Incorrect error handling in the set_mempolicy() and     mbind() compat syscalls in 'mm/mempolicy.c' in the     Linux kernel allows local users to obtain sensitive     information from uninitialized stack data by triggering     failure of a certain bitmap operation.(CVE-2017-7616)

  - The NFS2/3 RPC client could send long arguments to the     NFS server. These encoded arguments are stored in an     array of memory pages, and accessed using pointer     variables. Arbitrarily long arguments could make these     pointers point outside the array and cause an     out-of-bounds memory access. A remote user or program     could use this flaw to crash the kernel, resulting in     denial of service.(CVE-2017-7645)

  - The NFSv2 and NFSv3 server implementations in the Linux     kernel through 4.10.13 lacked certain checks for the     end of a buffer. A remote attacker could trigger a     pointer-arithmetic error or possibly cause other     unspecified impacts using crafted requests related to     fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.(CVE-2017-7895)

  - It was found that the NFSv4 server in the Linux kernel     did not properly validate layout type when processing     NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A     remote attacker could use this flaw to soft-lockup the     system and thus cause denial of service.(CVE-2017-8797)

  - A use-after-free vulnerability was found in DCCP socket     code affecting the Linux kernel since 2.6.16. This     vulnerability could allow an attacker to their escalate     privileges.(CVE-2017-8824)

  - The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     allows attackers to cause a denial of service (double     free) or possibly have unspecified other impact by     leveraging use of the accept system call. An     unprivileged local user could use this flaw to induce     kernel memory corruption on the system, leading to a     crash. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.(CVE-2017-8890)

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel allows     local users to obtain sensitive information (in the     dmesg ringbuffer and syslog) from uninitialized kernel     memory by using a crafted USB device (posing as an     io_ti USB serial device) to trigger an integer     underflow.(CVE-2017-8924)

  - The IPv6 fragmentation implementation in the Linux     kernel does not consider that the nexthdr field may be     associated with an invalid option, which allows local     users to cause a denial of service (out-of-bounds read     and BUG) or possibly have unspecified other impact via     crafted socket and send system calls. Due to the nature     of the flaw, privilege escalation cannot be fully ruled     out, although we believe it is unlikely.(CVE-2017-9074)

  - The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9075)

  - The IPv6 DCCP implementation in the Linux kernel     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9076)

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel mishandles     inheritance, which allows local users to cause a denial     of service or possibly have unspecified other impact     via crafted system calls, a related issue to     CVE-2017-8890. An unprivileged local user could use     this flaw to induce kernel memory corruption on the     system, leading to a crash. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2017-9077)

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.(CVE-2017-9242)

  - The vmw_gb_surface_define_ioctl function (accessible     via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel through 4.11.4 defines a backup_handle variable     but does not give it an initial value. If one attempts     to create a GB surface, with a previously allocated DMA     buffer to be used as a backup buffer, the backup_handle     variable does not get written to and is then later     returned to user space, allowing local users to obtain     sensitive information from uninitialized kernel memory     via a crafted ioctl call.(CVE-2017-9605)

  - In the Linux kernel versions 4.12, 3.10, 2.6, and     possibly earlier, a race condition vulnerability exists     in the sound system allowing for a potential deadlock     and memory corruption due to use-after-free condition     and thus denial of service. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.(CVE-2018-1000004)

  - The code in the drivers/scsi/libsas/sas_scsi_host.c     file in the Linux kernel allow a physically proximate     attacker to cause a memory leak in the ATA command     queue and, thus, denial of service by triggering     certain failure conditions.(CVE-2018-10021)

  - The kernel_wait4 function in kernel/exit.c in the Linux     kernel, when an unspecified architecture and compiler     is used, might allow local users to cause a denial of     service by triggering an attempted use of the -INT_MIN     value.(CVE-2018-10087)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - It was found that the parse_rock_ridge_inode_internal()     function of the Linux kernel's ISOFS implementation did     not correctly check relocated directories when     processing Rock Ridge child link (CL) tags. An attacker     with physical access to the system could use a     specially crafted ISO image to crash the system or,     potentially, escalate their privileges on the     system.(CVE-2014-5472i1/4%0

  - An issue was discovered in the Linux kernel's F2FS     filesystem code. An out-of-bounds access vulnerability     is possible the in __remove_dirty_segment() in     fs/f2fs/segment.c function when mounting a crafted f2fs     image.(CVE-2018-14614i1/4%0

  - Race condition in kernel/events/core.c in the Linux     kernel before 4.4 allows local users to gain privileges     or cause a denial of service via use-after-free     vulnerability by leveraging incorrect handling of an     swevent data structure during a CPU unplug     operation.(CVE-2015-8963i1/4%0

  - The skbs processed by ip_cmsg_recv() are not guaranteed     to be linear (e.g. when sending UDP packets over     loopback with MSGMORE). Using csum_partial() on     potentially the whole skb len is dangerous instead be     on the safe side and use skb_checksum(). This may lead     to an infoleak as the kernel memory may be checksummed     and sent as part of the packet.(CVE-2017-6347i1/4%0

  - The apic_get_tmcct function in arch/x86/kvm/lapic.c in     the KVM subsystem in the Linux kernel through 3.12.5     allows guest OS users to cause a denial of service     (divide-by-zero error and host OS crash) via crafted     modifications of the TMICT value.(CVE-2013-6367i1/4%0

  - A use-after-free issue was found in the way the Linux     kernel's KVM hypervisor processed posted interrupts     when nested(=1) virtualization is enabled. In     nested_get_vmcs12_pages(), in case of an error while     processing posted interrupt address, it unmaps the     'pi_desc_page' without resetting 'pi_desc' descriptor     address, which is later used in pi_test_and_clear_on().
    A guest user/process could use this flaw to crash the     host kernel resulting in DoS or potentially gain     privileged access to a system.(CVE-2018-16882i1/4%0

  - It was discovered that the atl2_probe() function in the     Atheros L2 Ethernet driver in the Linux kernel     incorrectly enabled scatter/gather I/O. A remote     attacker could use this flaw to obtain potentially     sensitive information from the kernel     memory.(CVE-2016-2117i1/4%0

  - A flaw was found in the way the nft_flush_table()     function of the Linux kernel's netfilter tables     implementation flushed rules that were referencing     deleted chains. A local user who has the CAP_NET_ADMIN     capability could use this flaw to crash the     system.(CVE-2015-1573i1/4%0

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186i1/4%0

  - It was found that KVM's Write to Model Specific     Register (WRMSR) instruction emulation would write     non-canonical values passed in by the guest to certain     MSRs in the host's context. A privileged guest user     could use this flaw to crash the host.(CVE-2014-3610i1/4%0

  - The BPF_S_ANC_NLATTR_NEST extension implementation in     the sk_run_filter function in net/core/filter.c in the     Linux kernel through 3.14.3 uses the reverse order in a     certain subtraction, which allows local users to cause     a denial of service (over-read and system crash) via     crafted BPF instructions. NOTE: the affected code was     moved to the __skb_get_nlattr_nest function before the     vulnerability was announced.(CVE-2014-3145i1/4%0

  - The yam_ioctl function in drivers/net/hamradio/yam.c in     the Linux kernel before 3.12.8 does not initialize a     certain structure member, which allows local users to     obtain sensitive information from kernel memory by     leveraging the CAP_NET_ADMIN capability for an     SIOCYAMGCFG ioctl call.(CVE-2014-1446i1/4%0

  - A race condition flaw was found in the N_HLDC Linux     kernel driver when accessing n_hdlc.tbuf list that can     lead to double free. A local, unprivileged user able to     set the HDLC line discipline on the tty device could     use this flaw to increase their privileges on the     system.(CVE-2017-2636i1/4%0

  - A flaw was found in the way Linux kernel's Transparent     Huge Pages (THP) implementation handled non-huge page     migration. A local, unprivileged user could use this     flaw to crash the kernel by migrating transparent     hugepages.(CVE-2014-3940i1/4%0

  - A security flaw was found in the     chap_server_compute_md5() function in the ISCSI target     code in the Linux kernel in a way an authentication     request from an ISCSI initiator is processed. An     unauthenticated remote attacker can cause a stack     buffer overflow and smash up to 17 bytes of the stack.
    The attack requires the iSCSI target to be enabled on     the victim host. Depending on how the target's code was     built (i.e. depending on a compiler, compile flags and     hardware architecture) an attack may lead to a system     crash and thus to a denial of service or possibly to a     non-authorized access to data exported by an iSCSI     target. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is highly unlikely.(CVE-2018-14633i1/4%0

  - A vulnerability was found in the Linux kernel where     filesystems mounted with data=ordered mode may allow an     attacker to read stale data from recently allocated     blocks in new files after a system 'reset' by abusing     ext4 mechanics of delayed allocation.(CVE-2017-7495i1/4%0

  - drivers/media/platform/msm/broadcast/tsc.c in the TSC     driver for the Linux kernel 3.x, as used in Qualcomm     Innovation Center (QuIC) Android contributions for MSM     devices and other products, allows attackers to cause a     denial of service (invalid pointer dereference) or     possibly have unspecified other impact via a crafted     application that makes a TSC_GET_CARD_STATUS ioctl     call.(CVE-2015-0573i1/4%0

  - It was found that the unlink and rename functionality     in overlayfs did not verify the upper dentry for     staleness. A local, unprivileged user could use the     rename syscall on overlayfs on top of xfs to panic or     crash the system.(CVE-2016-6197i1/4%0

  - In net/socket.c in the Linux kernel through 4.17.1,     there is a race condition between fchownat and close in     cases where they target the same socket file     descriptor, related to the sock_close and     sockfs_setattr functions. fchownat does not increment     the file descriptor reference count, which allows close     to set the socket to NULL during fchownat's execution,     leading to a NULL pointer dereference and system     crash.(CVE-2018-12232i1/4%0

  - The ath9k_htc_set_bssid_mask function in     drivers/net/wireless/ath/ath9k/htc_drv_main.c in the     Linux kernel through 3.12 uses a BSSID masking approach     to determine the set of MAC addresses on which a Wi-Fi     device is listening, which allows remote attackers to     discover the original MAC address after spoofing by     sending a series of packets to MAC addresses with     certain bit manipulations.(CVE-2013-4579i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation.
(CVE-2017-7533, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

CVE-2017-8797 CVE-2015-8839 CVE-2016-9576 CVE-2016-7042 CVE-2016-7097 CVE-2016-8645 CVE-2016-9576 CVE-2016-9806 CVE-2016-10088 CVE-2017-2671 CVE-2017-5970 CVE-2017-6001 CVE-2017-6951 CVE-2017-7187 CVE-2017-7889 CVE-2017-8890 CVE-2017-9074 CVE-2017-8890 CVE-2017-9075 CVE-2017-8890 CVE-2017-9076 CVE-2017-8890 CVE-2017-9077 CVE-2016-9604 CVE-2016-9685

Documentation for these issues are available from the Technical Notes document linked to in the References section.

Red Hat would like to thank Leilei Lin (Alibaba Group), Fan Wu (The University of Hong Kong), and Shixiong Zhao (The University of Hong Kong) for reporting CVE-2017-7533 and Marco Grassi for reporting CVE-2016-8645. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-9604 issue was discovered by David Howells (Red Hat); and the CVE-2016-9685 issue was discovered by Qian Cai (Red Hat).

It was discovered that an out of bounds read vulnerability existed in the associative array implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2016-7914)

It was discovered that a NULL pointer dereference existed in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-7261)

It was discovered that the USB Cypress HID drivers for the Linux kernel did not properly validate reported information from the device.
An attacker with physical access could use this to expose sensitive information (kernel memory). (CVE-2017-7273)

A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems. (CVE-2017-7487)

Huang Weller discovered that the ext4 filesystem implementation in the Linux kernel mishandled a needs-flushing-before-commit list. A local attacker could use this to expose sensitive information.
(CVE-2017-7495)

It was discovered that an information leak existed in the set_mempolicy and mbind compat syscalls in the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-7616).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3405-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)

Huang Weller discovered that the ext4 filesystem implementation in the Linux kernel mishandled a needs-flushing-before-commit list. A local attacker could use this to expose sensitive information.
(CVE-2017-7495)

It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541)

It was discovered that the Linux kernel did not honor the UEFI secure boot mode when performing a kexec operation. A local attacker could use this to bypass secure boot restrictions. (CVE-2015-7837).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)

Huang Weller discovered that the ext4 filesystem implementation in the Linux kernel mishandled a needs-flushing-before-commit list. A local attacker could use this to expose sensitive information.
(CVE-2017-7495)

It was discovered that a buffer overflow existed in the Broadcom FullMAC WLAN driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-7541)

It was discovered that the Linux kernel did not honor the UEFI secure boot mode when performing a kexec operation. A local attacker could use this to bypass secure boot restrictions. (CVE-2015-7837).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-1842 advisory.

  - The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the     CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which     allows local users to cause a denial of service (loss of writability) by making certain unshare system     calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call. (CVE-2014-7975)

  - The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU     Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout     data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading     the /proc/keys file. (CVE-2016-7042)

  - Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3     allows local users to cause a denial of service (double free) or possibly have unspecified other impact     via a crafted application that makes sendmsg system calls, leading to a free operation associated with a     new dump that started earlier than anticipated. (CVE-2016-9806)

  - The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly     restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory     locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.
    (CVE-2016-9576)

  - The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in     situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary     kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg     device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-9576. (CVE-2016-10088)

  - The filesystem implementation in the Linux kernel through 4.8.2 preserves the setgid bit during a setxattr     call, which allows local users to gain group privileges by leveraging the existence of a setgid program     with restrictions on execute permissions. (CVE-2016-7097)

  - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through 4.10.4 allows local users to cause     a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a large     command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write     function. (CVE-2017-7187)

  - crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL     pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as     demonstrated by mcryptd(md5). (CVE-2016-10147)

  - arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows     guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by     an L2 guest. (CVE-2016-9588)

  - The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux kernel through 4.9.8 improperly     emulates the VMXON instruction, which allows KVM L1 guest OS users to cause a denial of service (host OS     memory consumption) by leveraging the mishandling of page references. (CVE-2017-2596)

  - The TCP stack in the Linux kernel before 4.8.10 mishandles skb truncation, which allows local users to     cause a denial of service (system crash) via a crafted application that makes sendto system calls, related     to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c. (CVE-2016-8645)

  - The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows     attackers to cause a denial of service (system crash) via (1) an application that makes crafted system     calls or possibly (2) IPv4 traffic with invalid IP options. (CVE-2017-5970)

  - Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain     privileges via a crafted application that makes concurrent perf_event_open system calls for moving a     software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for     CVE-2016-6786. (CVE-2017-6001)

  - The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial     of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain     match field, related to the keyring_search_iterator function in keyring.c. (CVE-2017-2647)

  - The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15     allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by     leveraging use of the accept system call. (CVE-2017-8890)

  - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9077)

  - The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly     interact with certain locations of a chroot directory, which allows local users to cause a denial of     service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.
    (CVE-2014-7970)

  - crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been     performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause     a denial of service (NULL pointer dereference and system crash) via a crafted application that does not     supply a key, related to the lrw_crypt function in crypto/lrw.c. (CVE-2015-8970)

  - Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users     to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls     without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c     and net/l2tp/l2tp_ip6.c. (CVE-2016-10200)

  - fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount     namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via     MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of     mounts. (CVE-2016-6213)

  - It was discovered in the Linux kernel before 4.11-rc8 that root can gain direct access to an internal     keyring, such as '.dns_resolver' in RHEL-7 or '.builtin_trusted_keys' upstream, by joining it as its     session keyring. This allows root to bypass module signature verification by adding a new public key of     its own devising to the keyring. (CVE-2016-9604)

  - The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a     certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local     users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a     socket system call. (CVE-2017-2671)

  - The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows     local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call     for the dead type. (CVE-2017-6951)

  - Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux     kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by     triggering failure of a certain bitmap operation. (CVE-2017-7616)

  - The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM     protection mechanism, which allows local users to read or write to kernel memory locations in the first     megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file,     related to arch/x86/mm/init.c and drivers/char/mem.c. (CVE-2017-7889)

  - The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the     nexthdr field may be associated with an invalid option, which allows local users to cause a denial of     service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send     system calls. (CVE-2017-9074)

  - The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9076)

  - The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure may occur, which allows local users to cause a     denial of service (system crash) via crafted system calls. (CVE-2017-9242)

  - Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local     users to cause a denial of service (disk corruption) by writing to a page that is associated with a     different user's file after unsynchronized hole punching and page-fault handling. (CVE-2015-8839)

  - Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow     local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.
    (CVE-2016-9685)

  - The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when     processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This     type value is uninitialized upon encountering certain error conditions. This value is used as an array     index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the     whole system. (CVE-2017-8797)

  - The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9075)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system.
(CVE-2016-10200, Important)

* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges.
(CVE-2017-2647, Important)

* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service.
(CVE-2017-8797, Important)

This update also fixes multiple Moderate and Low impact security issues :

* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685

Documentation for these issues is available from the Release Notes document linked from the References section.

Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).

Additional Changes :

For detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The regulator_ena_gpio_free function in     drivers/regulator/core.c in the Linux kernel allows     local users to gain privileges or cause a denial of     service (use-after-free) via a crafted     application.i1/4^CVE-2014-9940i1/4%0

  - Race condition in the sctp_wait_for_sndbuf function in     net/sctp/socket.c in the Linux kernel before 4.9.11     allows local users to cause a denial of service     (assertion failure and panic) via a multithreaded     application that peels off an association in a certain     buffer-full state.i1/4^CVE-2017-5986i1/4%0

  - net/sctp/socket.c in the Linux kernel through 4.10.1     does not properly restrict association peel-off     operations during certain wait states, which allows     local users to cause a denial of service (invalid     unlock and double free) via a multithreaded     application. NOTE: this vulnerability exists because of     an incorrect fix for CVE-2017-5986.i1/4^CVE-2017-6353i1/4%0

  - The ipxitf_ioctl function in net/ipx/af_ipx.c in the     Linux kernel through 4.11.1 mishandles reference     counts, which allows local users to cause a denial of     service (use-after-free) or possibly have unspecified     other impact via a failed SIOCGIFADDR ioctl call for an     IPX interface.i1/4^CVE-2017-7487i1/4%0

  - fs/ext4/inode.c in the Linux kernel before 4.6.2, when     ext4 data=ordered mode is used, mishandles a     needs-flushing-before-commit list, which allows local     users to obtain sensitive information from other users'     files in opportunistic circumstances by waiting for a     hardware reset, creating a new file, making write     system calls, and reading this file.i1/4^CVE-2017-7495i1/4%0

  - The NFSv2/NFSv3 server in the nfsd subsystem in the     Linux kernel through 4.10.11 allows remote attackers to     cause a denial of service (system crash) via a long RPC     reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c,     and fs/nfsd/nfsxdr.c.i1/4^CVE-2017-7645i1/4%0

  - The inet_csk_clone_lock function in     net/ipv4/inet_connection_sock.c in the Linux kernel     through 4.10.15 allows attackers to cause a denial of     service (double free) or possibly have unspecified     other impact by leveraging use of the accept system     call.i1/4^CVE-2017-8890i1/4%0

  - The edge_bulk_in_callback function in     drivers/usb/serial/io_ti.c in the Linux kernel before     4.10.4 allows local users to obtain sensitive     information (in the dmesg ringbuffer and syslog) from     uninitialized kernel memory by using a crafted USB     device (posing as an io_ti USB serial device) to     trigger an integer underflow.i1/4^CVE-2017-8924i1/4%0

  - The IPv6 fragmentation implementation in the Linux     kernel through 4.11.1 does not consider that the     nexthdr field may be associated with an invalid option,     which allows local users to cause a denial of service     (out-of-bounds read and BUG) or possibly have     unspecified other impact via crafted socket and send     system calls.i1/4^CVE-2017-9074i1/4%0

  - The sctp_v6_create_accept_sk function in     net/sctp/ipv6.c in the Linux kernel through 4.11.1     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890.i1/4^CVE-2017-9075i1/4%0

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1     mishandles inheritance, which allows local users to     cause a denial of service or possibly have unspecified     other impact via crafted system calls, a related issue     to CVE-2017-8890.i1/4^CVE-2017-9077i1/4%0

  - The __ip6_append_data function in net/ipv6/ip6_output.c     in the Linux kernel through 4.11.3 is too late in     checking whether an overwrite of an skb data structure     may occur, which allows local users to cause a denial     of service (system crash) via crafted system     calls.i1/4^CVE-2017-9242i1/4%0

  - The ext4_fill_super function in fs/ext4/super.c in the     Linux kernel through 4.9.8 does not properly validate     meta block groups, which allows physically proximate     attackers to cause a denial of service (out-of-bounds     read and system crash) via a crafted ext4     image.i1/4^CVE-2016-10208i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
129990	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4823)	Nessus	Oracle Linux Local Security Checks	medium
129986	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0047)	Nessus	OracleVM Local Security Checks	medium
124827	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1504)	Nessus	Huawei Local Security Checks	critical
124810	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1486)	Nessus	Huawei Local Security Checks	high
103046	RHEL 6 : MRG (RHSA-2017:2669)	Nessus	Red Hat Local Security Checks	high
102820	Ubuntu 14.04 LTS : linux vulnerabilities (USN-3406-1)	Nessus	Ubuntu Local Security Checks	high
102819	Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3405-2)	Nessus	Ubuntu Local Security Checks	high
102818	Ubuntu 16.04 LTS : linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities (USN-3405-1)	Nessus	Ubuntu Local Security Checks	high
102734	CentOS 7 : kernel (CESA-2017:1842) (Stack Clash)	Nessus	CentOS Local Security Checks	high
102281	Oracle Linux 7 : kernel (ELSA-2017-1842)	Nessus	Oracle Linux Local Security Checks	high
102151	RHEL 7 : kernel-rt (RHSA-2017:2077)	Nessus	Red Hat Local Security Checks	high
102143	RHEL 7 : kernel (RHSA-2017:1842) (Stack Clash)	Nessus	Red Hat Local Security Checks	high
101853	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2017-1123)	Nessus	Huawei Local Security Checks	high
101852	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1122)	Nessus	Huawei Local Security Checks	high

CVE-2017-7495

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

critical

high

high

high

high

high

high

high

high

high

high

high