RHSA-2018:2164

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10872

https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0

https://www.oracle.com/security-alerts/cpujul2020.html

According to its self-reported version number, the remote Junos Space version is prior to 18.3R1. It is, therefore, affected by multiple vulnerabilities:

  - A use after free vulnerability exists in the    do_get_mempolicy function. An local attacker can exploit    this to cause a denial of service condition.
   (CVE-2018-10675)

  - A malicious authenticated user may be able to delete a     device from the Junos Space database without the     privileges through crafted Ajax interactions from     another legitimate delete action performed by an     administrative user. (CVE-2019-0016)

  - A flaw in validity checking of image files uploaded     to Junos Space could allow an attacker to upload     malicious scripts or images. (CVE-2019-0017)

Additionally, Junos Space is affected by several other vulnerabilities exist as noted in the vendor advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - [x86 AMD] An industry-wide issue was found in the way     many modern microprocessor designs have implemented     speculative execution of Load & Store instructions (a     commonly used performance optimization). It relies on     the presence of a precisely-defined instruction     sequence in the privileged code as well as the fact     that memory read from address to which a recent memory     write has occurred may see an older value and     subsequently cause an update into the microprocessor's     data cache even for speculatively executed instructions     that never actually commit (retire). As a result, an     unprivileged attacker could use this flaw to read     privileged memory by conducting targeted cache     side-channel attacks.

  - By mmap()ing a FUSE-backed file onto a process's memory     containing command line arguments (or environment     strings), an attacker can cause utilities from psutils     or procps (such as ps, w) or any other program which     makes a read() call to the /proc/<pid>/cmdline (or     /proc/<pid>/environ) files to block indefinitely     (denial of service) or for some controlled time (as a     synchronization primitive for other attacks).

  - A Floating Point Unit (FPU) state information leakage     flaw was found in the way the Linux kernel saved and     restored the FPU state during task switch. Linux     kernels that follow the 'Lazy FPU Restore' scheme are     vulnerable to the FPU state information leakage issue.
    An unprivileged local attacker could use this flaw to     read FPU state bits by conducting targeted cache     side-channel attacks, similar to the Meltdown     vulnerability disclosed earlier this year.

  - A flaw was found in the way the Linux kernel handled     exceptions delivered after a stack switch operation via     Mov SS or Pop SS instructions. During the stack switch     operation, processor does not deliver interrupts and     exceptions, they are delivered once the first     instruction after the stack switch is executed. An     unprivileged system user could use this flaw to crash     the system kernel resulting in DoS. This CVE-2018-10872     was assigned due to regression of CVE-2018-8897.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, x86 AMD)

* kernel: Use-after-free vulnerability in mm/mempolicy.c:do_get_mempolicy function allows local denial of service or other unspecified impact (CVE-2018-10675)

* Kernel: FPU state information leakage via lazy FPU restore (CVE-2018-3665)

* kernel: error in exception handling leads to DoS (CVE-2018-8897 regression) (CVE-2018-10872)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639 and Julian Stecklina (Amazon.de), Thomas Prescher (cyberus-technology.de), and Zdenek Sojka (sysgo.com) for reporting CVE-2018-3665.

Bug Fix(es) :

* Previously, microcode updates on 32 and 64-bit AMD and Intel architectures were not synchronized. As a consequence, it was not possible to apply the microcode updates. This fix adds the synchronization to the microcode updates so that processors of the stated architectures receive updates at the same time. As a result, microcode updates are now synchronized. (BZ# 1574592)

Security Fix(es) :

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of Load &amp; Store instructions (a commonly     used performance optimization). It relies on the     presence of a precisely-defined instruction sequence in     the privileged code as well as the fact that memory read     from address to which a recent memory write has occurred     may see an older value and subsequently cause an update     into the microprocessor's data cache even for     speculatively executed instructions that never actually     commit (retire). As a result, an unprivileged attacker     could use this flaw to read privileged memory by     conducting targeted cache side-channel attacks.
    (CVE-2018-3639, x86 AMD)

  - kernel: Use-after-free vulnerability in     mm/mempolicy.c:do_get_mempolicy function allows local     denial of service or other unspecified impact     (CVE-2018-10675)

  - Kernel: FPU state information leakage via lazy FPU     restore (CVE-2018-3665)

  - kernel: error in exception handling leads to DoS     (CVE-2018-8897 regression) (CVE-2018-10872)

Bug Fix(es) :

  - Previously, microcode updates on 32 and 64-bit AMD and     Intel architectures were not synchronized. As a     consequence, it was not possible to apply the microcode     updates. This fix adds the synchronization to the     microcode updates so that processors of the stated     architectures receive updates at the same time. As a     result, microcode updates are now synchronized.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-2164 advisory.

  - Systems with microprocessors utilizing speculative execution and speculative execution of memory reads     before the addresses of all prior memory writes are known may allow unauthorized disclosure of information     to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),     Variant 4. (CVE-2018-3639)

  - The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to     cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system     calls. (CVE-2018-10675)

  - System software utilizing Lazy FP state restore technique on systems using Intel Core-based     microprocessors may potentially allow a local process to infer data from another process through a     speculative execution side channel. (CVE-2018-3665)

  - A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation     via Mov SS or Pop SS instructions. During the stack switch operation, processor does not deliver     interrupts and exceptions, they are delivered once the first instruction after the stack switch is     executed. An unprivileged system user could use this flaw to crash the system kernel resulting in DoS.
    This CVE-2018-10872 was assigned due to regression of CVE-2018-8897 in Red Hat Enterprise Linux 6.10 GA     kernel. No other versions are affected by this CVE. (CVE-2018-10872)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
121067	Juniper Junos Space < 18.3R1 Multiple Vulnerabilities (JSA10917)	Nessus	Junos Local Security Checks	high
111151	Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-048)	Nessus	Virtuozzo Local Security Checks	medium
111077	CentOS 6 : kernel (CESA-2018:2164) (Spectre)	Nessus	CentOS Local Security Checks	high
111002	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180710) (Spectre)	Nessus	Scientific Linux Local Security Checks	high
111001	RHEL 6 : kernel (RHSA-2018:2164) (Spectre)	Nessus	Red Hat Local Security Checks	high
110996	Oracle Linux 6 : kernel (ELSA-2018-2164)	Nessus	Oracle Linux Local Security Checks	high

CVE-2018-10872

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

medium

high

high

high

high