104905

RHSA-2018:2390

RHSA-2018:2391

RHSA-2018:2392

RHSA-2018:2393

RHSA-2018:2394

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10901

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3444d7da1839b851eefedd372978d8a982316c36

https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

The remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the Linux kernel's implementation of     the SCTP protocol. A remote attacker could trigger an     out-of-bounds read with an offset of up to 64kB     potentially causing the system to crash. (CVE-2016-9555)

  - An exploitable memory corruption flaw was found in the     Linux kernel. The append path can be erroneously     switched from UFO to non-UFO in ip_ufo_append_data()     when building an UFO packet with MSG_MORE option. If     unprivileged user namespaces are available, this flaw     can be exploited to gain root privileges.
    (CVE-2017-1000112)

  - A bug in the 32-bit compatibility layer of the ioctl     handling code of the v4l2 video driver in the Linux     kernel has been found. A memory protection mechanism     ensuring that user-provided buffers always point to a     userspace memory were disabled, allowing destination     address to be in a kernel space. This flaw could be     exploited by an attacker to overwrite a kernel memory     from an unprivileged userspace process, leading to     privilege escalation. (CVE-2017-13166)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5753 triggers the     speculative execution by performing a bounds-check     bypass. It relies on the presence of a precisely-defined     instruction sequence in the privileged code as well as     the fact that memory accesses may cause allocation into     the microprocessor's data cache even for speculatively     executed instructions that never actually commit     (retire). As a result, an unprivileged attacker could     use this flaw to cross the syscall boundary and read     privileged memory by conducting targeted cache side-     channel attacks. (CVE-2017-5753)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions (a commonly used performance     optimization). There are three primary variants of the     issue which differ in the way the speculative execution     can be exploited. Variant CVE-2017-5754 relies on the     fact that, on impacted microprocessors, during     speculative execution of instruction permission faults,     exception generation triggered by a faulting access is     suppressed until the retirement of the whole instruction     block. In a combination with the fact that memory     accesses may populate the cache even when the block is     being dropped and never committed (executed), an     unprivileged local attacker could use this flaw to read     privileged (kernel space) memory by conducting targeted     cache side-channel attacks. Note: CVE-2017-5754 affects     Intel x86-64 microprocessors. AMD x86-64 microprocessors     are not affected by this issue. (CVE-2017-5754)

  - It was found that the packet_set_ring() function of the     Linux kernel's networking implementation did not     properly validate certain block-size data. A local     attacker with CAP_NET_RAW capability could use this flaw     to trigger a buffer overflow resulting in a system crash     or a privilege escalation. (CVE-2017-7308)

  - A use-after-free vulnerability was found in DCCP socket     code affecting the Linux kernel since 2.6.16. This     vulnerability could allow an attacker to their escalate     privileges. (CVE-2017-8824)

  - The do_get_mempolicy() function in mm/mempolicy.c in the     Linux kernel allows local users to hit a use-after-free     bug via crafted system calls and thus cause a denial of     service (DoS) or possibly have unspecified other impact.
    Due to the nature of the flaw, privilege escalation     cannot be fully ruled out. (CVE-2018-10675)

  - A flaw was found in Linux kernel's KVM virtualization     subsystem. The VMX code does not restore the GDT.LIMIT     to the previous host value, but instead sets it to 64KB.
    With a corrupted GDT limit a host's userspace code has     an ability to place malicious entries in the GDT,     particularly to the per-cpu variables. An attacker can     use this to escalate their privileges. (CVE-2018-10901)

  - An integer overflow flaw was found in the Linux kernel's     create_elf_tables() function. An unprivileged local user     with access to SUID (or otherwise privileged) binary     could use this flaw to escalate their privileges on the     system. (CVE-2018-14634)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of Load & Store instructions (a commonly used     performance optimization). It relies on the presence of     a precisely-defined instruction sequence in the     privileged code as well as the fact that memory read     from address to which a recent memory write has occurred     may see an older value and subsequently cause an update     into the microprocessor's data cache even for     speculatively executed instructions that never actually     commit (retire). As a result, an unprivileged attacker     could use this flaw to read privileged memory by     conducting targeted cache side-channel attacks.
    (CVE-2018-3639)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions past bounds check. The flaw     relies on the presence of a precisely-defined     instruction sequence in the privileged code and the fact     that memory writes occur to an address which depends on     the untrusted value. Such writes cause an update into     the microprocessor's data cache even for speculatively     executed instructions that never actually commit     (retire). As a result, an unprivileged attacker could     use this flaw to influence speculative execution and/or     read privileged memory by conducting targeted cache     side-channel attacks. (CVE-2018-3693)

  - A flaw named SegmentSmack was found in the way the Linux     kernel handled specially crafted TCP packets. A remote     attacker could use this flaw to trigger time and     calculation expensive calls to tcp_collapse_ofo_queue()     and tcp_prune_ofo_queue() functions by sending specially     modified packets within ongoing TCP sessions which could     lead to a CPU saturation and hence a denial of service     on the system. Maintaining the denial of service     condition requires continuous two-way TCP sessions to a     reachable open port, thus the attacks cannot be     performed using spoofed IP addresses. (CVE-2018-5390)

  - A flaw named FragmentSmack was found in the way the     Linux kernel handled reassembly of fragmented IPv4 and     IPv6 packets. A remote attacker could use this flaw to     trigger time and calculation expensive fragment     reassembly algorithm by sending specially crafted     packets which could lead to a CPU saturation and hence a     denial of service on the system. (CVE-2018-5391)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the remote Junos Space version is 18.4.x prior to 18.4R1. It is, therefore, affected by multiple vulnerabilities : 

  - An integer overflow issue exists in procps-ng. This is     related to CVE-2018-1124. (CVE-2018-1126)

  - A directory traversal issue exits in reposync, a part     of yum-utils.tory configuration files. If an attacker     controls a repository, they may be able to copy files     outside of the destination directory on the targeted     system via path traversal. (CVE-2018-10897)

  - An integer overflow flaw was found in the Linux     kernel's create_elf_tables() function. An unprivileged     local user with access to SUID binary could use this     flaw to escalate their privileges on the system.
    (CVE-2018-14634)

Additionally, Junos Space is affected by several other vulnerabilities exist as noted in the vendor advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the cpupools / cpupools-features / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :

  - Modern operating systems implement virtualization of     physical memory to efficiently use available system     resources and provide inter-domain protection through     access control and isolation. The L1TF issue was found     in the way the x86 microprocessor designs have     implemented speculative execution of instructions (a     commonly used performance optimisation) in combination     with handling of page-faults caused by terminated     virtual to physical address resolving process. As a     result, an unprivileged attacker could use this flaw to     read privileged memory of the kernel or other processes     and/or cross guest/host boundaries to read host memory     by conducting targeted cache side-channel attacks.

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions past bounds check. The flaw     relies on the presence of a precisely-defined     instruction sequence in the privileged code and the     fact that memory writes occur to an address which     depends on the untrusted value. Such writes cause an     update into the microprocessor's data cache even for     speculatively executed instructions that never actually     commit (retire). As a result, an unprivileged attacker     could use this flaw to influence speculative execution     and/or read privileged memory by conducting targeted     cache side-channel attacks.

  - A flaw named SegmentSmack was found in the way the     Linux kernel handled specially crafted TCP packets. A     remote attacker could use this flaw to trigger time and     calculation expensive calls to tcp_collapse_ofo_queue()     and tcp_prune_ofo_queue() functions by sending     specially modified packets within ongoing TCP sessions     which could lead to a CPU saturation and hence a denial     of service on the system. Maintaining the denial of     service condition requires continuous two-way TCP     sessions to a reachable open port, thus the attacks     cannot be performed using spoofed IP addresses.

  - A flaw was found in Linux kernel's KVM virtualization     subsystem. The VMX code does not restore the GDT.LIMIT     to the previous host value, but instead sets it to     64KB. With a corrupted GDT limit a host's userspace     code has an ability to place malicious entries in the     GDT, particularly to the per-cpu variables. An attacker     can use this to escalate their privileges.

  - Use-after-free vulnerability in the snd_pcm_info()     function in the ALSA subsystem in the Linux kernel     allows attackers to induce a kernel memory corruption     and possibly crash or lock up a system. Due to the     nature of the flaw, a privilege escalation cannot be     fully ruled out, although we believe it is unlikely.

  - ALSA sequencer core initializes the event pool on     demand by invoking snd_seq_pool_init() when the first     write happens and the pool is empty. A user can reset     the pool size manually via ioctl concurrently, and this     may lead to UAF or out-of-bound access.

  - In the Linux kernel versions 4.12, 3.10, 2.6, and     possibly earlier, a race condition vulnerability exists     in the sound system allowing for a potential deadlock     and memory corruption due to use-after-free condition     and thus denial of service. Due to the nature of the     flaw, privilege escalation cannot be fully ruled out,     although we believe it is unlikely.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - Modern operating systems implement virtualization of     physical memory to efficiently use available system     resources and provide inter-domain protection through     access control and isolation. The L1TF issue was found     in the way the x86 microprocessor designs have     implemented speculative execution of instructions (a     commonly used performance optimisation) in combination     with handling of page-faults caused by terminated     virtual to physical address resolving process. As a     result, an unprivileged attacker could use this flaw to     read privileged memory of the kernel or other processes     and/or cross guest/host boundaries to read host memory     by conducting targeted cache side-channel attacks.
    (CVE-2018-3620, CVE-2018-3646)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of instructions past bounds check. The flaw     relies on the presence of a precisely-defined     instruction sequence in the privileged code and the fact     that memory writes occur to an address which depends on     the untrusted value. Such writes cause an update into     the microprocessor's data cache even for speculatively     executed instructions that never actually commit     (retire). As a result, an unprivileged attacker could     use this flaw to influence speculative execution and/or     read privileged memory by conducting targeted cache     side- channel attacks. (CVE-2018-3693)

  - kernel: kvm: vmx: host GDT limit corruption     (CVE-2018-10901)

  - kernel: Use-after-free in snd_pcm_info function in ALSA     subsystem potentially leads to privilege escalation     (CVE-2017-0861)

  - kernel: Use-after-free in snd_seq_ioctl_create_port()     (CVE-2017-15265)

  - kernel: race condition in snd_seq_write() may lead to     UAF or OOB-access (CVE-2018-7566)

  - kernel: Race condition in sound system can lead to     denial of service (CVE-2018-1000004)

Bug Fix(es) :

  - The Least recently used (LRU) operations are batched by     caching pages in per-cpu page vectors to prevent     contention of the heavily used lru_lock spinlock. The     page vectors can hold even the compound pages.
    Previously, the page vectors were cleared only if they     were full. Subsequently, the amount of memory held in     page vectors, which is not reclaimable, was sometimes     too high. Consequently the page reclamation started the     Out of Memory (OOM) killing processes. With this update,     the underlying source code has been fixed to clear LRU     page vectors each time when a compound page is added to     them. As a result, OOM killing processes due to high     amounts of memory held in page vectors no longer occur.

An update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.
(CVE-2018-3620, CVE-2018-3646)

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639)

* kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.

An update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.
(CVE-2018-3620, CVE-2018-3646)

* kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.

An update for kernel is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.
(CVE-2018-3620, CVE-2018-3646)

* kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.

An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.
(CVE-2018-3620, CVE-2018-3646)

* kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.
(CVE-2018-3620, CVE-2018-3646)

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks.
(CVE-2018-3693)

* A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.
(CVE-2018-5390)

* kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901)

* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265)

* kernel: race condition in snd_seq_write() may lead to UAF or OOB-access (CVE-2018-7566)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693;
Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390; and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.

Bug Fix(es) :

* The Least recently used (LRU) operations are batched by caching pages in per-cpu page vectors to prevent contention of the heavily used lru_lock spinlock. The page vectors can hold even the compound pages. Previously, the page vectors were cleared only if they were full. Subsequently, the amount of memory held in page vectors, which is not reclaimable, was sometimes too high. Consequently the page reclamation started the Out of Memory (OOM) killing processes. With this update, the underlying source code has been fixed to clear LRU page vectors each time when a compound page is added to them. As a result, OOM killing processes due to high amounts of memory held in page vectors no longer occur. (BZ#1575819)

From Red Hat Security Advisory 2018:2390 :

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.
(CVE-2018-3620, CVE-2018-3646)

* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks.
(CVE-2018-3693)

* A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.
(CVE-2018-5390)

* kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901)

* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)

* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265)

* kernel: race condition in snd_seq_write() may lead to UAF or OOB-access (CVE-2018-7566)

* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693;
Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390; and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.

Bug Fix(es) :

* The Least recently used (LRU) operations are batched by caching pages in per-cpu page vectors to prevent contention of the heavily used lru_lock spinlock. The page vectors can hold even the compound pages. Previously, the page vectors were cleared only if they were full. Subsequently, the amount of memory held in page vectors, which is not reclaimable, was sometimes too high. Consequently the page reclamation started the Out of Memory (OOM) killing processes. With this update, the underlying source code has been fixed to clear LRU page vectors each time when a compound page is added to them. As a result, OOM killing processes due to high amounts of memory held in page vectors no longer occur. (BZ#1575819)

A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
(CVE-2018-1108)

A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service. (CVE-2018-8897)

A flaw was found in the Linux kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. (CVE-2018-1068)

The Linux kernel is vulerable to a use-after-free flaw when Transformation User configuration interface(CONFIG_XFRM_USER) compile-time configuration were enabled. This vulnerability occurs while closing a xfrm netlink socket in xfrm_dump_policy_done. A user/process could abuse this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

A flaw was found in the Linux kernel where a crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration. This is due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.(CVE-2018-1091)

An address corruption flaw was discovered in the Linux kernel built with hardware breakpoint (CONFIG_HAVE_HW_BREAKPOINT) support. While modifying a h/w breakpoint via 'modify_user_hw_breakpoint' routine, an unprivileged user/process could use this flaw to crash the system kernel resulting in DoS OR to potentially escalate privileges on a the system.(CVE-2018-1000199)

A flaw was found in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.(CVE-2018-1087)

A flaw was found in the Linux kernel's skcipher component, which affects the skcipher_recvmsg function. Attackers using a specific input can lead to a privilege escalation.(CVE-2017-13215)

The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.(CVE-2018-10675)

A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.(CVE-2018-10901)

A race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
(CVE-2018-7995)

Race condition in the store_int_with_restart() function in cpu/mcheck/mce.c :

A race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
(CVE-2018-7995)

Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c :

A flaw was found in the Linux kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. (CVE-2018-1068)

A flaw was found in the Linux kernel's skcipher component, which affects the skcipher_recvmsg function. Attackers using a specific input can lead to a privilege escalation.(CVE-2017-13215)

The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.(CVE-2018-10675)

A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.(CVE-2018-10901)

ID	Name	Product	Family	Severity
127408	NewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0143)	Nessus	NewStart CGSL Local Security Checks	critical
121068	Juniper Junos Space 18.4.x < 18.4R1 Multiple Vulnerabilities (JSA10917)	Nessus	Junos Local Security Checks	high
112018	Virtuozzo 6 : cpupools / cpupools-features / etc (VZA-2018-055)	Nessus	Virtuozzo Local Security Checks	high
111777	Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180814) (Foreshadow)	Nessus	Scientific Linux Local Security Checks	high
111735	RHEL 6 : kernel (RHSA-2018:2394) (Foreshadow) (Spectre)	Nessus	Red Hat Local Security Checks	high
111734	RHEL 6 : kernel (RHSA-2018:2393) (Foreshadow)	Nessus	Red Hat Local Security Checks	high
111733	RHEL 6 : kernel (RHSA-2018:2392) (Foreshadow)	Nessus	Red Hat Local Security Checks	high
111732	RHEL 6 : kernel (RHSA-2018:2391) (Foreshadow)	Nessus	Red Hat Local Security Checks	high
111731	RHEL 6 : kernel (RHSA-2018:2390) (Foreshadow)	Nessus	Red Hat Local Security Checks	high
111724	Oracle Linux 6 : kernel (ELSA-2018-2390) (Foreshadow)	Nessus	Oracle Linux Local Security Checks	high
111704	CentOS 6 : kernel (CESA-2018:2390) (Foreshadow)	Nessus	CentOS Local Security Checks	high
110197	Amazon Linux AMI : kernel (ALAS-2018-1023)	Nessus	Amazon Linux Local Security Checks	high
109177	Amazon Linux 2 : kernel (ALAS-2018-994)	Nessus	Amazon Linux Local Security Checks	high

CVE-2018-10901

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins