http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c70422f760c120480fee4de6c38804c72aa26bc1

98551

https://bugzilla.redhat.com/show_bug.cgi?id=1451386

https://github.com/torvalds/linux/commit/c70422f760c120480fee4de6c38804c72aa26bc1

https://www.spinics.net/lists/linux-nfs/msg63334.html

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):The walk_hugetlb_range()     function in 'mm/pagewalk.c' file in the Linux kernel     from v4.0-rc1 through v4.15-rc1 mishandles holes in     hugetlb ranges. This allows local users to obtain     sensitive information from uninitialized kernel memory     via crafted use of the mincore() system     call.(CVE-2017-16994)In the Linux kernel before 4.7,     the amd_gpio_remove function in     drivers/pinctrl/pinctrl-amd.c calls the     pinctrl_unregister function, leading to a double     free.(CVE-2017-18174)In the Linux kernel through     4.20.11, af_alg_release() in crypto/af_alg.c neglects     to set a NULL value for a certain structure member,     which leads to a use-after-free in     sockfs_setattr.(CVE-2019-8912)A security flaw was found     in the Linux kernel that an attempt to move page mapped     by AIO ring buffer to the other node triggers NULL     pointer dereference at trace_writeback_dirty_page(),     because aio_fs_backing_dev_info.dev is     0.(CVE-2016-3070)The NFSv4 implementation in the Linux     kernel through 4.11.1 allows local users to cause a     denial of service (resource consumption) by leveraging     improper channel callback shutdown when unmounting an     NFSv4 filesystem, aka a 'module reference and kernel     daemon' leak.(CVE-2017-9059)When creating audit records     for parameters to executed children processes, an     attacker can convince the Linux kernel audit subsystem     can create corrupt records which may allow an attacker     to misrepresent or evade logging of executing     commands.(CVE-2016-6136)A use-after-free vulnerability     was found in a network namespaces code affecting the     Linux kernel since v4.0-rc1 through v4.15-rc5. The     function get_net_ns_by_id() does not check for the     net::count value after it has found a peer network in     netns_ids idr which could lead to double free and     memory corruption. This vulnerability could allow an     unprivileged local user to induce kernel memory     corruption on the system, leading to a crash. Due to     the nature of the flaw, privilege escalation cannot be     fully ruled out, although it is thought to be     unlikely.(CVE-2017-15129)A NULL pointer dereference     flaw was found in the rds_ib_laddr_check() function in     the Linux kernel's implementation of Reliable Datagram     Sockets (RDS). A local, unprivileged user could use     this flaw to crash the system.(CVE-2013-7339)A flaw was     found in the Linux kernel key management subsystem in     which a local attacker could crash the kernel or     corrupt the stack and additional memory (denial of     service) by supplying a specially crafted RSA key. This     flaw panics the machine during the verification of the     RSA key.(CVE-2016-8650)The uio_mmap_physical function     in drivers/uio/uio.c in the Linux kernel before 3.12     does not validate the size of a memory block, which     allows local users to cause a denial of service (memory     corruption) or possibly gain privileges via crafted     mmap operations, a different vulnerability than     CVE-2013-4511.(CVE-2013-6763)In the Linux kernel before     4.20.5, attackers can trigger a     drivers/char/ipmi/ipmi_msghandler.c use-after-free and     OOPS by arranging for certain simultaneous execution of     the code, as demonstrated by a 'service ipmievd     restart' loop.(CVE-2019-9003)An integer overflow flaw     was found in the way the Linux kernel randomized the     stack for processes on certain 64-bit architecture     systems, such as x86-64, causing the stack entropy to     be reduced by four.(CVE-2015-1593)The     compat_sys_recvmmsg function in net/compat.c in the     Linux kernel before 3.13.2, when CONFIG_X86_X32 is     enabled, allows local users to gain privileges via a     recvmmsg system call with a crafted timeout pointer     parameter.(CVE-2014-0038)The kill_something_info     function in kernel/signal.c in the Linux kernel before     4.13, when an unspecified architecture and compiler is     used, might allow local users to cause a denial of     service via an INT_MIN     argument.(CVE-2018-10124)arch/s390/kernel/head64.S in     the Linux kernel before 3.13.5 on the s390 platform     does not properly handle attempted use of the linkage     stack, which allows local users to cause a denial of     service (system crash) by executing a crafted     instruction.(CVE-2014-2039)A flaw was found in the     Linux kernel in that the aoedisk_debugfs_show()     function in drivers/block/aoe/aoeblk.c allows local     users to obtain some kernel address information by     reading a debugfs file. This address is not useful to     commit a further attack.(CVE-2018-7754)ALSA sequencer     core initializes the event pool on demand by invoking     snd_seq_pool_init() when the first write happens and     the pool is empty. A user can reset the pool size     manually via ioctl concurrently, and this may lead to     UAF or out-of-bound access.(CVE-2018-7566)In the     function wmi_set_ie(), the length validation code does     not handle unsigned integer overflow properly. As a     result, a large value of the 'ie_len' argument can     cause a buffer overflow in all Android releases from     CAF (Android for MSM, Firefox OS for MSM, QRD Android)     using the Linux Kernel.(CVE-2018-5848)The Linux kernel     does not properly initialize memory in messages passed     between virtual guests and the host operating system in     the vhost/vhost.c:vhost_new_msg() function. This can     allow local privileged users to read some kernel memory     contents when reading from the /dev/vhost-net device     file.(CVE-2018-1118)Systems with microprocessors     utilizing speculative execution and speculative     execution of memory reads before the addresses of all     prior memory writes are known may allow unauthorized     disclosure of information to an attacker with local     user access via a side-channel analysis, aka     Speculative Store Bypass (SSB), Variant     4.(CVE-2018-3639)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of [linux,libxlt] packages for PhotonOS has been released.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0015 for details.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0174 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2017-3659 advisory.

  - A missing authorization check in the fscrypt_process_policy function in fs/crypto/policy.c in the ext4 and     f2fs filesystem encryption support in the Linux kernel before 4.7.4 allows a user to assign an encryption     policy to a directory owned by a different user, potentially creating a denial of service.
    (CVE-2016-10318)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0145 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3609 advisory.

  - The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users     to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial     of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.
    (CVE-2017-12134)

  - The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through     RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into     account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and     earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.
    (CVE-2017-1000365)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0126 for details.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-3595 advisory.

  - Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds check, and the fact that parport_ptr     integer is static, a 'secure boot' kernel command line adversary (can happen due to bootloader vulns, e.g.
    Google Nexus 6's CVE-2016-10277, where due to a vulnerability the adversary has partial control over the     command line) can overflow the parport_nr array in the following code, by appending many (>LP_NO)     'lp=none' arguments to the command line. (CVE-2017-1000363)

  - sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA     /dev/snd/timer driver resulting in local users being able to read information belonging to other users,     i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time.
    (CVE-2017-1000380)

  - The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles     inheritance, which allows local users to cause a denial of service or possibly have unspecified other     impact via crafted system calls, a related issue to CVE-2017-8890. (CVE-2017-9077)

  - The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 3.2 and 4.x before 4.9.4     allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have     unspecified other impact via a crafted HID report. (CVE-2017-7273)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Module reference leak due to improper shut down of callback channel on umount :

The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a 'module reference and kernel daemon' leak.
(CVE-2017-9059)

Incorrect overwrite check in __ip6_append_data() :

The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
(CVE-2017-9242)

Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c :

The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash.
Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-8890)

net: tcp_v6_syn_recv_sock function mishandles inheritance :

The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 . An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9077)

net: IPv6 DCCP implementation mishandles inheritance

The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 . An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9076)

net: sctp_v6_create_accept_sk function mishandles inheritance :

The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890 . An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2017-9075)

net: IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option :

The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9074)

The 4.10.17 stable kernel update contains a number of important fixes across the tree.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124991	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1538)	Nessus	Huawei Local Security Checks	critical
111867	Photon OS 1.0: Linux PHSA-2017-0018 (deprecated)	Nessus	PhotonOS Local Security Checks	high
106469	OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0015) (BlueBorne) (Meltdown) (Spectre) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
105248	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash)	Nessus	OracleVM Local Security Checks	high
105247	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659)	Nessus	Oracle Linux Local Security Checks	high
102774	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
102773	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609)	Nessus	Oracle Linux Local Security Checks	critical
102064	OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0126) (Stack Clash)	Nessus	OracleVM Local Security Checks	critical
102059	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3595)	Nessus	Oracle Linux Local Security Checks	critical
100999	Amazon Linux AMI : kernel (ALAS-2017-846)	Nessus	Amazon Linux Local Security Checks	high
100491	Fedora 24 : kernel (2017-85744f8aa9)	Nessus	Fedora Local Security Checks	high
100435	Fedora 25 : kernel (2017-273b67d5ee)	Nessus	Fedora Local Security Checks	high

CVE-2017-9059

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

critical

high

high

critical

critical

critical

critical

high

high

high