[debian-lts-announce] 20181003 [SECURITY] [DLA 1531-1] linux-4.9 security update

https://source.android.com/security/bulletin/pixel/2018-09-01

USN-3871-1

USN-3871-3

USN-3871-4

USN-3871-5

DSA-4308

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).

CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946).

CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319).

CVE-2018-16862: A security flaw was found in a way that the cleancache subsystem clears an inode after the final file truncation (removal).
The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186).

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check.
This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
(bnc#1108498).

CVE-2019-3459, CVE-2019-3460: The Blutooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly ensure that xattr information remained in inode bodies. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10880)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel could possibly perform an out of bounds write when updating the journal for an inline file. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10883)

It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information (host machine kernel memory). (CVE-2018-14625)

Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of the Linux kernel, when handling interrupts in environments where nested virtualization is in use (nested KVM virtualization is not enabled by default in Ubuntu kernels). A local attacker in a guest VM could possibly use this to gain administrative privileges in a host machine. (CVE-2018-16882)

Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)

Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)

Wei Wu discovered that the KVM implementation in the Linux kernel did not properly ensure that ioapics were initialized. A local attacker could use this to cause a denial of service (system crash).
(CVE-2018-19407)

It was discovered that the debug interface for the Linux kernel's HID subsystem did not properly perform bounds checking in some situations.
An attacker with access to debugfs could use this to cause a denial of service or possibly gain additional privileges. (CVE-2018-9516).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - rds: congestion updates can be missed when kernel low on     memory (Mukesh Kacker) [Orabug: 28425811]

  - net/rds: ib: Fix endless RNR Retries caused by memory     allocation failures (Venkat Venkatsubra) [Orabug:
    28127993]

  - net: rds: fix excess initialization of the recv SGEs     (Zhu Yanjun) [Orabug: 29004503]

  - xhci: fix usb2 resume timing and races. (Mathias Nyman)     [Orabug: 29028940]

  - xhci: Fix a race in usb2 LPM resume, blocking U3 for     usb2 devices (Mathias Nyman) [Orabug: 29028940]

  - userfaultfd: check VM_MAYWRITE was set after verifying     the uffd is registered (Andrea Arcangeli) [Orabug:
    29163750] (CVE-2018-18397)

  - userfaultfd: shmem/hugetlbfs: only allow to register     VM_MAYWRITE vmas (Andrea Arcangeli) [Orabug: 29163750]     (CVE-2018-18397)

  - x86/apic/x2apic: set affinity of a single interrupt to     one cpu (Jianchao Wang) [Orabug: 29196396]

  - xen/blkback: rework validate_io_op (Dongli Zhang)     [Orabug: 29199843]

  - xen/blkback: optimize validate_io_op to filter     BLKIF_OP_RESERVED_1 operation (Dongli Zhang) [Orabug:
    29199843]

  - xen/blkback: do not BUG for invalid blkif_request from     frontend (Dongli Zhang) [Orabug: 29199843]

  - net/rds: WARNING: at net/rds/recv.c:222     rds_recv_hs_exthdrs+0xf8/0x1e0 (Venkat Venkatsubra)     [Orabug: 29201779]

  - xen-netback: wake up xenvif_dealloc_kthread when it     should stop (Dongli Zhang) [Orabug: 29217927]

  - Revert 'xfs: remove nonblocking mode from     xfs_vm_writepage' (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: remove xfs_cancel_ioend' (Wengang Wang)     [Orabug: 29279692]

  - Revert 'xfs: Introduce writeback context for writepages'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: xfs_cluster_write is redundant' (Wengang     Wang) [Orabug: 29279692]

  - Revert 'xfs: factor mapping out of xfs_do_writepage'     (Wengang Wang) [Orabug: 29279692]

  - Revert 'xfs: don't chain ioends during writepage     submission' (Wengang Wang) [Orabug: 29279692]

  - mstflint: Fix coding style issues - left with     LINUX_VERSION_CODE (Idan Mehalel) [Orabug: 28878697]

  - mstflint: Fix coding-style issues (Idan Mehalel)     [Orabug: 28878697]

  - mstflint: Fix errors found with checkpatch script (Idan     Mehalel) [Orabug: 28878697]

  - Added support for 5th Gen devices in Secure Boot module     and mtcr (Adham Masarwah) [Orabug: 28878697]

  - Fix typos in mst_kernel (Adham Masarwah) [Orabug:
    28878697]

  - bnxt_en: Report PCIe link properties with     pcie_print_link_status (Brian Maly) [Orabug: 28942099]

  - selinux: Perform both commoncap and selinux xattr checks     (Eric W. Biederman) [Orabug: 28951521]

  - Introduce v3 namespaced file capabilities (Serge E.
    Hallyn) [Orabug: 28951521]

  - rds: ib: Use a delay when reconnecting to the very same     IP address (H&aring kon Bugge) [Orabug: 29138813]

  - Change mincore to count 'mapped' pages rather than     'cached' pages (Linus Torvalds) [Orabug: 29187415]     (CVE-2019-5489)

  - NFSD: Set the attributes used to store the verifier for     EXCLUSIVE4_1 (Kinglong Mee) [Orabug: 29204157]

  - ext4: update i_disksize when new eof exceeds it (Shan     Hai) [Orabug: 28940828]

  - ext4: update i_disksize if direct write past ondisk size     (Eryu Guan) [Orabug: 28940828]

  - ext4: protect i_disksize update by i_data_sem in direct     write path (Eryu Guan) [Orabug: 28940828]

  - ALSA: usb-audio: Fix UAF decrement if card has no live     interfaces in card.c (Hui Peng) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Replace probing flag with active     refcount (Takashi Iwai) [Orabug: 29042981]     (CVE-2018-19824)

  - ALSA: usb-audio: Avoid nested autoresume calls (Takashi     Iwai) [Orabug: 29042981] (CVE-2018-19824)

  - ext4: validate that metadata blocks do not overlap     superblock (Theodore Ts'o) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: update inline int ext4_has_metadata_csum(struct     super_block *sb) (John Donnelly) [Orabug: 29114440]     (CVE-2018-1094)

  - ext4: always initialize the crc32c checksum driver     (Theodore Ts'o) [Orabug: 29114440] (CVE-2018-1094)     (CVE-2018-1094)

  - Revert 'bnxt_en: Reduce default rings on multi-port     cards.' (Brian Maly) [Orabug: 28687746]

  - mlx4_core: Disable P_Key Violation Traps (H&aring kon     Bugge) [Orabug: 27693633]

  - rds: RDS connection does not reconnect after CQ access     violation error (Venkat Venkatsubra) [Orabug: 28733324]

  - KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL     (KarimAllah Ahmed) [Orabug: 28069548]

  - KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL -     reloaded (Mihai Carabas) [Orabug: 28069548]

  - KVM/x86: Add IBPB support (Ashok Raj) [Orabug: 28069548]

  - KVM: x86: pass host_initiated to functions that read     MSRs (Paolo Bonzini) [Orabug: 28069548]

  - KVM: VMX: make MSR bitmaps per-VCPU (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: VMX: introduce alloc_loaded_vmcs (Paolo Bonzini)     [Orabug: 28069548]

  - KVM: nVMX: Eliminate vmcs02 pool (Jim Mattson) [Orabug:
    28069548]

  - KVM: nVMX: fix msr bitmaps to prevent L2 from accessing     L0 x2APIC (Radim Kr&#x10D m&aacute &#x159 ) [Orabug:
    28069548]

  - ocfs2: don't clear bh uptodate for block read (Junxiao     Bi) [Orabug: 28762940]

  - ocfs2: clear journal dirty flag after shutdown journal     (Junxiao Bi) [Orabug: 28924775]

  - ocfs2: fix panic due to unrecovered local alloc (Junxiao     Bi) [Orabug: 28924775]

  - net: rds: fix rds_ib_sysctl_max_recv_allocation error     (Zhu Yanjun) [Orabug: 28947481]

  - x86/speculation: Always disable IBRS in     disable_ibrs_and_friends (Alejandro Jimenez) [Orabug:
    29139710]

  - pinctrl: amd: Use devm_pinctrl_register for pinctrl     registration (Laxman Dewangan) [Orabug: 27539246]     (CVE-2017-18174)

  - mlock: fix mlock count can not decrease in race     condition (Yisheng Xie) [Orabug: 27677611]     (CVE-2017-18221)

  - perf/core: Fix the perf_cpu_time_max_percent check (Tan     Xiaojun) [Orabug: 27823815] (CVE-2017-18255)

  - x86/microcode/intel: Fix a wrong assignment of revision     in _save_mc (Zhenzhong Duan) [Orabug: 28190263]

  - mm: cma: fix incorrect type conversion for size during     dma allocation (Rohit Vaswani) [Orabug: 28407826]     (CVE-2017-9725)

  - x86/speculation: Make enhanced IBRS the default spectre     v2 mitigation (Alejandro Jimenez) [Orabug: 28474851]

  - x86/speculation: Enable enhanced IBRS usage (Alejandro     Jimenez) [Orabug: 28474851]

  - x86/speculation: functions for supporting enhanced IBRS     (Alejandro Jimenez) [Orabug: 28474851]

  - xen/blkback: fix disconnect while I/Os in flight     (Juergen Gross) [Orabug: 28744234]

  - mlx4_vnic: use the mlid while calling ib_detach_mcast     (aru kolappan) [Orabug: 29029705]

  - ext4: fail ext4_iget for root directory if unallocated     (Theodore Ts'o) [Orabug: 29048557] (CVE-2018-1092)     (CVE-2018-1092)

  - Bluetooth: hidp: buffer overflow in hidp_process_report     (Mark Salyzyn) [Orabug: 29121215] (CVE-2018-9363)     (CVE-2018-9363)

  - HID: debug: check length before copy_to_user (Daniel     Rosenberg) [Orabug: 29128165] (CVE-2018-9516)

  - x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug:
    29149888] (CVE-2018-7995)

  - Input: i8042 - fix crash at boot time (Chen Hong)     [Orabug: 29152328] (CVE-2017-18079)

  - base/memory, hotplug: fix a kernel oops in     show_valid_zones (Toshi Kani) [Orabug: 29050538]

  - mm/memory_hotplug.c: check start_pfn in     test_pages_in_a_zone (Toshi Kani) [Orabug: 29050538]

  - drivers/base/memory.c: prohibit offlining of memory     blocks with missing sections (Seth Jennings) [Orabug:
    29050538]

  - mm: Check if section present during memory block     (un)registering (Yinghai Lu) [Orabug: 29050538]

  - hugetlb: take PMD sharing into account when flushing     tlb/caches (Mike Kravetz) [Orabug: 28951854]

  - mm: migration: fix migration of huge PMD shared pages     (Mike Kravetz) [Orabug: 28951854]

  - hugetlbfs: use truncate mutex to prevent pmd sharing     race (Mike Kravetz) [Orabug: 28896255]

  - rds: ib: Improve tracing during failover/back     (H&aring kon Bugge) [Orabug: 28860366]

  - rds: ib: Remove superfluous add of address on fail-back     device (H&aring kon Bugge) [Orabug: 28860366]

  - libiscsi: Fix NULL pointer dereference in     iscsi_eh_session_reset (Fred Herard) [Orabug: 28946207]

  - wil6210: missing length check in wmi_set_ie (Lior David)     [Orabug: 28951265] (CVE-2018-5848)

  - netfilter: xt_osf: Add missing permission checks (Kevin     Cernekee) [Orabug: 29037831] (CVE-2017-17450)

  - x86/speculation: Fix bad argument to rdmsrl in     cpu_set_bug_bits (Alejandro Jimenez) [Orabug: 29044805]

USN-3871-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly ensure that xattr information remained in inode bodies. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10880)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel could possibly perform an out of bounds write when updating the journal for an inline file. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10883)

It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information (host machine kernel memory). (CVE-2018-14625)

Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of the Linux kernel, when handling interrupts in environments where nested virtualization is in use (nested KVM virtualization is not enabled by default in Ubuntu kernels). A local attacker in a guest VM could possibly use this to gain administrative privileges in a host machine. (CVE-2018-16882)

Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)

Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)

Wei Wu discovered that the KVM implementation in the Linux kernel did not properly ensure that ioapics were initialized. A local attacker could use this to cause a denial of service (system crash).
(CVE-2018-19407)

It was discovered that the debug interface for the Linux kernel's HID subsystem did not properly perform bounds checking in some situations.
An attacker with access to debugfs could use this to cause a denial of service or possibly gain additional privileges. (CVE-2018-9516).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3871-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. Unfortunately, that update introduced regressions with docking station displays and mounting ext4 file systems with the meta_bg option enabled. This update fixes the problems.

We apologize for the inconvenience.

Original advisory details :

Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877)

Wen Xu discovered that an out-of-bounds write vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2018-10878, CVE-2018-10882)

Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly ensure that xattr information remained in inode bodies. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash).
(CVE-2018-10880)

Wen Xu discovered that the ext4 file system implementation in the Linux kernel could possibly perform an out of bounds write when updating the journal for an inline file. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10883)

It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information (host machine kernel memory). (CVE-2018-14625)

Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of the Linux kernel, when handling interrupts in environments where nested virtualization is in use (nested KVM virtualization is not enabled by default in Ubuntu kernels). A local attacker in a guest VM could possibly use this to gain administrative privileges in a host machine. (CVE-2018-16882)

Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)

Jann Horn discovered that the mremap() system call in the Linux kernel did not properly flush the TLB when completing, potentially leaving access to a physical page after it has been released to the page allocator. A local attacker could use this to cause a denial of service (system crash), expose sensitive information, or possibly execute arbitrary code.
(CVE-2018-18281)

Wei Wu discovered that the KVM implementation in the Linux kernel did not properly ensure that ioapics were initialized. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-19407)

It was discovered that the debug interface for the Linux kernel's HID subsystem did not properly perform bounds checking in some situations. An attacker with access to debugfs could use this to cause a denial of service or possibly gain additional privileges. (CVE-2018-9516).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.0.101 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check.
This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1108498).

CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841).

CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743).

CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714).

CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319).

CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

CVE-2017-1000407: Fixed a denial of service, which was caused by flooding the diagnostic port 0x80 an exception leading to a kernel panic (bnc#1071021).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.162 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check.
This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
(bnc#1108498).

CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack-based buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).

CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c mishandled sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations (bnc#1108399).

CVE-2018-16597: Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem (bnc#1106512).

CVE-2018-14613: There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c (bnc#1102896).

CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870).

CVE-2018-16276: Local attackers could use user access read/writes with incorrect bounds checking in the yurex USB driver to crash the kernel or potentially escalate privileges (bnc#1106095 bnc#1115593).

CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1087209).

CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c allowed local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure (bnc#1082863).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Description of changes:

kernel-uek [3.8.13-118.29.1.el7uek]
- Copy secure_boot flag in boot params across kexec reboot (Dave Young) [Orabug: 22066352] {CVE-2015-7837}
- ipv6: tcp: add rcu locking in tcp_v6_send_synack() (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841}
- ipv6: add complete rcu protection around np->opt (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841}
- scsi: qla2xxx: Fix an integer overflow in sysfs code (Dan Carpenter) [Orabug: 28220420] {CVE-2017-14051}
- ext4: fail ext4_iget for root directory if unallocated (Theodore Ts'o) [Orabug: 28220433] {CVE-2018-1092} {CVE-2018-1092}
- certs: Add Oracle's new X509 cert into the kernel keyring (Eric Snowberg) [Orabug: 28926205] - ALSA: seq: Fix regression by incorrect ioctl_mutex usages (Takashi Iwai) [Orabug: 29005190] {CVE-2018-1000004}
- netfilter: xt_osf: Add missing permission checks (Kevin Cernekee) [Orabug: 29037832] {CVE-2017-17450}
- wil6210: missing length check in wmi_set_ie (Lior David) [Orabug: 29060697] {CVE-2018-5848}
- HID: debug: check length before copy_to_user() (Daniel Rosenberg) [Orabug: 29128167] {CVE-2018-9516}
- x86/MCE: Serialize sysfs changes (Seunghun Han) [Orabug: 29152249] {CVE-2018-7995}
- Input: i8042 - fix crash at boot time (Chen Hong) [Orabug: 29152329] {CVE-2017-18079}

Description of changes:

[4.1.12-124.24.1.el7uek]
- pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration (Laxman Dewangan)  [Orabug: 27539246]  {CVE-2017-18174}
- mlock: fix mlock count can not decrease in race condition (Yisheng Xie)  [Orabug: 27677611]  {CVE-2017-18221}
- perf/core: Fix the perf_cpu_time_max_percent check (Tan Xiaojun) [Orabug: 27823815]  {CVE-2017-18255}
- x86/microcode/intel: Fix a wrong assignment of revision in _save_mc (Zhenzhong Duan)  [Orabug: 28190263] - mm: cma: fix incorrect type conversion for size during dma allocation (Rohit Vaswani)  [Orabug: 28407826]  {CVE-2017-9725}
- x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez)  [Orabug: 28474851] - xen/blkback: fix disconnect while I/Os in flight (Juergen Gross)  [Orabug: 28744234] - mlx4_vnic: use the mlid while calling ib_detach_mcast (aru kolappan)  [Orabug: 29029705] - ext4: fail ext4_iget for root directory if unallocated (Theodore Ts'o) [Orabug: 29048557]  {CVE-2018-1092} {CVE-2018-1092}
- Bluetooth: hidp: buffer overflow in hidp_process_report (Mark Salyzyn)   [Orabug: 29121215]  {CVE-2018-9363} {CVE-2018-9363}
- HID: debug: check length before copy_to_user() (Daniel Rosenberg) [Orabug: 29128165]  {CVE-2018-9516}
- x86/MCE: Serialize sysfs changes (Seunghun Han)  [Orabug: 29149888] {CVE-2018-7995}
- Input: i8042 - fix crash at boot time (Chen Hong)  [Orabug: 29152328] {CVE-2017-18079}

The SUSE Linux Enterprise 11 SP4 kernel was updated to 3.0.101-108.81 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-18281: An issue was discovered in the Linux kernel, the mremap() syscall performs TLB flushes after dropping pagetable locks.
If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769).

CVE-2018-18710: An issue was discovered in the Linux kernel, an information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-18386: drivers/tty/n_tty.c in the Linux kernel allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 4.x allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240).

CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674).

CVE-2017-1000407: An denial of service issue was discovered in the Linux kernel, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (bnc#1071021).

CVE-2018-9516: An issue was discovered in the Linux kernel, the copy_to_user() inside the HID code does not correctly check the length before executing (bsc#1108498).

CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host.
Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely (bnc#1107829).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.162 to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack-based buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely. (bnc#1107829).

CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769).

CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825).

CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025).

CVE-2018-18710: An issue was discovered in the Linux kernel An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751).

CVE-2018-9516: A lack of certain checks in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file might have resulted in receiving userspace buffer overflow and an out-of-bounds write or to the infinite loop. (bnc#1108498).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2018-6554

A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial of service (memory consumption).

CVE-2018-6555

A flaw was discovered in the irda_setsockopt function in the irda subsystem, allowing a local user to cause a denial of service (use-after-free and system crash).

CVE-2018-7755

Brian Belleville discovered a flaw in the fd_locked_ioctl function in the floppy driver in the Linux kernel. The floppy driver copies a kernel pointer to user memory in response to the FDGETPRM ioctl. A local user with access to a floppy drive device can take advantage of this flaw to discover the location kernel code and data.

CVE-2018-9363

It was discovered that the Bluetooth HIDP implementation did not correctly check the length of received report messages. A paired HIDP device could use this to cause a buffer overflow, leading to denial of service (memory corruption or crash) or potentially remote code execution.

CVE-2018-9516

It was discovered that the HID events interface in debugfs did not correctly limit the length of copies to user buffers. A local user with access to these files could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.
However, by default debugfs is only accessible by the root user.

CVE-2018-10902

It was discovered that the rawmidi kernel driver does not protect against concurrent access which leads to a double-realloc (double free) flaw. A local attacker can take advantage of this issue for privilege escalation.

CVE-2018-10938

Yves Younan from Cisco reported that the Cipso IPv4 module did not correctly check the length of IPv4 options. On custom kernels with CONFIG_NETLABEL enabled, a remote attacker could use this to cause a denial of service (hang).

CVE-2018-13099

Wen Xu from SSLab at Gatech reported a use-after-free bug in the F2FS implementation. An attacker able to mount a crafted F2FS volume could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2018-14609

Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the F2FS implementation. An attacker able to mount arbitrary F2FS volumes could use this to cause a denial of service (crash).

CVE-2018-14617

Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the HFS+ implementation. An attacker able to mount arbitrary HFS+ volumes could use this to cause a denial of service (crash).

CVE-2018-14633

Vincent Pelletier discovered a stack-based buffer overflow flaw in the chap_server_compute_md5() function in the iSCSI target code. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service or possibly to get a non-authorized access to data exported by an iSCSI target.

CVE-2018-14678

M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the kernel exit code used on amd64 systems running as Xen PV guests. A local user could use this to cause a denial of service (crash).

CVE-2018-14734

A use-after-free bug was discovered in the InfiniBand communication manager. A local user could use this to cause a denial of service (crash or memory corruption) or possible for privilege escalation.

CVE-2018-15572

Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh, from University of California, Riverside, reported a variant of Spectre variant 2, dubbed SpectreRSB. A local user may be able to use this to read sensitive information from processes owned by other users.

CVE-2018-15594

Nadav Amit reported that some indirect function calls used in paravirtualised guests were vulnerable to Spectre variant 2. A local user may be able to use this to read sensitive information from the kernel.

CVE-2018-16276

Jann Horn discovered that the yurex driver did not correctly limit the length of copies to user buffers. A local user with access to a yurex device node could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2018-16658

It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-17182

Jann Horn discovered that the vmacache_flush_all function mishandles sequence number overflows. A local user can take advantage of this flaw to trigger a use-after-free, causing a denial of service (crash or memory corruption) or privilege escalation.

For Debian 8 'Jessie', these problems have been fixed in version 4.9.110-3+deb9u5~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  - CVE-2018-6554     A memory leak in the irda_bind function in the irda     subsystem was discovered. A local user can take     advantage of this flaw to cause a denial of service     (memory consumption).

  - CVE-2018-6555     A flaw was discovered in the irda_setsockopt function in     the irda subsystem, allowing a local user to cause a     denial of service (use-after-free and system crash).

  - CVE-2018-7755     Brian Belleville discovered a flaw in the     fd_locked_ioctl function in the floppy driver in the     Linux kernel. The floppy driver copies a kernel pointer     to user memory in response to the FDGETPRM ioctl. A     local user with access to a floppy drive device can take     advantage of this flaw to discover the location kernel     code and data.

  - CVE-2018-9363     It was discovered that the Bluetooth HIDP implementation     did not correctly check the length of received report     messages. A paired HIDP device could use this to cause a     buffer overflow, leading to denial of service (memory     corruption or crash) or potentially remote code     execution.

  - CVE-2018-9516     It was discovered that the HID events interface in     debugfs did not correctly limit the length of copies to     user buffers. A local user with access to these files     could use this to cause a denial of service (memory     corruption or crash) or possibly for privilege     escalation. However, by default debugfs is only     accessible by the root user.

  - CVE-2018-10902     It was discovered that the rawmidi kernel driver does     not protect against concurrent access which leads to a     double-realloc (double free) flaw. A local attacker can     take advantage of this issue for privilege escalation.

  - CVE-2018-10938     Yves Younan from Cisco reported that the Cipso IPv4     module did not correctly check the length of IPv4     options. On custom kernels with CONFIG_NETLABEL enabled,     a remote attacker could use this to cause a denial of     service (hang).

  - CVE-2018-13099     Wen Xu from SSLab at Gatech reported a use-after-free     bug in the F2FS implementation. An attacker able to     mount a crafted F2FS volume could use this to cause a     denial of service (crash or memory corruption) or     possibly for privilege escalation.

  - CVE-2018-14609     Wen Xu from SSLab at Gatech reported a potential NULL     pointer dereference in the F2FS implementation. An     attacker able to mount a crafted F2FS volume could use     this to cause a denial of service (crash).

  - CVE-2018-14617     Wen Xu from SSLab at Gatech reported a potential NULL     pointer dereference in the HFS+ implementation. An     attacker able to mount a crafted HFS+ volume could use     this to cause a denial of service (crash).

  - CVE-2018-14633     Vincent Pelletier discovered a stack-based buffer     overflow flaw in the chap_server_compute_md5() function     in the iSCSI target code. An unauthenticated remote     attacker can take advantage of this flaw to cause a     denial of service or possibly to get a non-authorized     access to data exported by an iSCSI target.

  - CVE-2018-14678     M. Vefa Bicakci and Andy Lutomirski discovered a flaw in     the kernel exit code used on amd64 systems running as     Xen PV guests. A local user could use this to cause a     denial of service (crash).

  - CVE-2018-14734     A use-after-free bug was discovered in the InfiniBand     communication manager. A local user could use this to     cause a denial of service (crash or memory corruption)     or possible for privilege escalation.

  - CVE-2018-15572     Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu     Song, and Nael Abu-Ghazaleh, from University of     California, Riverside, reported a variant of Spectre     variant 2, dubbed SpectreRSB. A local user may be able     to use this to read sensitive information from processes     owned by other users.

  - CVE-2018-15594     Nadav Amit reported that some indirect function calls     used in paravirtualised guests were vulnerable to     Spectre variant 2. A local user may be able to use this     to read sensitive information from the kernel.

  - CVE-2018-16276     Jann Horn discovered that the yurex driver did not     correctly limit the length of copies to user buffers. A     local user with access to a yurex device node could use     this to cause a denial of service (memory corruption or     crash) or possibly for privilege escalation.

  - CVE-2018-16658     It was discovered that the cdrom driver does not     correctly validate the parameter to the     CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom     device could use this to read sensitive information from     the kernel or to cause a denial of service (crash).

  - CVE-2018-17182     Jann Horn discovered that the vmacache_flush_all     function mishandles sequence number overflows. A local     user can take advantage of this flaw to trigger a     use-after-free, causing a denial of service (crash or     memory corruption) or privilege escalation.

ID	Name	Product	Family	Severity
122343	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0439-1)	Nessus	SuSE Local Security Checks	high
122052	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : linux-azure vulnerabilities (USN-3871-5)	Nessus	Ubuntu Local Security Checks	high
121605	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0002)	Nessus	OracleVM Local Security Checks	high
121594	Ubuntu 16.04 LTS : linux-hwe, linux-aws-hwe, linux-gcp vulnerabilities (USN-3871-4)	Nessus	Ubuntu Local Security Checks	high
121593	Ubuntu 18.04 LTS : linux-aws, linux-gcp, linux-kvm, linux-oem, linux-raspi2 vulnerabilities (USN-3871-3)	Nessus	Ubuntu Local Security Checks	high
121592	Ubuntu 18.04 LTS : linux regression (USN-3871-2)	Nessus	Ubuntu Local Security Checks	high
121469	Ubuntu 18.04 LTS : linux vulnerabilities (USN-3871-1)	Nessus	Ubuntu Local Security Checks	high
121468	SUSE SLES11 Security Update : kernel (SUSE-SU-2019:13937-1)	Nessus	SuSE Local Security Checks	high
121208	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0095-1)	Nessus	SuSE Local Security Checks	high
120977	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4316)	Nessus	Oracle Linux Local Security Checks	high
120976	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4315)	Nessus	Oracle Linux Local Security Checks	high
119077	openSUSE Security Update : the Linux Kernel (openSUSE-2018-1427)	Nessus	SuSE Local Security Checks	high
118952	SUSE SLES11 Security Update : kernel (SUSE-SU-2018:3746-1)	Nessus	SuSE Local Security Checks	high
118882	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:3689-1)	Nessus	SuSE Local Security Checks	high
117908	Debian DLA-1531-1 : linux-4.9 security update	Nessus	Debian Local Security Checks	high
117862	Debian DSA-4308-1 : linux - security update	Nessus	Debian Local Security Checks	high

CVE-2018-9516

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins