RHSA-2019:1350

RHSA-2019:2029

RHSA-2019:2043

https://bugzilla.kernel.org/show_bug.cgi?id=199915

https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=23fcb3340d033d9f081e21e6c12c2db7eaa541d3

https://github.com/torvalds/linux/commit/23fcb3340d033d9f081e21e6c12c2db7eaa541d3

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,     there is a possible use after free due to a logic     error. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0466)

  - fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8,     when there is an NFS export of a subdirectory of a     filesystem, allows remote attackers to traverse to     other parts of the filesystem via READDIRPLUS. NOTE:
    some parties argue that such a subdirectory export is     not intended to prevent this attack see also the     exports(5) no_subtree_check default     behavior.(CVE-2021-3178)

  - An issue was discovered in the Linux kernel through     5.11.3. A kernel pointer leak can be used to determine     the address of the iscsi_transport structure. When an     iSCSI transport is registered with the iSCSI subsystem,     the transport's handle is available to unprivileged     users via the sysfs file system, at     /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When     read, the show_transport_handle function (in     drivers/scsi/scsi_transport_iscsi.c) is called, which     leaks the handle. This handle is actually the pointer     to an iscsi_transport struct in the kernel module's     global variables.(CVE-2021-27363)

  - An issue was discovered in the Linux kernel through     5.11.3. drivers/scsi/scsi_transport_iscsi.c is     adversely affected by the ability of an unprivileged     user to craft Netlink messages.(CVE-2021-27364)

  - A race condition was found in the Linux kernels     implementation of the floppy disk drive controller     driver software. The impact of this issue is lessened     by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the     permissions on the device have changed the impact     changes greatly. In the default configuration root (or     equivalent) permissions are required to attack this     flaw.(CVE-2021-20261)

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel     before 4.15, local users can cause a denial of service     (NULL pointer dereference and BUG) because a required     mutex is not used.(CVE-2017-18216)

  - The omninet_open function in     drivers/usb/serial/omninet.c in the Linux kernel before     4.10.4 allows local users to cause a denial of service     (tty exhaustion) by leveraging reference count     mishandling.(CVE-2017-8925)

  - A flaw was found in the way memory resources were freed     in the unix_stream_recvmsg function in the Linux kernel     when a signal was pending. This flaw allows an     unprivileged local user to crash the system by     exhausting available memory. The highest threat from     this vulnerability is to system     availability.(CVE-2021-20265)

  - A flaw was found in the JFS filesystem code in the     Linux Kernel which allows a local attacker with the     ability to set extended attributes to panic the system,     causing memory corruption or escalating privileges. The     highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-27815)

  - An out-of-bounds (OOB) memory access flaw was found in     x25_bind in net/x25/af_x25.c in the Linux kernel     version v5.12-rc5. A bounds check failure allows a     local attacker with a user account on the system to     gain access to out-of-bounds memory, leading to a     system crash or a leak of internal kernel information.
    The highest threat from this vulnerability is to     confidentiality, integrity, as well as system     availability.(CVE-2020-35519)

  - There is a flaw reported in the Linux kernel in     versions before 5.9 in     drivers/gpu/drm/nouveau/nouveau_sgdma.c in     nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The     issue results from the lack of validating the existence     of an object prior to performing operations on the     object. An attacker with a local account with a root     privilege, can leverage this vulnerability to escalate     privileges and execute code in the context of the     kernel.(CVE-2021-20292)

  - In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux     kernel through 5.11.8, the RPA PCI Hotplug driver has a     user-tolerable buffer overflow when writing a new     device name to the driver from userspace, allowing     userspace to write data to the kernel stack frame     directly. This occurs because add_slot_store and     remove_slot_store mishandle drc_name '\0' termination,     aka CID-cc7a0bb058b8.(CVE-2021-28972)

  - A race condition was discovered in get_old_root in     fs/btrfs/ctree.c in the Linux kernel through 5.11.8. It     allows attackers to cause a denial of service (BUG)     because of a lack of locking on an extent buffer before     a cloning operation, aka     CID-dbcc7d57bffc.(CVE-2021-28964)

  - An issue was discovered in the Linux kernel before     5.11.7. usbip_sockfd_store in     drivers/usb/usbip/stub_dev.c allows attackers to cause     a denial of service (GPF) because the stub-up sequence     has race conditions during an update of the local and     shared status, aka CID-9380afd6df70.(CVE-2021-29265)

  - BPF JIT compilers in the Linux kernel through 5.11.12     have incorrect computation of branch displacements,     allowing them to execute arbitrary code within the     kernel context. This affects     arch/x86/net/bpf_jit_comp.c and     arch/x86/net/bpf_jit_comp32.c.(CVE-2021-29154)

  - The KVM implementation in the Linux kernel through     4.14.7 allows attackers to obtain potentially sensitive     information from kernel memory, aka a write_mmio     stack-based out-of-bounds read, related to     arch/x86/kvm/x86.c and     include/trace/events/kvm.h.(CVE-2017-17741)

  - An issue was discovered in the Linux kernel before     5.11.3 when a webcam device exists. video_usercopy in     drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak     for large arguments, aka     CID-fb18802a338b.(CVE-2021-30002)

  - An issue was discovered in the Linux kernel through     4.17.10. There is an invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when     mounting a crafted btrfs image, related to removing     reloc rb_trees when reloc control has not been     initialized.(CVE-2018-14609)

  - An issue was discovered in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel     through 4.17.3. A denial of service (memory corruption     and BUG) can occur for a corrupted xfs image upon     encountering an inode that is in extent format, but has     more extents than fit in the inode     fork.(CVE-2018-13095)

  - The vmw_gb_surface_define_ioctl function in     drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux     kernel through 4.10.7 does not validate certain levels     data, which allows local users to cause a denial of     service (system hang) via a crafted ioctl call for a     /dev/dri/renderD* device.(CVE-2017-7346)

  - The klsi_105_get_line_state function in     drivers/usb/serial/kl5kusb105.c in the Linux kernel     before 4.9.5 places uninitialized heap-memory contents     into a log entry upon a failure to read the line     status, which allows local users to obtain sensitive     information by reading the log.(CVE-2017-5549)

  - An integer overflow in the uvesafb_setcmap function in     drivers/video/fbdev/uvesafb.c in the Linux kernel     before 4.17.4 could result in local attackers being     able to crash the kernel or potentially elevate     privileges because kmalloc_array is not     used.(CVE-2018-13406)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x     before 4.9.11 interacts incorrectly with the     CONFIG_VMAP_STACK option, which allows local users to     cause a denial of service (system crash or memory     corruption) or possibly have unspecified other impact     by leveraging use of more than one virtual page for a     DMA scatterlist.(CVE-2017-8069)

  - An issue was discovered in the Linux kernel through     5.11.3. Certain iSCSI data structures do not have     appropriate length constraints or checks, and can     exceed the PAGE_SIZE value. An unprivileged user can     send a Netlink message that is associated with iSCSI,     and has a length up to the maximum length of a Netlink     message.(CVE-2021-27365)

  - A flaw was found in the Nosy driver in the Linux     kernel. This issue allows a device to be inserted twice     into a doubly-linked list, leading to a use-after-free     when one of these devices is removed. The highest     threat from this vulnerability is to confidentiality,     integrity, as well as system availability. Versions     before kernel 5.12-rc6 are affected(CVE-2021-3483)

  - An issue was discovered in the FUSE filesystem     implementation in the Linux kernel before 5.10.6, aka     CID-5d069dbe8aaf. fuse_do_getattr() calls     make_bad_inode() in inappropriate situations, causing a     system crash. NOTE: the original fix for this     vulnerability was incomplete, and its incompleteness is     tracked as CVE-2021-28950.(CVE-2020-36322)

  - An out-of-bounds (OOB) memory write flaw was found in     list_devices in drivers/md/dm-ioctl.c in the     Multi-device driver module in the Linux kernel before     5.12. A bound check failure allows an attacker with     special user (CAP_SYS_ADMIN) privilege to gain access     to out-of-bounds memory leading to a system crash or a     leak of internal kernel information. The highest threat     from this vulnerability is to system     availability.(CVE-2021-31916)

  - A vulnerability was found in Linux Kernel, where a     refcount leak in llcp_sock_connect() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25671)

  - A vulnerability was found in Linux Kernel where     refcount leak in llcp_sock_bind() causing     use-after-free which might lead to privilege     escalations.(CVE-2020-25670)

  - A memory leak vulnerability was found in Linux kernel     in llcp_sock_connect(CVE-2020-25672)

  - The Linux kernel before 5.11.14 has a use-after-free in     cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the     CIPSO and CALIPSO refcounting for the DOI definitions     is mishandled, aka CID-ad5d07f4a9cd. This leads to     writing an arbitrary value.(CVE-2021-33033)

  - Use After Free vulnerability in nfc sockets in the     Linux Kernel before 5.12.4 allows local attackers to     elevate their privileges. In typical configurations,     the issue can only be triggered by a privileged local     user with the CAP_NET_RAW capability.(CVE-2021-23134)

  - A flaw use-after-free in function     hci_sock_bound_ioctl() of the Linux kernel HCI     subsystem was found in the way user detaches bluetooth     dongle or other way triggers unregister bluetooth     device event. A local user could use this flaw to crash     the system or escalate their privileges on the     system.(CVE-2021-3573)

  - An issue was discovered in the Linux kernel through     5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute     code in the kernel, aka     CID-34b1a1ce1458.(CVE-2021-3347)

  - A vulnerability was found in Linux kernel where     non-blocking socket in llcp_sock_connect() leads to     leak and eventually hanging-up the     system.(CVE-2020-25673)

  - net/bluetooth/hci_request.c in the Linux kernel through     5.12.2 has a race condition for removal of the HCI     controller.(CVE-2021-32399)

  - In all Qualcomm products with Android releases from CAF     using the Linux kernel, during DMA allocation, due to     wrong data type of size, allocation size gets truncated     which makes allocation succeed when it should     fail.(CVE-2017-9725)

  - A flaw double-free memory corruption in the Linux     kernel HCI device initialization subsystem was found in     the way user attach malicious HCI TTY Bluetooth device.
    A local user could use this flaw to crash the system.
    This flaw affects all the Linux kernel versions     starting from 3.13.(CVE-2021-3564)

  - A flaw was found in the CAN BCM networking protocol in     the Linux kernel, where a local attacker can abuse a     flaw in the CAN subsystem to corrupt memory, crash the     system or escalate privileges.(CVE-2021-3609)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - An Out-of-Bounds Read was discovered in     arch/arm/mach-footbridge/personal-pci.c in the Linux     kernel through 5.12.11 because of the lack of a check     for a value that shouldn't be negative, e.g., access to     element -2 of an array, aka     CID-298a58e165e4.(CVE-2021-32078)

  - In the Linux kernel before 4.20.8,     kvm_ioctl_create_device in virt/kvm/kvm_main.c     mishandles reference counting because of a race     condition, leading to a use-after-free.(CVE-2019-6974)

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2020-0404)

  - In create_pinctrl of core.c, there is a possible out of     bounds read due to a use after free. This could lead to     local information disclosure with no additional     execution privileges needed. User interaction is not     needed for exploitation.(CVE-2020-0427)

  - In kbd_keycode of keyboard.c, there is a possible out     of bounds write due to a missing bounds check. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-144161459(CVE-2020-0431)

  - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is     a possible use after free due to improper locking. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0433)

  - In various methods of hid-multitouch.c, there is a     possible out of bounds write due to a missing bounds     check. This could lead to local escalation of privilege     with no additional execution privileges needed. User     interaction is not needed for     exploitation.(CVE-2020-0465)

  - A vulnerability was found in the Linux Kernel where the     function sunkbd_reinit having been scheduled by     sunkbd_interrupt before sunkbd being freed. Though the     dangling pointer is set to NULL in sunkbd_disconnect,     there is still an alias in sunkbd_reinit causing Use     After Free.(CVE-2020-25669)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4904-1 advisory.

  - The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr     operations that underspecifies removing extended privilege attributes, which allows local users to cause a     denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by     using chown to remove a capability from the ping or Wireshark dumpcap program. (CVE-2015-1350)

  - The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local     users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the     /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the
    __timer_stats_timer_set_start_info function in kernel/time/timer.c. (CVE-2017-5967)

  - The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11     allows local users to cause a denial of service (improper error handling and system crash) or possibly     have unspecified other impact via a crafted USB device. (CVE-2017-16644)

  - An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of     service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is     in extent format, but has more extents than fit in the inode fork. (CVE-2018-13095)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,     leading to a NULL pointer dereference. (CVE-2019-16231)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16232)

  - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka     CID-9c0530e898f3. (CVE-2019-19061)

  - A race condition was found in the Linux kernels implementation of the floppy disk drive controller driver     software. The impact of this issue is lessened by the fact that the default permissions on the floppy     device (/dev/fd0) are restricted to root. If the permissions on the device have changed the impact changes     greatly. In the default configuration root (or equivalent) permissions are required to attack this flaw.
    (CVE-2021-20261)

  - An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to     the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be     encountered. In one case, an error encountered earlier might be discarded by later processing, resulting     in the caller assuming successful mapping, and hence subsequent operations trying to access space that     wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery     from the error. This affects drivers/block/xen-blkback/blkback.c. (CVE-2021-26930)

  - An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI     backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially     being at least under the influence of guests (such as out of memory conditions), it isn't correct to     assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running     in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.
    (CVE-2021-26931)

  - An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the     netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of     changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior     of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
    (CVE-2021-28038)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4907-1 advisory.

  - An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of     service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is     in extent format, but has more extents than fit in the inode fork. (CVE-2018-13095)

  - An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free     during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.
    (CVE-2021-3347)

  - nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-     free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a     certain point during device setup, aka CID-b98e762e3d71. (CVE-2021-3348)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es) :

* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

* Kernel: page cache side channel attacks (CVE-2019-5489)

* kernel: Buffer overflow in hidp_process_report (CVE-2018-9363)

* kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517)

* kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853)

* kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625)

* kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734)

* kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594)

* kernel: TLB flush happens too late on mremap (CVE-2018-18281)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882)

* kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)

* kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810)

* kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)

* kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755)

* kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087)

* kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516)

* kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)

* kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093)

* kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094)

* kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

* kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)

* kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885)

* Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Security Fix(es) :

  - Kernel: vhost_net: infinite loop while receiving packets     leads to DoS (CVE-2019-3900)

  - Kernel: page cache side channel attacks (CVE-2019-5489)

  - kernel: Buffer overflow in hidp_process_report     (CVE-2018-9363)

  - kernel: l2tp: Race condition between     pppol2tp_session_create() and l2tp_eth_create()     (CVE-2018-9517)

  - kernel: kvm: guest userspace to guest kernel write     (CVE-2018-10853)

  - kernel: use-after-free Read in vhost_transport_send_pkt     (CVE-2018-14625)

  - kernel: use-after-free in ucma_leave_multicast in     drivers/infiniband/core/ucma.c (CVE-2018-14734)

  - kernel: Mishandling of indirect calls weakens Spectre     mitigation for paravirtual guests (CVE-2018-15594)

  - kernel: TLB flush happens too late on mremap     (CVE-2018-18281)

  - kernel: Heap address information leak while using     L2CAP_GET_CONF_OPT (CVE-2019-3459)

  - kernel: Heap address information leak while using     L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

  - kernel: denial of service vector through vfio DMA     mappings (CVE-2019-3882)

  - kernel: fix race condition between     mmget_not_zero()/get_task_mm() and core dumping     (CVE-2019-11599)

  - kernel: a NULL pointer dereference in     drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS     (CVE-2019-11810)

  - kernel: fs/ext4/extents.c leads to information     disclosure (CVE-2019-11833)

  - kernel: Information exposure in fd_locked_ioctl function     in drivers/block/floppy.c (CVE-2018-7755)

  - kernel: Memory leak in     drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl     () can lead to potential denial of service     (CVE-2018-8087)

  - kernel: HID: debug: Buffer overflow in     hid_debug_events_read() in drivers/hid/hid-debug.c     (CVE-2018-9516)

  - kernel: Integer overflow in the alarm_timer_nsleep     function (CVE-2018-13053)

  - kernel: NULL pointer dereference in lookup_slow function     (CVE-2018-13093)

  - kernel: NULL pointer dereference in xfs_da_shrink_inode     function (CVE-2018-13094)

  - kernel: NULL pointer dereference in     fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

  - kernel: Information leak in cdrom_ioctl_drive_status     (CVE-2018-16658)

  - kernel: out-of-bound read in memcpy_fromiovecend()     (CVE-2018-16885)

  - Kernel: KVM: leak of uninitialized stack contents to     guest (CVE-2019-7222)

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900)

* Kernel: page cache side channel attacks (CVE-2019-5489)

* kernel: Buffer overflow in hidp_process_report (CVE-2018-9363)

* kernel: l2tp: Race condition between pppol2tp_session_create() and l2tp_eth_create() (CVE-2018-9517)

* kernel: kvm: guest userspace to guest kernel write (CVE-2018-10853)

* kernel: use-after-free Read in vhost_transport_send_pkt (CVE-2018-14625)

* kernel: use-after-free in ucma_leave_multicast in drivers/infiniband/core/ ucma.c (CVE-2018-14734)

* kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests (CVE-2018-15594)

* kernel: TLB flush happens too late on mremap (CVE-2018-18281)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882)

* kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599)

* kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810)

* kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833)

* kernel: Information exposure in fd_locked_ioctl function in drivers/block/ floppy.c (CVE-2018-7755)

* kernel: Memory leak in drivers/net/wireless/ mac80211_hwsim.c:hwsim_new_radio_nl() can lead to potential denial of service (CVE-2018-8087)

* kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/ hid/hid-debug.c (CVE-2018-9516)

* kernel: Integer overflow in the alarm_timer_nsleep function (CVE-2018-13053)

* kernel: NULL pointer dereference in lookup_slow function (CVE-2018-13093)

* kernel: NULL pointer dereference in xfs_da_shrink_inode function (CVE-2018-13094)

* kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

* kernel: Information leak in cdrom_ioctl_drive_status (CVE-2018-16658)

* kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885)

* Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

An update for kernel-alt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

The kernel-alt packages provide the Linux kernel version 4.x.

Security Fix(es) :

* kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c (CVE-2018-13095)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* [rhel-alt] Could not remove the function from /sys/kernel/debug/tracing/ kprobe_events (BZ#1677171)

* RHEL-ALT-7.6z: usage of stale vma in do_fault() can lead to a crash (BZ# 1679243)

* RHEL-Alt-7.6 - Backport support for software count cache flush Spectre v2 mitigation (BZ#1692682)

* RHEL-Alt-7.6 - [LTC Test][SR-IOV]: Guest with VF pass-through crashes during reboot operation in a loop. (kvm) (libvirt/kernel) (BZ#1693146)

* RHEL-Alt-7.6 - Tolerate new s390x crypto hardware for migration (BZ# 1695643)

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the USB-MIDI Linux kernel driver: a     double-free error could be triggered for the 'umidi'     object. An attacker with physical access to the system     could use this flaw to escalate their     privileges.(CVE-2016-2384i1/4%0

  - A vulnerability was found in Linux kernel. There is an     information leak in file 'sound/core/timer.c' of the     latest mainline Linux kernel, the stack object     aEURoetreadaEUR has a total size of 32 bytes. It contains a     8-bytes padding, which is not initialized but sent to     user via copy_to_user(), resulting a kernel     leak.(CVE-2016-4569i1/4%0

  - The dgram_recvmsg function in net/ieee802154/dgram.c in     the Linux kernel before 3.12.4 updates a certain length     value without ensuring that an associated data     structure has been initialized, which allows local     users to obtain sensitive information from kernel stack     memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg     system call.(CVE-2013-7281i1/4%0

  - The tcp_v6_syn_recv_sock function in     net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11     allows attackers to cause a denial of service (slab     out-of-bounds write) or possibly have unspecified other     impact via vectors involving TLS.(CVE-2018-5703i1/4%0

  - An issue was discovered in the fd_locked_ioctl function     in drivers/block/floppy.c in the Linux kernel. The     floppy driver will copy a kernel pointer to user memory     in response to the FDGETPRM ioctl. An attacker can send     the FDGETPRM ioctl and use the obtained kernel pointer     to discover the location of kernel code and data and     bypass kernel security protections such as     KASLR.(CVE-2018-7755i1/4%0

  - The usbnet_generic_cdc_bind function in     drivers/net/usb/cdc_ether.c in the Linux kernel through     4.13.11 allows local users to cause a denial of service     (divide-by-zero error and system crash) or possibly     have unspecified other impact via a crafted USB     device.(CVE-2017-16649i1/4%0

  - Heap-based buffer overflow in the wcnss_wlan_write     function in drivers/net/wireless/wcnss/wcnss_wlan.c in     the wcnss_wlan device driver for the Linux kernel 3.x,     as used in Qualcomm Innovation Center (QuIC) Android     contributions for MSM devices and other products,     allows attackers to cause a denial of service or     possibly have unspecified other impact by writing to     /dev/wcnss_wlan with an unexpected amount of     data.(CVE-2016-5342i1/4%0

  - drivers/media/usb/dvb-usb/dib0700_devices.c in the     Linux kernel through 4.13.11 allows local users to     cause a denial of service (BUG and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16646i1/4%0

  - A flaw was found in the TIPC networking subsystem which     could allow for memory corruption and possible     privilege escalation. The flaw involves a system with     an unusually low MTU (60) on networking devices     configured as bearers for the TIPC protocol. An     attacker could create a packet which will overwrite     memory outside of allocated space and allow for     privilege escalation.(CVE-2016-8632i1/4%0

  - An issue was discovered in the XFS filesystem in     fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel. A     denial of service due to the NULL pointer dereference     can occur for a corrupted xfs image upon encountering     an inode that is in extent format, but has more extents     than fit in the inode fork.(CVE-2018-13095i1/4%0

  - Linux kernel built with the KVM visualization support     (CONFIG_KVM), with nested visualization (nVMX) feature     enabled (nested=1), is vulnerable to a crash due to     disabled external interrupts. As L2 guest could access     (r/w) hardware CR8 register of the host(L0). In a     nested visualization setup, L2 guest user could use     this flaw to potentially crash the host(L0) resulting     in DoS.(CVE-2017-12154i1/4%0

  - The do_double_fault function in arch/x86/kernel/traps.c     in the Linux kernel through 3.17.4 does not properly     handle faults associated with the Stack Segment (SS)     segment register, which allows local users to cause a     denial of service (panic) via a modify_ldt system call,     as demonstrated by sigreturn_32 in the     linux-clock-tests test suite.(CVE-2014-9090i1/4%0

  - A race condition flaw was found in the way the Linux     kernel's mac80211 subsystem implementation handled     synchronization between TX and STA wake-up code paths.
    A remote attacker could use this flaw to crash the     system.(CVE-2014-2706i1/4%0

  - The snd_seq_ioctl_remove_events function in     sound/core/seq/seq_clientmgr.c in the Linux kernel     before 4.4.1 does not verify FIFO assignment before     proceeding with FIFO clearing, which allows local users     to cause a denial of service (NULL pointer dereference     and OOPS) via a crafted ioctl call.(CVE-2016-2543i1/4%0

  - The gtco_probe function in drivers/input/tablet/gtco.c     in the Linux kernel through 4.5.2 allows physically     proximate attackers to cause a denial of service (NULL     pointer dereference and system crash) via a crafted     endpoints value in a USB device     descriptor.(CVE-2016-2187i1/4%0

  - An integer overflow flaw was found in the Linux     kernel's create_elf_tables() function. An unprivileged     local user with access to SUID (or otherwise     privileged) binary could use this flaw to escalate     their privileges on the system.(CVE-2018-14634i1/4%0

  - A use-after-free flaw was found in the Netlink     functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify     function, a local attacker could potentially use this     flaw to escalate their privileges on the     system.(CVE-2017-11176i1/4%0

  - Array index error in the aio_read_events_ring function     in fs/aio.c in the Linux kernel through 3.15.1 allows     local users to obtain sensitive information from kernel     memory via a large head value.(CVE-2014-0206i1/4%0

  - arch/arm/kernel/sys_oabi-compat.c in the Linux kernel     before 4.4 allows local users to gain privileges via a     crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3)     F_OFD_SETLKW command in an fcntl64 system     call.(CVE-2015-8966i1/4%0

  - An issue was discovered in the Linux kernel through     4.17.2. The filter parsing in     kernel/trace/trace_events_filter.c could be called with     no filter, which is an N=0 case when it expected at     least one line to have been read, thus making the N-1     index invalid. This allows attackers to cause a denial     of service (slab out-of-bounds write) or possibly have     unspecified other impact via crafted perf_event_open     and mmap system calls.(CVE-2018-12714i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The v4.17.5 update contains important fixes across the tree

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-14617: Prevent NULL pointer dereference and panic in hfsplus_lookup() when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bsc#1102870)

CVE-2018-14613: Prevent invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, caused by a lack of block group item validation in check_leaf_item (bsc#1102896).

CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)

CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001)

CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000)

CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999)

CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)

CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)

CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)

CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)

CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748)

CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748)

CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes.

CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104).

CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811)

CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846)

CVE-2018-10878: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (bnc#1099813)

CVE-2018-10879: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (bnc#1099844)

CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. (bnc#1099845)

CVE-2018-10881: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
(bnc#1099864)

CVE-2018-10882: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (bnc#1099849)

CVE-2018-10883: A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
(bnc#1099863)

CVE-2018-10902: It was found that the raw midi kernel driver did not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation (bnc#1105322).

CVE-2018-10938: A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw (bnc#1106016).

CVE-2018-10940: The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bnc#1092903).

CVE-2018-12896: An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922).

CVE-2018-13093: There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001).

CVE-2018-13094: An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).

CVE-2018-13095: A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999).

CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).

CVE-2018-14678: The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S did not properly maintain RBX, which allowed local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges (bnc#1102715).

CVE-2018-15572: The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517 bnc#1105296).

CVE-2018-15594: arch/x86/kernel/paravirt.c mishandled certain indirect calls, which made it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests (bnc#1105348).

CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095).

CVE-2018-16658: An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 (bnc#1107689).

CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).

CVE-2018-6554: Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509).

CVE-2018-6555: The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511).

CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).

CVE-2018-9363: A buffer overflow in bluetooth HID report processing could be used by malicious bluetooth devices to crash the kernel or potentially execute code (bnc#1105292). The following security bugs were fixed :

CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 azure kernel was updated to 4.4.155 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001)

CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999)

CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000)

CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922)

CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)

CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)

CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)

CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)

CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748)

CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748)

CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016)

CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517)

CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322).

CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)

CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863)

CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844)

CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813)

CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811)

CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846)

CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864)

CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849)

CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001).

CVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999).

CVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).

CVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922).

CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689).

CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511).

CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509).

CVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748).

CVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748).

CVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016).

CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517).

CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322 1105323).

CVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)

CVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863).

CVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844).

CVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813).

CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811).

CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846).

CVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864).

CVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849).

CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
153271	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-2392)	Nessus	Huawei Local Security Checks	high
148498	Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-4904-1)	Nessus	Ubuntu Local Security Checks	medium
148493	Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4907-1)	Nessus	Ubuntu Local Security Checks	high
128651	CentOS 7 : kernel (CESA-2019:2029)	Nessus	CentOS Local Security Checks	medium
128226	Scientific Linux Security Update : kernel on SL7.x x86_64 (20190806)	Nessus	Scientific Linux Local Security Checks	medium
127655	RHEL 7 : kernel-rt (RHSA-2019:2043)	Nessus	Red Hat Local Security Checks	medium
127650	RHEL 7 : kernel (RHSA-2019:2029)	Nessus	Red Hat Local Security Checks	medium
125713	RHEL 7 : kernel-alt (RHSA-2019:1350)	Nessus	Red Hat Local Security Checks	medium
125101	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1513)	Nessus	Huawei Local Security Checks	critical
123329	openSUSE Security Update : the Linux Kernel (openSUSE-2019-769)	Nessus	SuSE Local Security Checks	high
120418	Fedora 28 : kernel (2018-50075276e8)	Nessus	Fedora Local Security Checks	high
120118	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:2980-1)	Nessus	SuSE Local Security Checks	high
118034	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3084-1)	Nessus	SuSE Local Security Checks	high
117988	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1140)	Nessus	SuSE Local Security Checks	high
117800	SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2858-1)	Nessus	SuSE Local Security Checks	high
117629	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:2776-1)	Nessus	SuSE Local Security Checks	high
117523	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1016)	Nessus	SuSE Local Security Checks	high
111243	Fedora 27 : kernel (2018-8484550fff)	Nessus	Fedora Local Security Checks	high

CVE-2018-13095

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

medium

high

medium

medium

medium

medium

medium

critical

high

high

high

high

high

high

high

high

high