100658

RHSA-2018:0676

RHSA-2018:1062

RHSA-2018:1130

RHSA-2018:1170

https://source.android.com/security/bulletin/2017-09-01

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities:

  - Integer overflow in the aio_setup_single_vector function     in fs/aio.c in the Linux kernel 4.0 allows local users     to cause a denial of service or possibly have     unspecified other impact via a large AIO iovec. NOTE:
    this vulnerability exists because of a CVE-2012-6701     regression. (CVE-2015-8830)

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86     machine can disable ASLR by setting the RLIMIT_STACK     resource to unlimited. (CVE-2016-3672)

  - The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     before 4.6 allows local users to gain privileges or     cause a denial of service (use-after-free) via vectors     involving omission of the firmware name from a certain     data structure. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2016-7913)

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is unlikely.
    (CVE-2017-0861)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value. (CVE-2017-1000252)

  - Linux kernel Virtualization Module (CONFIG_KVM) for the     Intel processor family (CONFIG_KVM_INTEL) is vulnerable     to a DoS issue. It could occur if a guest was to flood     the I/O port 0x80 with write requests. A guest user     could use this flaw to crash the host kernel resulting     in DoS. (CVE-2017-1000407)

  - A flaw was found in the processing of incoming L2CAP     bluetooth commands. Uninitialized stack variables can be     sent to an attacker leaking data in kernel address     space. (CVE-2017-1000410)

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or use-     after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be fully     ruled out, although we believe it is unlikely.
    (CVE-2017-10661)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a nested     visualization setup, L2 guest user could use this flaw     to potentially crash the host(L0) resulting in DoS.
    (CVE-2017-12154)

  - It was found that in the Linux kernel through v4.14-rc5,     bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'     do unbalanced pages refcounting if IO vector has small     consecutive buffers belonging to the same page.
    bio_add_pc_page() merges them into one, but the page     reference is never dropped, causing a memory leak and     possible system lockup due to out-of-memory condition.
    (CVE-2017-12190)

  - A flaw was found in the Linux kernel's implementation of     valid_master_desc() in which a memory buffer would be     compared to a userspace value with an incorrect size of     comparison. By bruteforcing the comparison, an attacker     could determine what was in memory after the description     and possibly obtain sensitive information from kernel     memory. (CVE-2017-13305)

  - A use-after-free vulnerability was found in a network     namespaces code affecting the Linux kernel since     v4.0-rc1 through v4.15-rc5. The function     get_net_ns_by_id() does not check for the net::count     value after it has found a peer network in netns_ids idr     which could lead to double free and memory corruption.
    This vulnerability could allow an unprivileged local     user to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     it is thought to be unlikely. (CVE-2017-15129)

  - A use-after-free vulnerability was found when issuing an     ioctl to a sound device. This could allow a user to     exploit a race condition and create memory corruption or     possibly privilege escalation. (CVE-2017-15265)

  - A flaw was found in the implementation of associative     arrays where the add_key systemcall and KEYCTL_UPDATE     operations allowed for a NULL payload with a nonzero     length. When accessing the payload within this length     parameters value, an unprivileged user could trivially     cause a NULL pointer dereference (kernel oops).
    (CVE-2017-15274)

  - The net/netfilter/nfnetlink_cthelper.c function in the     Linux kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for new, get, and del     operations. This allows local users to bypass intended     access restrictions because the nfnl_cthelper_list data     structure is shared across all net namespaces.
    (CVE-2017-17448)

  - The __netlink_deliver_tap_skb function in     net/netlink/af_netlink.c in the Linux kernel, through     4.14.4, does not restrict observations of Netlink     messages to a single net namespace, when CONFIG_NLMON is     enabled. This allows local users to obtain sensitive     information by leveraging the CAP_NET_ADMIN capability     to sniff an nlmon interface for all Netlink activity on     the system. (CVE-2017-17449)

  - The usb_destroy_configuration() function, in     'drivers/usb/core/config.c' in the USB core subsystem,     in the Linux kernel through 4.14.5 does not consider the     maximum number of configurations and interfaces before     attempting to release resources. This allows local users     to cause a denial of service, due to out-of-bounds write     access, or possibly have unspecified other impact via a     crafted USB device. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     we believe it is unlikely. (CVE-2017-17558)

  - The Salsa20 encryption algorithm in the Linux kernel,     before 4.14.8, does not correctly handle zero-length     inputs. This allows a local attacker the ability to use     the AF_ALG-based skcipher interface to cause a denial of     service (uninitialized-memory free and kernel crash) or     have an unspecified other impact by executing a crafted     sequence of system calls that use the blkcipher_walk     API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 are     vulnerable. (CVE-2017-17805)

  - The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel before     4.11, and 4.9.x before 4.9.36, allows remote attackers     to cause a denial of service (use-after-free and memory     corruption) or possibly have unspecified other impact by     leveraging the presence of xt_TCPMSS in an iptables     action. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2017-18017)

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with CAP_SYS_ADMIN     capability) can directly perform the ioctl operations     for dm device creation and removal and this would     typically be outside the direct control of the     unprivileged attacker. (CVE-2017-18203)

  - The madvise_willneed function in the Linux kernel allows     local users to cause a denial of service (infinite loop)     by triggering use of MADVISE_WILLNEED for a DAX mapping.
    (CVE-2017-18208)

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original allocation.
    (CVE-2017-9725)

  - In the Linux kernel versions 4.12, 3.10, 2.6, and     possibly earlier, a race condition vulnerability exists     in the sound system allowing for a potential deadlock     and memory corruption due to use-after-free condition     and thus denial of service. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely. (CVE-2018-1000004)

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can exploit     this vulnerability in the host machine, causing a crash     in the network card. (CVE-2018-1000026)

  - By mmap()ing a FUSE-backed file onto a process's memory     containing command line arguments (or environment     strings), an attacker can cause utilities from psutils     or procps (such as ps, w) or any other program which     makes a read() call to the /proc//cmdline (or     /proc//environ) files to block indefinitely (denial     of service) or for some controlled time (as a     synchronization primitive for other attacks).
    (CVE-2018-1120)

  - A null pointer dereference in dccp_write_xmit() function     in net/dccp/output.c in the Linux kernel allows a local     user to cause a denial of service by a number of certain     crafted system calls. (CVE-2018-1130)

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary task.
    (CVE-2018-17972)

  - A flaw was found in the Linux kernel with files on tmpfs     and hugetlbfs. An attacker is able to bypass file     permissions on filesystems mounted with tmpfs/hugetlbs     to modify a file and possibly disrupt normal system     behavior. At this time there is an understanding there     is no crash or privilege escalation but the impact of     modifications on these filesystems of files in     production systems may have adverse affects.
    (CVE-2018-18397)

  - In the Linux kernel before 4.17, a local attacker able     to set attributes on an xfs filesystem could make this     filesystem non-operational until the next mount by     triggering an unchecked error condition during an xfs     attribute change, because xfs_attr_shortform_addname in     fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE     operations with conversion of an attr from short to long     form. (CVE-2018-18690)

  - A flaw was found in the Linux kernel's handling of     loopback devices. An attacker, who has permissions to     setup loopback disks, may create a denial of service or     other unspecified actions. (CVE-2018-5344)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c     in the Linux kernel, through 4.14.15, allows local users     to obtain sensitive address information by reading dmesg     data from an SBS HC printk call. (CVE-2018-5750)

  - An error in the _sctp_make_chunk() function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS. (CVE-2018-5803)

  - In the function wmi_set_ie() in the Linux kernel the     length validation code does not handle unsigned integer     overflow properly. As a result, a large value of the     ie_len argument can cause a buffer overflow and thus a     memory corruption leading to a system crash or other or     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     we believe it is unlikely. (CVE-2018-5848)

  - ALSA sequencer core initializes the event pool on demand     by invoking snd_seq_pool_init() when the first write     happens and the pool is empty. A user can reset the pool     size manually via ioctl concurrently, and this may lead     to UAF or out-of-bound access. (CVE-2018-7566)

  - A possible memory corruption due to a type confusion was     found in the Linux kernel in the sk_clone_lock()     function in the net/core/sock.c. The possibility of     local escalation of privileges cannot be fully ruled out     for a local unprivileged attacker. (CVE-2018-9568)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities:

  - Integer overflow in the aio_setup_single_vector function     in fs/aio.c in the Linux kernel 4.0 allows local users     to cause a denial of service or possibly have     unspecified other impact via a large AIO iovec. NOTE:
    this vulnerability exists because of a CVE-2012-6701     regression. (CVE-2015-8830)

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86     machine can disable ASLR by setting the RLIMIT_STACK     resource to unlimited. (CVE-2016-3672)

  - The xc2028_set_config function in     drivers/media/tuners/tuner-xc2028.c in the Linux kernel     before 4.6 allows local users to gain privileges or     cause a denial of service (use-after-free) via vectors     involving omission of the firmware name from a certain     data structure. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2016-7913)

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is unlikely.
    (CVE-2017-0861)

  - A reachable assertion failure flaw was found in the     Linux kernel built with KVM virtualisation(CONFIG_KVM)     support with Virtual Function I/O feature (CONFIG_VFIO)     enabled. This failure could occur if a malicious guest     device sent a virtual interrupt (guest IRQ) with a     larger (>1024) index value. (CVE-2017-1000252)

  - Linux kernel Virtualization Module (CONFIG_KVM) for the     Intel processor family (CONFIG_KVM_INTEL) is vulnerable     to a DoS issue. It could occur if a guest was to flood     the I/O port 0x80 with write requests. A guest user     could use this flaw to crash the host kernel resulting     in DoS. (CVE-2017-1000407)

  - A flaw was found in the processing of incoming L2CAP     bluetooth commands. Uninitialized stack variables can be     sent to an attacker leaking data in kernel address     space. (CVE-2017-1000410)

  - A race condition was found in the Linux kernel before     version 4.11-rc1 in 'fs/timerfd.c' file which allows a     local user to cause a kernel list corruption or use-     after-free via simultaneous operations with a file     descriptor which leverage improper 'might_cancel'     queuing. An unprivileged local user could use this flaw     to cause a denial of service of the system. Due to the     nature of the flaw, privilege escalation cannot be fully     ruled out, although we believe it is unlikely.
    (CVE-2017-10661)

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a nested     visualization setup, L2 guest user could use this flaw     to potentially crash the host(L0) resulting in DoS.
    (CVE-2017-12154)

  - It was found that in the Linux kernel through v4.14-rc5,     bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'     do unbalanced pages refcounting if IO vector has small     consecutive buffers belonging to the same page.
    bio_add_pc_page() merges them into one, but the page     reference is never dropped, causing a memory leak and     possible system lockup due to out-of-memory condition.
    (CVE-2017-12190)

  - A flaw was found in the Linux kernel's implementation of     valid_master_desc() in which a memory buffer would be     compared to a userspace value with an incorrect size of     comparison. By bruteforcing the comparison, an attacker     could determine what was in memory after the description     and possibly obtain sensitive information from kernel     memory. (CVE-2017-13305)

  - A use-after-free vulnerability was found in a network     namespaces code affecting the Linux kernel since     v4.0-rc1 through v4.15-rc5. The function     get_net_ns_by_id() does not check for the net::count     value after it has found a peer network in netns_ids idr     which could lead to double free and memory corruption.
    This vulnerability could allow an unprivileged local     user to induce kernel memory corruption on the system,     leading to a crash. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     it is thought to be unlikely. (CVE-2017-15129)

  - A use-after-free vulnerability was found when issuing an     ioctl to a sound device. This could allow a user to     exploit a race condition and create memory corruption or     possibly privilege escalation. (CVE-2017-15265)

  - A flaw was found in the implementation of associative     arrays where the add_key systemcall and KEYCTL_UPDATE     operations allowed for a NULL payload with a nonzero     length. When accessing the payload within this length     parameters value, an unprivileged user could trivially     cause a NULL pointer dereference (kernel oops).
    (CVE-2017-15274)

  - The net/netfilter/nfnetlink_cthelper.c function in the     Linux kernel through 4.14.4 does not require the     CAP_NET_ADMIN capability for new, get, and del     operations. This allows local users to bypass intended     access restrictions because the nfnl_cthelper_list data     structure is shared across all net namespaces.
    (CVE-2017-17448)

  - The __netlink_deliver_tap_skb function in     net/netlink/af_netlink.c in the Linux kernel, through     4.14.4, does not restrict observations of Netlink     messages to a single net namespace, when CONFIG_NLMON is     enabled. This allows local users to obtain sensitive     information by leveraging the CAP_NET_ADMIN capability     to sniff an nlmon interface for all Netlink activity on     the system. (CVE-2017-17449)

  - The usb_destroy_configuration() function, in     'drivers/usb/core/config.c' in the USB core subsystem,     in the Linux kernel through 4.14.5 does not consider the     maximum number of configurations and interfaces before     attempting to release resources. This allows local users     to cause a denial of service, due to out-of-bounds write     access, or possibly have unspecified other impact via a     crafted USB device. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     we believe it is unlikely. (CVE-2017-17558)

  - The Salsa20 encryption algorithm in the Linux kernel,     before 4.14.8, does not correctly handle zero-length     inputs. This allows a local attacker the ability to use     the AF_ALG-based skcipher interface to cause a denial of     service (uninitialized-memory free and kernel crash) or     have an unspecified other impact by executing a crafted     sequence of system calls that use the blkcipher_walk     API. Both the generic implementation     (crypto/salsa20_generic.c) and x86 implementation     (arch/x86/crypto/salsa20_glue.c) of Salsa20 are     vulnerable. (CVE-2017-17805)

  - The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel before     4.11, and 4.9.x before 4.9.36, allows remote attackers     to cause a denial of service (use-after-free and memory     corruption) or possibly have unspecified other impact by     leveraging the presence of xt_TCPMSS in an iptables     action. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely. (CVE-2017-18017)

  - The Linux kernel, before version 4.14.3, is vulnerable     to a denial of service in     drivers/md/dm.c:dm_get_from_kobject() which can be     caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM     devices. Only privileged local users (with CAP_SYS_ADMIN     capability) can directly perform the ioctl operations     for dm device creation and removal and this would     typically be outside the direct control of the     unprivileged attacker. (CVE-2017-18203)

  - The madvise_willneed function in the Linux kernel allows     local users to cause a denial of service (infinite loop)     by triggering use of MADVISE_WILLNEED for a DAX mapping.
    (CVE-2017-18208)

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original allocation.
    (CVE-2017-9725)

  - In the Linux kernel versions 4.12, 3.10, 2.6, and     possibly earlier, a race condition vulnerability exists     in the sound system allowing for a potential deadlock     and memory corruption due to use-after-free condition     and thus denial of service. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely. (CVE-2018-1000004)

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can exploit     this vulnerability in the host machine, causing a crash     in the network card. (CVE-2018-1000026)

  - By mmap()ing a FUSE-backed file onto a process's memory     containing command line arguments (or environment     strings), an attacker can cause utilities from psutils     or procps (such as ps, w) or any other program which     makes a read() call to the /proc//cmdline (or     /proc//environ) files to block indefinitely (denial     of service) or for some controlled time (as a     synchronization primitive for other attacks).
    (CVE-2018-1120)

  - A null pointer dereference in dccp_write_xmit() function     in net/dccp/output.c in the Linux kernel allows a local     user to cause a denial of service by a number of certain     crafted system calls. (CVE-2018-1130)

  - An issue was discovered in the proc_pid_stack function     in fs/proc/base.c in the Linux kernel. An attacker with     a local account can trick the stack unwinder code to     leak stack contents to userspace. The fix allows only     root to inspect the kernel stack of an arbitrary task.
    (CVE-2018-17972)

  - A flaw was found in the Linux kernel with files on tmpfs     and hugetlbfs. An attacker is able to bypass file     permissions on filesystems mounted with tmpfs/hugetlbs     to modify a file and possibly disrupt normal system     behavior. At this time there is an understanding there     is no crash or privilege escalation but the impact of     modifications on these filesystems of files in     production systems may have adverse affects.
    (CVE-2018-18397)

  - In the Linux kernel before 4.17, a local attacker able     to set attributes on an xfs filesystem could make this     filesystem non-operational until the next mount by     triggering an unchecked error condition during an xfs     attribute change, because xfs_attr_shortform_addname in     fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE     operations with conversion of an attr from short to long     form. (CVE-2018-18690)

  - Modern operating systems implement virtualization of     physical memory to efficiently use available system     resources and provide inter-domain protection through     access control and isolation. The L1TF issue was found     in the way the x86 microprocessor designs have     implemented speculative execution of instructions (a     commonly used performance optimization) in combination     with handling of page-faults caused by terminated     virtual to physical address resolving process. As a     result, an unprivileged attacker could use this flaw to     read privileged memory of the kernel or other processes     and/or cross guest/host boundaries to read host memory     by conducting targeted cache side-channel attacks.
    (CVE-2018-3646)

  - A flaw was found in the Linux kernel's handling of     loopback devices. An attacker, who has permissions to     setup loopback disks, may create a denial of service or     other unspecified actions. (CVE-2018-5344)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c     in the Linux kernel, through 4.14.15, allows local users     to obtain sensitive address information by reading dmesg     data from an SBS HC printk call. (CVE-2018-5750)

  - An error in the _sctp_make_chunk() function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS. (CVE-2018-5803)

  - In the function wmi_set_ie() in the Linux kernel the     length validation code does not handle unsigned integer     overflow properly. As a result, a large value of the     ie_len argument can cause a buffer overflow and thus a     memory corruption leading to a system crash or other or     unspecified impact. Due to the nature of the flaw,     privilege escalation cannot be fully ruled out, although     we believe it is unlikely. (CVE-2018-5848)

  - ALSA sequencer core initializes the event pool on demand     by invoking snd_seq_pool_init() when the first write     happens and the pool is empty. A user can reset the pool     size manually via ioctl concurrently, and this may lead     to UAF or out-of-bound access. (CVE-2018-7566)

  - A possible memory corruption due to a type confusion was     found in the Linux kernel in the sk_clone_lock()     function in the net/core/sock.c. The possibility of     local escalation of privileges cannot be fully ruled out     for a local unprivileged attacker. (CVE-2018-9568)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions past bounds check. The flaw     relies on the presence of a precisely-defined     instruction sequence in the privileged code and the     fact that memory writes occur to an address which     depends on the untrusted value. Such writes cause an     update into the microprocessor's data cache even for     speculatively executed instructions that never actually     commit (retire). As a result, an unprivileged attacker     could use this flaw to influence speculative execution     and/or read privileged memory by conducting targeted     cache side-channel attacks.(CVE-2018-3693)

  - A flaw named SegmentSmack was found in the way the     Linux kernel handled specially crafted TCP packets. A     remote attacker could use this flaw to trigger time and     calculation expensive calls to tcp_collapse_ofo_queue()     and tcp_prune_ofo_queue() functions by sending     specially modified packets within ongoing TCP sessions     which could lead to a CPU saturation and hence a denial     of service on the system. Maintaining the denial of     service condition requires continuous two-way TCP     sessions to a reachable open port, thus the attacks     cannot be performed using spoofed IP     addresses.(CVE-2018-5390)

  - It was found that the raw midi kernel driver does not     protect against concurrent access which leads to a     double realloc (double free) in     snd_rawmidi_input_params() and     snd_rawmidi_output_status() which are part of     snd_rawmidi_ioctl() handler in rawmidi.c file. A     malicious local attacker could possibly use this for     privilege escalation.(CVE-2018-10902)

  - Integer overflow in the aio_setup_single_vector     function in fs/aio.c in the Linux kernel 4.0 allows     local users to cause a denial of service or possibly     have unspecified other impact via a large AIO iovec.
    NOTE: this vulnerability exists because of a     CVE-2012-6701 regression.(CVE-2015-8830)

  - A flaw was found in the Linux networking subsystem     where a local attacker with CAP_NET_ADMIN capabilities     could cause an out-of-bounds memory access by creating     a smaller-than-expected ICMP header and sending to its     destination via sendto().(CVE-2016-8399)

  - Out-of-bounds kernel heap access vulnerability was     found in xfrm, kernel's IP framework for transforming     packets. An error dealing with netlink messages from an     unprivileged user leads to arbitrary read/write and     privilege escalation.(CVE-2017-7184)

  - The Linux kernel was found to be vulnerable to a NULL     pointer dereference bug in the __netlink_ns_capable()     function in the net/netlink/af_netlink.c file. A local     attacker could exploit this when a net namespace with a     netnsid is assigned to cause a kernel panic and a     denial of service.i1/4^CVE-2018-14646i1/4%0

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original     allocation.(CVE-2017-9725)

  - A bug in the 32-bit compatibility layer of the ioctl     handling code of the v4l2 video driver in the Linux     kernel has been found. A memory protection mechanism     ensuring that user-provided buffers always point to a     userspace memory were disabled, allowing destination     address to be in a kernel space. This flaw could be     exploited by an attacker to overwrite a kernel memory     from an unprivileged userspace process, leading to     privilege escalation.(CVE-2017-13166)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5754 relies on the     fact that, on impacted microprocessors, during     speculative execution of instruction permission faults,     exception generation triggered by a faulting access is     suppressed until the retirement of the whole     instruction block. In a combination with the fact that     memory accesses may populate the cache even when the     block is being dropped and never committed (executed),     an unprivileged local attacker could use this flaw to     read privileged (kernel space) memory by conducting     targeted cache side-channel attacks. Note:
    CVE-2017-5754 affects Intel x86-64 microprocessors. AMD     x86-64 microprocessors are not affected by this     issue.(CVE-2017-5754)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5753 triggers the     speculative execution by performing a bounds-check     bypass. It relies on the presence of a     precisely-defined instruction sequence in the     privileged code as well as the fact that memory     accesses may cause allocation into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to cross the     syscall boundary and read privileged memory by     conducting targeted cache side-channel     attacks.(CVE-2017-5753)

  - A flaw was found in the Linux kernel's skcipher     component, which affects the skcipher_recvmsg function.
    Attackers using a specific input can lead to a     privilege escalation.i1/4^CVE-2017-13215i1/4%0

  - The tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c in the Linux kernel before     4.11, and 4.9.x before 4.9.36, allows remote attackers     to cause a denial of service (use-after-free and memory     corruption) or possibly have unspecified other impact     by leveraging the presence of xt_TCPMSS in an iptables     action. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out, although we     believe it is unlikely.i1/4^CVE-2017-18017i1/4%0

  - A kernel data leak due to an out-of-bound read was     found in the Linux kernel in     inet_diag_msg_sctp{,l}addr_fill() and     sctp_get_sctp_info() functions present since version     4.7-rc1 through version 4.13. A data leak happens when     these functions fill in sockaddr data structures used     to export socket's diagnostic information. As a result,     up to 100 bytes of the slab data could be leaked to a     userspace.i1/4^CVE-2017-7558i1/4%0

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is     unlikely.i1/4^CVE-2017-0861i1/4%0

  - Improper validation in the bnx2x network card driver of     the Linux kernel version 4.15 can allow for denial of     service (DoS) attacks via a packet with a gso_size     larger than ~9700 bytes. Untrusted guest VMs can     exploit this vulnerability in the host machine, causing     a crash in the network card.i1/4^CVE-2018-1000026i1/4%0

  - An error in the '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP, packet     length can be exploited by a malicious local user to     cause a kernel crash and a DoS.i1/4^CVE-2018-5803i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found where the kernel truncated the value     used to indicate the size of a buffer which it would     later become zero using an untruncated value. This can     corrupt memory outside of the original     allocation.(CVE-2017-9725)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5753 triggers the     speculative execution by performing a bounds-check     bypass. It relies on the presence of a     precisely-defined instruction sequence in the     privileged code as well as the fact that memory     accesses may cause allocation into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to cross the     syscall boundary and read privileged memory by     conducting targeted cache side-channel     attacks.(CVE-2017-5753)

  - A buffer overflow was found in the Linux kernel's     isdn_net_newslave() function in the     /drivers/isdn/i4l/isdn_net.c file. An overflow happens     when the user-controlled buffer is copied into a local     buffer of constant size using strcpy() without a length     check.(CVE-2017-12762)

  - Modern operating systems implement virtualization of     physical memory to efficiently use available system     resources and provide inter-domain protection through     access control and isolation. The L1TF issue was found     in the way the x86 microprocessor designs have     implemented speculative execution of instructions (a     commonly used performance optimization) in combination     with handling of page-faults caused by terminated     virtual to physical address resolving process. As a     result, an unprivileged attacker could use this flaw to     read privileged memory of the kernel or other processes     and/or cross guest/host boundaries to read host memory     by conducting targeted cache side-channel     attacks.(CVE-2018-3646)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5715 triggers the     speculative execution by utilizing branch target     injection. It relies on the presence of a     precisely-defined instruction sequence in the     privileged code as well as the fact that memory     accesses may cause allocation into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to cross the     syscall and guest/host boundaries and read privileged     memory by conducting targeted cache side-channel     attacks.(CVE-2017-5715)

  - Modern operating systems implement virtualization of     physical memory to efficiently use available system     resources and provide inter-domain protection through     access control and isolation. The L1TF issue was found     in the way the x86 microprocessor designs have     implemented speculative execution of instructions (a     commonly used performance optimization) in combination     with handling of page-faults caused by terminated     virtual to physical address resolving process. As a     result, an unprivileged attacker could use this flaw to     read privileged memory of the kernel or other processes     and/or cross guest/host boundaries to read host memory     by conducting targeted cache side-channel     attacks.(CVE-2018-3620)

  - In hid_debug_events_read of drivers/hid/hid-debug.c,     there is a possible out of bounds write due to a     missing bounds check. This could lead to local     escalation of privilege with System execution     privileges needed. User interaction is not needed for     exploitation. Product: Android Versions: Android kernel     Android ID: A-71361580.(CVE-2018-9516)

  - Systems with microprocessors utilizing speculative     execution and speculative execution of memory reads     before the addresses of all prior memory writes are     known may allow unauthorized disclosure of information     to an attacker with local user access via a     side-channel analysis, aka Speculative Store Bypass     (SSB), Variant 4.(CVE-2018-3639)

  - It was found that the Linux kernel memory resource     controller's (memcg) handling of OOM (out of memory)     conditions could lead to deadlocks. An attacker able to     continuously spawn new processes within a single     memory-constrained cgroup during an OOM event could use     this flaw to lock up the system.(CVE-2014-8171)

  - In sk_clone_lock of sock.c, there is a possible memory     corruption due to type confusion. This could lead to     local escalation of privilege with no additional     execution privileges needed. User interaction is not     needed for exploitation. Product: Android. Versions:
    Android kernel. Android ID: A-113509306. References:
    Upstream kernel.(CVE-2018-9568)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - rds: congestion updates can be missed when kernel low on     memory (Mukesh Kacker) [Orabug: 28425811]

  - net/rds: ib: Fix endless RNR Retries caused by memory     allocation failures (Venkat Venkatsubra) [Orabug:
    28127993]

  - net: rds: fix excess initialization of the recv SGEs     (Zhu Yanjun) [Orabug: 29004503]

  - xhci: fix usb2 resume timing and races. (Mathias Nyman)     [Orabug: 29028940]

  - xhci: Fix a race in usb2 LPM resume, blocking U3 for     usb2 devices (Mathias Nyman) [Orabug: 29028940]

  - userfaultfd: check VM_MAYWRITE was set after verifying     the uffd is registered (Andrea Arcangeli) [Orabug:
    29163750] (CVE-2018-18397)

  - userfaultfd: shmem/hugetlbfs: only allow to register     VM_MAYWRITE vmas (Andrea Arcangeli) [Orabug: 29163750]     (CVE-2018-18397)

  - x86/apic/x2apic: set affinity of a single interrupt to     one cpu (Jianchao Wang) [Orabug: 29196396]

  - xen/blkback: rework validate_io_op (Dongli Zhang)     [Orabug: 29199843]

  - xen/blkback: optimize validate_io_op to filter     BLKIF_OP_RESERVED_1 operation (Dongli Zhang) [Orabug:
    29199843]

  - xen/blkback: do not BUG for invalid blkif_request from     frontend (Dongli Zhang) [Orabug: 29199843]

  - net/rds: WARNING: at net/rds/recv.c:222     rds_recv_hs_exthdrs+0xf8/0x1e0 (Venkat Venkatsubra)     [Orabug: 29201779]

  - xen-netback: wake up xenvif_dealloc_kthread when it     should stop (Dongli Zhang) [Orabug: 29217927]

  - Revert 'xfs: remove nonblocking mode from     xfs_vm_writepage' (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: remove xfs_cancel_ioend' (Wengang Wang)     [Orabug: 29279692]

  - Revert 'xfs: Introduce writeback context for writepages'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: xfs_cluster_write is redundant' (Wengang     Wang) [Orabug: 29279692]

  - Revert 'xfs: factor mapping out of xfs_do_writepage'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: don't chain ioends during writepage     submission' (Wengang Wang) [Orabug: 29279692]

  - mstflint: Fix coding style issues - left with     LINUX_VERSION_CODE (Idan Mehalel) [Orabug: 28878697]

  - mstflint: Fix coding-style issues (Idan Mehalel)     [Orabug: 28878697]

  - mstflint: Fix errors found with checkpatch script (Idan     Mehalel) [Orabug: 28878697]

  - Added support for 5th Gen devices in Secure Boot module     and mtcr (Adham Masarwah) [Orabug: 28878697]

  - Fix typos in mst_kernel (Adham Masarwah) [Orabug:
    28878697]

  - bnxt_en: Report PCIe link properties with     pcie_print_link_status (Brian Maly) [Orabug: 28942099]

  - selinux: Perform both commoncap and selinux xattr checks     (Eric W. Biederman) [Orabug: 28951521]

  - Introduce v3 namespaced file capabilities (Serge E.
    Hallyn) [Orabug: 28951521]

  - rds: ib: Use a delay when reconnecting to the very same     IP address (H&aring kon Bugge) [Orabug: 29138813]

  - Change mincore to count 'mapped' pages rather than     'cached' pages (Linus Torvalds) [Orabug: 29187415]     (CVE-2019-5489)

  - NFSD: Set the attributes used to store the verifier for     EXCLUSIVE4_1 (Kinglong Mee) [Orabug: 29204157]

  - ext4: update i_disksize when new eof exceeds it (Shan     Hai) [Orabug: 28940828]

  - ext4: update i_disksize if direct write past ondisk size     (Eryu Guan) [Orabug: 28940828]

  - ext4: protect i_disksize update by i_data_sem in direct     write path (Eryu Guan) [Orabug: 28940828]

  - ALSA: usb-audio: Fix UAF decrement if card has no live     interfaces in card.c (Hui Peng) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Replace probing flag with active     refcount (Takashi Iwai) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Avoid nested autoresume calls (Takashi     Iwai) [Orabug: 29042981] (CVE-2018-19824)

  - ext4: validate that metadata blocks do not overlap     superblock (Theodore Ts'o) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: update inline int ext4_has_metadata_csum(struct     super_block *sb) (John Donnelly) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: always initialize the crc32c checksum driver     (Theodore Ts'o) [Orabug: 29114440] (CVE-2018-1094)     (CVE-2018-1094)

  - Revert 'bnxt_en: Reduce default rings on multi-port     cards.' (Brian Maly) [Orabug: 28687746]

  - mlx4_core: Disable P_Key Violation Traps (H&aring kon     Bugge) [Orabug: 27693633]

  - rds: RDS connection does not reconnect after CQ access     violation error (Venkat Venkatsubra) [Orabug: 28733324]

  - KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL     (KarimAllah Ahmed) [Orabug: 28069548]

  - KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL -     reloaded (Mihai Carabas) [Orabug: 28069548]

  - KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548]

  - KVM: x86: pass host_initiated to functions that read     MSRs (Paolo Bonzini) [Orabug: 28069548]

  - KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug:
    28069548]

  - KVM: nVMX: fix msr bitmaps to prevent L2 from accessing     L0 x2APIC (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    28069548]

  - ocfs2: don't clear bh uptodate for block read (Junxiao     Bi) [Orabug: 28762940]

  - ocfs2: clear journal dirty flag after shutdown journal     (Junxiao Bi) [Orabug: 28924775]

  - ocfs2: fix panic due to unrecovered local alloc (Junxiao     Bi) [Orabug: 28924775]

  - net: rds: fix rds_ib_sysctl_max_recv_allocation error     (Zhu Yanjun) [Orabug: 28947481]

  - x86/speculation: Always disable IBRS in     disable_ibrs_and_friends (Alejandro Jimenez) [Orabug:
    29139710]

  - pinctrl: amd: Use devm_pinctrl_register for pinctrl     registration (Laxman Dewangan) [Orabug: 27539246]     (CVE-2017-18174)

  - mlock: fix mlock count can not decrease in race     condition (Yisheng Xie) [Orabug: 27677611]     (CVE-2017-18221)

  - perf/core: Fix the perf_cpu_time_max_percent check (Tan     Xiaojun) [Orabug: 27823815] (CVE-2017-18255)

  - x86/microcode/intel: Fix a wrong assignment of revision     in _save_mc (Zhenzhong Duan) [Orabug: 28190263]

  - mm: cma: fix incorrect type conversion for size during     dma allocation (Rohit Vaswani) [Orabug: 28407826]     (CVE-2017-9725)

  - x86/speculation: Make enhanced IBRS the default spectre     v2 mitigation (Alejandro Jimenez) [Orabug: 28474851]

  - x86/speculation: Enable enhanced IBRS usage (Alejandro     Jimenez) [Orabug: 28474851]

  - x86/speculation: functions for supporting enhanced IBRS     (Alejandro Jimenez) [Orabug: 28474851]

  - xen/blkback: fix disconnect while I/Os in flight     (Juergen Gross) [Orabug: 28744234]

  - mlx4_vnic: use the mlid while calling ib_detach_mcast     (aru kolappan) [Orabug: 29029705]

  - ext4: fail ext4_iget for root directory if unallocated     (Theodore Ts'o) [Orabug: 29048557] (CVE-2018-1092)     (CVE-2018-1092)

  - Bluetooth: hidp: buffer overflow in hidp_process_report     (Mark Salyzyn) [Orabug: 29121215] (CVE-2018-9363)     (CVE-2018-9363)

  - HID: debug: check length before copy_to_user (Daniel     Rosenberg) [Orabug: 29128165] (CVE-2018-9516)

  - x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug:
    29149888] (CVE-2018-7995)

  - Input: i8042 - fix crash at boot time (Chen Hong)     [Orabug: 29152328] (CVE-2017-18079)

  - base/memory, hotplug: fix a kernel oops in     show_valid_zones (Toshi Kani) [Orabug: 29050538]

  - mm/memory_hotplug.c: check start_pfn in     test_pages_in_a_zone (Toshi Kani) [Orabug: 29050538]

  - drivers/base/memory.c: prohibit offlining of memory     blocks with missing sections (Seth Jennings) [Orabug:
    29050538]

  - mm: Check if section present during memory block     (un)registering (Yinghai Lu) [Orabug: 29050538]

  - hugetlb: take PMD sharing into account when flushing     tlb/caches (Mike Kravetz) [Orabug: 28951854]

  - mm: migration: fix migration of huge PMD shared pages     (Mike Kravetz) [Orabug: 28951854]

  - hugetlbfs: use truncate mutex to prevent pmd sharing     race (Mike Kravetz) [Orabug: 28896255]

  - rds: ib: Improve tracing during failover/back     (H&aring kon Bugge) [Orabug: 28860366]

  - rds: ib: Remove superfluous add of address on fail-back     device (H&aring kon Bugge) [Orabug: 28860366]

  - libiscsi: Fix NULL pointer dereference in     iscsi_eh_session_reset (Fred Herard) [Orabug: 28946207]

  - wil6210: missing length check in wmi_set_ie (Lior David)     [Orabug: 28951265] (CVE-2018-5848)

  - netfilter: xt_osf: Add missing permission checks (Kevin     Cernekee) [Orabug: 29037831] (CVE-2017-17450)

  - x86/speculation: Fix bad argument to rdmsrl in     cpu_set_bug_bits (Alejandro Jimenez) [Orabug: 29044805]

Description of changes:

[4.1.12-124.24.1.el7uek]
- pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration (Laxman Dewangan)  [Orabug: 27539246]  {CVE-2017-18174}
- mlock: fix mlock count can not decrease in race condition (Yisheng Xie)  [Orabug: 27677611]  {CVE-2017-18221}
- perf/core: Fix the perf_cpu_time_max_percent check (Tan Xiaojun) [Orabug: 27823815]  {CVE-2017-18255}
- x86/microcode/intel: Fix a wrong assignment of revision in _save_mc (Zhenzhong Duan)  [Orabug: 28190263] - mm: cma: fix incorrect type conversion for size during dma allocation (Rohit Vaswani)  [Orabug: 28407826]  {CVE-2017-9725}
- x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez)  [Orabug: 28474851] - xen/blkback: fix disconnect while I/Os in flight (Juergen Gross)  [Orabug: 28744234] - mlx4_vnic: use the mlid while calling ib_detach_mcast (aru kolappan)  [Orabug: 29029705] - ext4: fail ext4_iget for root directory if unallocated (Theodore Ts'o) [Orabug: 29048557]  {CVE-2018-1092} {CVE-2018-1092}
- Bluetooth: hidp: buffer overflow in hidp_process_report (Mark Salyzyn)   [Orabug: 29121215]  {CVE-2018-9363} {CVE-2018-9363}
- HID: debug: check length before copy_to_user() (Daniel Rosenberg) [Orabug: 29128165]  {CVE-2018-9516}
- x86/MCE: Serialize sysfs changes (Seunghun Han)  [Orabug: 29149888] {CVE-2018-7995}
- Input: i8042 - fix crash at boot time (Chen Hong)  [Orabug: 29152328] {CVE-2017-18079}

Security Fix(es) :

  - hw: cpu: speculative execution permission faults     handling (CVE-2017-5754, Important, KVM for Power)

  - kernel: Buffer overflow in firewire driver via crafted     incoming packets (CVE-2016-8633, Important)

  - kernel: Use-after-free vulnerability in DCCP socket     (CVE-2017-8824, Important)

  - Kernel: kvm: nVMX: L2 guest could access hardware(L0)     CR8 register (CVE-2017-12154, Important)

  - kernel: v4l2: disabled memory access protection     mechanism allowing privilege escalation (CVE-2017-13166,     Important)

  - kernel: media: use-after-free in [tuner-xc2028] media     driver (CVE-2016-7913, Moderate)

  - kernel: drm/vmwgfx: fix integer overflow in     vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

  - kernel: Incorrect type conversion for size during dma     allocation (CVE-2017-9725, Moderate)

  - kernel: memory leak when merging buffers in SCSI IO     vectors (CVE-2017-12190, Moderate)

  - kernel: vfs: BUG in truncate_inode_pages_range() and     fuse client (CVE-2017-15121, Moderate)

  - kernel: Use-after-free in     userfaultfd_event_wait_completion function in     userfaultfd.c (CVE-2017-15126, Moderate)

  - kernel: net: double-free and memory corruption in     get_net_ns_by_id() (CVE-2017-15129, Moderate)

  - kernel: Use-after-free in snd_seq_ioctl_create_port()     (CVE-2017-15265, Moderate)

  - kernel: Missing capabilities check in     net/netfilter/nfnetlink_cthelper.c allows for     unprivileged access to systemwide nfnl_cthelper_list     structure (CVE-2017-17448, Moderate)

  - kernel: Missing namespace check in     net/netlink/af_netlink.c allows for network monitors to     observe systemwide activity (CVE-2017-17449, Moderate)

  - kernel: Unallocated memory access by malicious USB     device via bNumInterfaces overflow (CVE-2017-17558,     Moderate)

  - kernel: netfilter: use-after-free in     tcpmss_mangle_packet function in     net/netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

  - kernel: Race condition in     drivers/md/dm.c:dm_get_from_kobject() allows local users     to cause a denial of service (CVE-2017-18203, Moderate)

  - kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ     (CVE-2017-1000252, Moderate)

  - Kernel: KVM: DoS via write flood to I/O port 0x80     (CVE-2017-1000407, Moderate)

  - kernel: Stack information leak in the EFS element     (CVE-2017-1000410, Moderate)

  - kernel: Kernel address information leak in     drivers/acpi/sbshc.c:acpi_smbus_hc_add() function     potentially allowing KASLR bypass (CVE-2018-5750,     Moderate)

  - kernel: Race condition in sound system can lead to     denial of service (CVE-2018-1000004, Moderate)

  - kernel: multiple Low security impact security issues     (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116,     CVE-2017-15127, CVE-2018-6927, Low)

Additional Changes :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Mohamed Ghannam for reporting CVE-2017-8824 and Armis Labs for reporting CVE-2017-1000410.

Bug Fix(es) :

* The kernel-rt packages have been upgraded to version 3.10.0-693.25.2.rt56.612, which provides a number of security and bug fixes over the previous version. (BZ#1549731)

* Intel Core X-Series (Skylake) processors use a hard-coded Time Stamp Counter (TSC) frequency of 25 MHz. In some cases this can be imprecise and lead to timing-related problems such as time drift, timers being triggered early, or TSC clock instability. This update mitigates these problems by no longer using the 'native_calibrate_tsc()' function to define the TSC frequency. Refined calibration is now used to update the clock rate accordingly in these cases. (BZ#1547854)

An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Mohamed Ghannam for reporting CVE-2017-8824; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410.

Bug Fix(es) :

These updated kernel packages include also numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article:
https://access.redhat.com/articles/3411331

From Red Hat Security Advisory 2018:1062 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling (CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672, CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register (CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation (CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client (CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id() (CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265, Moderate)

* kernel: Incorrect handling in arch/x86/include/asm/ mmu_context.h:init_new_context function allowing use-after-free (CVE-2017-17053, Moderate)

* kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows for network monitors to observe systemwide activity (CVE-2017-17449, Moderate)

* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject() allows local users to cause a denial of service (CVE-2017-18203, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ (CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410, Moderate)

* kernel: Kernel address information leak in drivers/acpi/ sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass (CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004, Moderate)

* kernel: unlimiting the stack disables ASLR (CVE-2016-3672, Low)

* kernel: Missing permission check in move_pages system call (CVE-2017-14140, Low)

* kernel: NULL pointer dereference in rngapi_reset function (CVE-2017-15116, Low)

* kernel: Improper error handling of VM_SHARED hugetlbfs mapping in mm/ hugetlb.c (CVE-2017-15127, Low)

* kernel: Integer overflow in futex.c:futux_requeue can lead to denial of service or unspecified impact (CVE-2018-6927, Low)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Mohamed Ghannam for reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for reporting CVE-2017-15129; Jan H.
Schonherr (Amazon) for reporting CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

Additional Changes :

See the Red Hat Enterprise Linux 7.5 Release Notes linked from References.

ID	Name	Product	Family	Severity
127281	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0074)	Nessus	NewStart CGSL Local Security Checks	critical
127272	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)	Nessus	NewStart CGSL Local Security Checks	critical
124992	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1539)	Nessus	Huawei Local Security Checks	critical
124836	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1515)	Nessus	Huawei Local Security Checks	critical
121605	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0002)	Nessus	OracleVM Local Security Checks	high
120976	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4315)	Nessus	Oracle Linux Local Security Checks	high
109449	Scientific Linux Security Update : kernel on SL7.x x86_64 (20180410) (Meltdown)	Nessus	Scientific Linux Local Security Checks	critical
109380	CentOS 7 : kernel (CESA-2018:1062)	Nessus	CentOS Local Security Checks	critical
109335	RHEL 6 : MRG (RHSA-2018:1170)	Nessus	Red Hat Local Security Checks	critical
109116	RHEL 7 : kernel (RHSA-2018:1130)	Nessus	Red Hat Local Security Checks	critical
109113	Oracle Linux 7 : kernel (ELSA-2018-1062)	Nessus	Oracle Linux Local Security Checks	critical
108997	RHEL 7 : kernel (RHSA-2018:1062)	Nessus	Red Hat Local Security Checks	critical
108984	RHEL 7 : kernel-rt (RHSA-2018:0676)	Nessus	Red Hat Local Security Checks	critical

CVE-2017-9725

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins