108473

https://bugzilla.redhat.com/show_bug.cgi?id=1715501

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=425aa0e1d01513437668fa3d4a971168bbaa8515

FEDORA-2019-f40bd7826f

FEDORA-2019-7ec378191e

https://lkml.org/lkml/2019/5/25/230

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the tun subsystem in the Linux kernel before     4.13.14, dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to     CVE-2013-4343.(CVE-2018-7191)

  - A memory leak in the crypto_report() function in     crypto/crypto_user_base.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering crypto_report_alg()     failures, aka CID-ffdde5932042.(CVE-2019-19062)

  - An issue was discovered in net/ipv4/sysctl_net_ipv4.c     in the Linux kernel before 5.0.11. There is a     net/ipv4/tcp_input.c signed integer overflow in     tcp_ack_update_rtt() when userspace writes a very large     integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading     to a denial of service or possibly unspecified other     impact, aka CID-19fad20d15a6.(CVE-2019-18805)

  - In the Linux kernel before 5.0, a memory leak exists in     sit_init_net() in net/ipv6/sit.c when register_netdev()     fails to register sitn->fb_tunnel_dev, which may cause     denial of service, aka     CID-07f12b26e21a.(CVE-2019-16994)

  - An issue was discovered in the Linux kernel before     5.0.6. There is a memory leak issue when idr_alloc()     fails in genl_register_family() in     net/netlink/genetlink.c.(CVE-2019-15921)

  - In the Linux kernel before 5.1.13, there is a memory     leak in drivers/scsi/libsas/sas_expander.c when SAS     expander discovery fails. This will cause a BUG and     denial of service.(CVE-2019-15807)

  - An issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9.
    XFS partially wedges when a chgrp fails on account of     being out of disk quota. xfs_setattr_nonsize is failing     to unlock the ILOCK after the xfs_qm_vop_chown_reserve     call fails. This is primarily a local DoS attack     vector, but it might result as well in remote DoS if     the XFS filesystem is exported for instance via     NFS.(CVE-2019-15538)

  - An out-of-bounds access issue was found in the Linux     kernel, all versions through 5.3, in the way Linux     kernel's KVM hypervisor implements the Coalesced MMIO     write operation. It operates on an MMIO ring buffer     'struct kvm_coalesced_mmio' object, wherein write     indices 'ring->first' and 'ring->last' value could be     supplied by a host user-space process. An unprivileged     host user or process with access to '/dev/kvm' device     could use this flaw to crash the host kernel, resulting     in a denial of service or potentially escalating     privileges on the system.(CVE-2019-14821)

  - ** DISPUTED ** An issue was discovered in ip_ra_control     in net/ipv4/ip_sockglue.c in the Linux kernel through     5.1.5. There is an unchecked kmalloc of new_ra, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system crash). NOTE: this     is disputed because new_ra is never used if it is     NULL.(CVE-2019-12381)

  - ** DISPUTED ** An issue was discovered in     ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: This has been disputed as not an     issue.(CVE-2019-12378)

  - An issue was discovered in fs/xfs/xfs_super.c in the     Linux kernel before 4.18. A use after free exists,     related to xfs_fs_fill_super failure.(CVE-2018-20976)

  - An issue was discovered in the Linux kernel before     4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain     error case is mishandled.(CVE-2018-20856)

  - A flaw was found in the Linux kernel's NFS41+     subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process()     use wrong back-channel IDs and cause a use-after-free     vulnerability. Thus a malicious container user can     cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out.(CVE-2018-16884)

  - A flaw was found in the Linux kernel's NFS     implementation, all versions 3.x and all versions 4.x     up to 4.20. An attacker, who is able to mount an     exported NFS filesystem, is able to trigger a null     pointer dereference by using an invalid NFS sequence.
    This can panic the machine and deny access to the NFS     server. Any outstanding disk writes to the NFS server     will be lost.(CVE-2018-16871)

  - An issue was found in the Linux kernel ipv6     implementation of GRE tunnels which allows a remote     attacker to trigger an out-of-bounds access. At this     time we understand no trust barrier has been crossed     and there is no security implications in this     flaw.(CVE-2017-5897)

  - A flaw was found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it     may cause a system memory exhaustion and thus a denial     of service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable.(CVE-2019-3882)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):Heap-based buffer overflow     in the udf_load_logicalvol function in fs/udf/super.c     in the Linux kernel before 3.4.5 allows remote     attackers to cause a denial of service (system crash)     or possibly have unspecified other impact via a crafted     UDF filesystem.(CVE-2012-3400)The     mmc_ioctl_cdrom_read_data function in     drivers/cdrom/cdrom.c in the Linux kernel through 3.10     allows local users to obtain sensitive information from     kernel memory via a read operation on a malfunctioning     CD-ROM drive.(CVE-2013-2164)The     sctp_sf_do_5_2_4_dupcook function in     net/sctp/sm_statefuns.c in the SCTP implementation in     the Linux kernel before 3.8.5 does not properly handle     associations during the processing of a duplicate     COOKIE ECHO chunk, which allows remote attackers to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via crafted SCTP traffic.(CVE-2013-2206)The (1)     get_user and (2) put_user API functions in the Linux     kernel before 3.5.5 on the v6k and v7 ARM platforms do     not validate certain addresses, which allows attackers     to read or modify the contents of arbitrary kernel     memory locations via a crafted application, as     exploited in the wild against Android devices in     October and November 2013.(CVE-2013-6282)An issue was     discovered in the Linux kernel before 4.20. There is a     race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free.(CVE-2018-20836)The Siemens     R3964 line discipline driver in drivers/tty/n_r3964.c     in the Linux kernel before 5.0.8 has multiple race     conditions.(CVE-2019-11486)The Linux kernel before     5.1-rc5 allows page->_refcount reference count     overflow, with resultant use-after-free issues, if     about 140 GiB of RAM exists. This is related to     fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It     can occur with FUSE requests.(CVE-2019-11487)The     coredump implementation in the Linux kernel before     5.0.10 does not use locking or other mechanisms to     prevent vma layout or vma flags changes while it runs,     which allows local users to obtain sensitive     information, cause a denial of service, or possibly     have unspecified other impact by triggering a race     condition with mmget_not_zero or get_task_mm calls.
    This is related to fs/userfaultfd.c, mm/mmap.c,     fs/proc/task_mmu.c, and     drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A     n issue was discovered in the Linux kernel before     5.0.7. A NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds() in     drivers/scsi/megaraid/megaraid_sas_base.c. This causes     a Denial of Service, related to a     use-after-free.(CVE-2019-11810)An issue was discovered     in the Linux kernel before 5.0.4. There is a     use-after-free upon attempted read access to     /proc/ioports after the ipmi_si module is removed,     related to drivers/char/ipmi/ipmi_si_intf.c,     drivers/char/ipmi/ipmi_si_mem_io.c, and     drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)A     flaw was found in the Linux kernel's handle_rx()     function in the [vhost_net] driver. A malicious virtual     guest, under specific conditions, can trigger an     out-of-bounds write in a kmalloc-8 slab on a virtual     host which may lead to a kernel memory corruption and a     system panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out. Versions from     v4.16 and newer are vulnerable.(CVE-2018-16880)An issue     was discovered in rds_tcp_kill_sock in net/rds/tcp.c in     the Linux kernel before 5.0.8. There is a race     condition leading to a use-after-free, related to net     namespace cleanup.(CVE-2019-11815)A flaw was found in     the Linux kernel in the function     hid_debug_events_read() in drivers/hid/hid-debug.c file     which may enter an infinite loop with certain     parameters passed from a userspace. A local privileged     user ('root') can cause a system lock up and a denial     of service. Versions from v4.18 and newer are     vulnerable.(CVE-2019-3819)A flaw was found in the Linux     kernel's vfio interface implementation that permits     violation of the user's locked memory limit. If a     device is bound to a vfio driver, such as vfio-pci, and     the local attacker is administratively granted     ownership of the device, it may cause a system memory     exhaustion and thus a denial of service (DoS). Versions     3.10, 4.14 and 4.18 are vulnerable.(CVE-2019-3882)An     infinite loop issue was found in the vhost_net kernel     module in Linux Kernel up to and including v5.1-rc6,     while handling incoming packets in handle_rx(). It     could occur if one end sends packets faster than the     other end can process them. A guest user, maybe remote     one, could use this flaw to stall the vhost_net kernel     thread, resulting in a DoS scenario.(CVE-2019-3900)In     the Linux Kernel before versions 4.20.8 and 4.19.21 a     use-after-free error in the 'sctp_sendmsg()' function     (net/sctp/socket.c) when handling SCTP_SENDALL flag can     be exploited to corrupt memory.(CVE-2019-8956)A flaw     was found in the Linux kernel's implementation of ext4     extent management. The kernel doesn't correctly     initialize memory regions in the extent tree block     which may be exported to a local user to obtain     sensitive information by reading empty/uninitialized     data from the filesystem.(CVE-2019-11833)An issue was     discovered in drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference.(CVE-2019-12382)An issue was     discovered in the efi subsystem in the Linux kernel     through 5.1.5. phys_efi_set_virtual_address_map in     arch/x86/platform/efi/efi.c and efi_call_phys_prolog in     arch/x86/platform/efi/efi_64.c mishandle memory     allocation failures. NOTE: This id is disputed as not     being an issue because ?All the code touched by the     referenced commit runs only at boot, before any user     processes are started. Therefore, there is no     possibility for an unprivileged user to control     it.(CVE-2019-12380)An issue was discovered in the Linux     kernel before 5.2.3. An out of bounds access exists in     the function hclge_tm_schd_mode_vnet_base_cfg in the     file drivers     et/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.(CVE-2019-     15925)An issue was discovered in     dlpar_parse_cc_property in     arch/powerpc/platforms/pseries/dlpar.c in the Linux     kernel through 5.1.6. There is an unchecked kstrdup of     prop-i1/4zname, which might allow an attacker to cause a     denial of service (NULL pointer dereference and system     crash).(CVE-2019-12614)An issue was discovered in     net/ipv4/sysctl_net_ipv4.c in the Linux kernel before     5.0.11. There is a net/ipv4/tcp_input.c signed integer     overflow in tcp_ack_update_rtt() when userspace writes     a very large integer to     /proc/syset/ipv4/tcp_min_rtt_wlen, leading to a denial     of service or possibly unspecified other impact, aka     CID-19fad20d15a6.(CVE-2019-18805)A flaw was found in     the way PTRACE_TRACEME functionality was handled in the     Linux kernel. The kernel's implementation of ptrace can     inadvertently grant elevated permissions to an attacker     who can then abuse the relationship between the tracer     and the process being traced. This flaw could allow a     local, unprivileged user to increase their privileges     on the system or cause a denial of     service.(CVE-2019-13272)An issue was discovered in     ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: This has been disputed as not an     issue.(CVE-2019-12378)An issue was discovered in     ip_ra_control in net/ipv4/ip_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: this is disputed because new_ra is never used if     it is NULL.(CVE-2019-12381)An issue was discovered in     sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c     in the Linux kernel through 5.1.5. There is an     unchecked kstrndup of derived_name, which might allow     an attacker to cause a denial of service (NULL pointer     dereference and system crash). NOTE: This id is     disputed as not being an issue because 'The memory     allocation that was not checked is part of a code that     only runs at boot time, before user processes are     started. Therefore, there is no possibility for an     unprivileged user to control it, and no denial of     service.'.(CVE-2019-12455)An issue was discovered in     the MPT3COMMAND case in _ctl_ioctl_main in     drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel     through 5.1.5. It allows local users to cause a denial     of service or possibly have unspecified other impact by     changing the value of ioc_number between two kernel     reads of that value, aka a ''double fetch''     vulnerability. NOTE: a third party reports that this is     unexploitable because the doubly fetched value is not     used.(CVE-2019-12456)An issue was discovered in     get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in     the Linux kernel through 5.1.6. There is an unchecked     kstrdup_const of node_info-i1/4zvdev_port.name, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system     crash).(CVE-2019-12615)In parse_hid_report_descriptor     in drivers/input/tablet/gtco.c in the Linux kernel     through 5.2.1, a malicious USB device can send an HID     report that triggers an out-of-bounds write during     generation of debugging messages.(CVE-2019-13631)A     vulnerability was found in the Linux kernelaEURtms floppy     disk driver implementation. A local attacker with     access to the floppy device could call set_geometry in     drivers/block/floppy.c, which does not validate the     sect and head fields, causing an integer overflow and     out-of-bounds read. This flaw may crash the system or     allow an attacker to gather information causing     subsequent successful     attacks.(CVE-2019-14283)check_input_term in     sound/usb/mixer.c in the Linux kernel through 5.2.9     mishandles recursion, leading to kernel stack     exhaustion.(CVE-2019-15118)An issue was discovered in     the Linux kernel before 5.2.6. There is a     use-after-free caused by a malicious USB device in the     drivers/media/v4l2-core/v4l2-dev.c driver because     drivers/media/radio/radio-raremono.c does not properly     allocate memory.(CVE-2019-15211)An issue was discovered     in the Linux kernel before 5.0.10. There is a     use-after-free in the sound subsystem because card     disconnection causes certain data structures to be     deleted too early. This is related to sound/core/init.c     and sound/core/info.c.(CVE-2019-15214)An issue was     discovered in the Linux kernel before 5.1.8. There is a     NULL pointer dereference caused by a malicious USB     device in the drivers/media/usb/siano/smsusb.c     driver.(CVE-2019-15218)An issue was discovered in the     Linux kernel before 5.1.8. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/usb/misc/sisusbvga/sisusb.c     driver.(CVE-2019-15219)An issue was discovered in the     Linux kernel before 5.2.1. There is a use-after-free     caused by a malicious USB device in the     driverset/wireless/intersil/p54/p54usb.c     driver.(CVE-2019-15220)An issue was discovered in the     Linux kernel before 5.1.17. There is a NULL pointer     dereference caused by a malicious USB device in the     sound/usb/line6/pcm.c driver.(CVE-2019-15221)An issue     was discovered in the Linux kernel before 5.0.9. There     is a use-after-free in atalk_proc_exit, related to     net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and     net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An     issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9.
    XFS partially wedges when a chgrp fails on account of     being out of disk quota. xfs_setattr_nonsize is failing     to unlock the ILOCK after the xfs_qm_vop_chown_reserve     call fails. This is primarily a local DoS attack     vector, but it might result as well in remote DoS if     the XFS filesystem is exported for instance via     NFS.(CVE-2019-15538)An issue was discovered in the     Linux kernel before 5.0.19. There is an out-of-bounds     array access in __xfrm_policy_unlink, which will cause     denial of service, because verify_newpolicy_info in     net/xfrm/xfrm_user.c mishandles directory     validation.(CVE-2019-15666)In the Linux kernel before     5.1.13, there is a memory leak in     drivers/scsi/libsas/sas_expander.c when SAS expander     discovery fails. This will cause a BUG and denial of     service.(CVE-2019-15807)An issue was discovered in the     Linux kernel before 5.0.5. There is a use-after-free     issue when hci_uart_register_dev() fails in     hci_uart_set_proto() in     drivers/bluetooth/hci_ldisc.c.(CVE-2019-15917)An issue     was discovered in the Linux kernel before 5.0.10.
    SMB2_write in fs/cifs/smb2pdu.c has a     use-after-free.(CVE-2019-15919)An issue was discovered     in the Linux kernel before 5.0.10. SMB2_read in     fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was     not fixed correctly in 5.0.10 see the 5.0.11 ChangeLog,     which documents a memory leak.(CVE-2019-15920)An issue     was discovered in the Linux kernel before 5.0.4. The 9p     filesystem did not protect i_size_write() properly,     which causes an i_size_read() infinite loop and denial     of service on SMP systems.(CVE-2019-16413)An issue was     discovered in can_can_gw_rcv in net/can/gw.c in the     Linux kernel through 4.19.13. The CAN frame     modification rules allow bitwise logical operations     that can be also applied to the can_dlc field. Because     of a missing check, the CAN drivers may write arbitrary     content beyond the data registers in the CAN     controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection     fault).(CVE-2019-3701)A flaw was found in the Linux     kernel's Marvell wifi chip driver. A heap overflow in     mwifiex_update_bss_desc_with_ie function in     marvell/mwifiex/scan.c allows remote attackers to cause     a denial of service(system crash) or execute arbitrary     code.(CVE-2019-3846)A new software page cache side     channel attack scenario was discovered in operating     systems that implement the very common 'page cache'     caching mechanism. A malicious user/process could use     'in memory' page-cache knowledge to infer access     timings to shared memory and gain knowledge which can     be used to reduce effectiveness of cryptographic     strength by monitoring algorithmic behavior, infer     access patterns of memory to determine code paths     taken, and exfiltrate data to a blinded attacker     through page-granularity access times as a     side-channel.(CVE-2019-5489)In the Android kernel in     the video driver there is a kernel pointer leak due to     a WARN_ON statement. This could lead to local     information disclosure with System execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9455)A vulnerability was found     in the arch/x86/lib/insn-eval.c function in the Linux     kernel. An attacker could corrupt the memory due to a     flaw in use-after-free access to an LDT entry caused by     a race condition between modify_ldt() and a #BR     exception for an MPX bounds violation.(CVE-2019-13233)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):A flaw was found in the     Linux kernel's NFS implementation, all versions 3.x and     all versions 4.x up to 4.20. An attacker, who is able     to mount an exported NFS filesystem, is able to trigger     a null pointer dereference by using an invalid NFS     sequence. This can panic the machine and deny access to     the NFS server. Any outstanding disk writes to the NFS     server will be lost.(CVE-2018-16871)An issue was     discovered in the Linux kernel before 4.18.7. In     create_qp_common in drivers/infiniband/hw/mlx5/qp.c,     mlx5_ib_create_qp_resp was never initialized, resulting     in a leak of stack memory to     userspace.(CVE-2018-20855)An issue was discovered in     the Linux kernel before 4.18.7. In block/blk-core.c,     there is an __blk_drain_queue() use-after-free because     a certain error case is mishandled.(CVE-2018-20856)The     Linux kernel 4.x (starting from 4.1) and 5.x before     5.0.8 allows Information Exposure (partial kernel     address disclosure), leading to a KASLR bypass.
    Specifically, it is possible to extract the KASLR     kernel image offset using the IP ID values the kernel     produces for connection-less protocols (e.g., UDP and     ICMP). When such traffic is sent to multiple     destination IP addresses, it is possible to obtain hash     collisions (of indices to the counter array) and     thereby obtain the hashing key (via enumeration). This     key contains enough bits from a kernel address (of a     static variable) so when the key is extracted (via     enumeration), the offset of the kernel image is     exposed. This attack can be carried out remotely, by     the attacker forcing the target device to send UDP or     ICMP (or certain other) traffic to attacker-controlled     IP addresses. Forcing a server to send UDP traffic is     trivial if the server is a DNS server. ICMP traffic is     trivial if the server answers ICMP Echo requests     (ping). For client targets, if the target visits the     attacker's web page, then WebRTC or gQUIC can be used     to force UDP traffic to attacker-controlled IP     addresses. NOTE: this attack against KASLR became     viable in 4.1 because IP ID generation was changed to     have a dependency on an address associated with a     network namespace.(CVE-2019-10639)** DISPUTED ** An     issue was discovered in ip6_ra_control in     net/ipv6/ipv6_sockglue.c in the Linux kernel through     5.1.5. There is an unchecked kmalloc of new_ra, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system crash). NOTE: This     has been disputed as not an     issue.(CVE-2019-12378)**DISPUTED** An issue was     discovered in the efi subsystem in the Linux kernel     through 5.1.5. phys_efi_set_virtual_address_map in     arch/x86/platform/efi/efi.c and efi_call_phys_prolog in     arch/x86/platform/efi/efi_64.c mishandle memory     allocation failures. NOTE: This id is disputed as not     being an issue because ?All the code touched by the     referenced commit runs only at boot, before any user     processes are started. Therefore, there is no     possibility for an unprivileged user to control     it.?.(CVE-2019-12380)** DISPUTED ** An issue was     discovered in ip_ra_control in net/ipv4/ip_sockglue.c     in the Linux kernel through 5.1.5. There is an     unchecked kmalloc of new_ra, which might allow an     attacker to cause a denial of service (NULL pointer     dereference and system crash). NOTE: this is disputed     because new_ra is never used if it is     NULL.(CVE-2019-12381)** DISPUTED ** An issue was     discovered in the MPT3COMMAND case in _ctl_ioctl_main     in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux     kernel through 5.1.5. It allows local users to cause a     denial of service or possibly have unspecified other     impact by changing the value of ioc_number between two     kernel reads of that value, aka a 'double fetch'     vulnerability. NOTE: a third party reports that this is     unexploitable because the doubly fetched value is not     used.(CVE-2019-12456)An issue was discovered in the     Linux kernel before 4.20.15. The nfc_llcp_build_tlv     function in netfc/llcp_commands.c may return NULL. If     the caller does not check for this, it will trigger a     NULL pointer dereference. This will cause denial of     service. This affects nfc_llcp_build_gb in     netfc/llcp_core.c.(CVE-2019-12818)An issue was     discovered in the Linux kernel before 5.0. The function
    __mdiobus_register() in driverset/phy/mdio_bus.c calls     put_device(), which will trigger a fixed_mdio_bus_init     use-after-free. This will cause a denial of     service.(CVE-2019-12819)A NULL pointer dereference     vulnerability in the function     nfc_genl_deactivate_target() in netfcetlink.c in the     Linux kernel before 5.1.13 can be triggered by a     malicious user-mode program that omits certain NFC     attributes, leading to denial of     service.(CVE-2019-12984)In the Linux kernel before     5.1.17, ptrace_link in kernel/ptrace.c mishandles the     recording of the credentials of a process that wants to     create a ptrace relationship, which allows local users     to obtain root access by leveraging certain scenarios     with a parent-child process relationship, where a     parent drops privileges and calls execve (potentially     allowing control by an attacker). One contributing     factor is an object lifetime issue (which can also     cause a panic). Another contributing factor is     incorrect marking of a ptrace relationship as     privileged, which is exploitable through (for example)     Polkit's pkexec helper with PTRACE_TRACEME. NOTE:
    SELinux deny_ptrace might be a usable workaround in     some environments.(CVE-2019-13272)In     parse_hid_report_descriptor in     drivers/input/tablet/gtco.c in the Linux kernel through     5.2.1, a malicious USB device can send an HID report     that triggers an out-of-bounds write during generation     of debugging messages.(CVE-2019-13631)In the Linux     kernel through 5.2.1 on the powerpc platform, when     hardware transactional memory is disabled, a local user     can cause a denial of service (TM Bad Thing exception     and system crash) via a sigreturn() system call that     sends a crafted signal frame. This affects     arch/powerpc/kernel/signal_32.c and     arch/powerpc/kernel/signal_64.c.(CVE-2019-13648)In the     Linux kernel before 5.2.3, set_geometry in     drivers/block/floppy.c does not validate the sect and     head fields, as demonstrated by an integer overflow and     out-of-bounds read. It can be triggered by an     unprivileged local user when a floppy disk has been     inserted. NOTE: QEMU creates the floppy device by     default.(CVE-2019-14283)In the Linux kernel before     5.2.3, drivers/block/floppy.c allows a denial of     service by setup_format_params division-by-zero. Two     consecutive ioctls can trigger the bug: the first one     should set the drive geometry with .sect and .rate     values that make F_SECT_PER_TRACK be zero. Next, the     floppy format operation should be called. It can be     triggered by an unprivileged local user even when a     floppy disk has not been inserted. NOTE: QEMU creates     the floppy device by default.(CVE-2019-14284)In the     Linux kernel before 4.16.4, a double-locking error in     drivers/usb/dwc3/gadget.c may potentially cause a     deadlock with f_hid.(CVE-2019-14763)An issue was     discovered in the Linux kernel before 5.2.6. There is a     use-after-free caused by a malicious USB device in the     drivers/media/v4l2-core/v4l2-dev.c driver because     drivers/media/radio/radio-raremono.c does not properly     allocate memory.(CVE-2019-15211)An issue was discovered     in the Linux kernel before 5.0.9. There is a     use-after-free in atalk_proc_exit, related to     net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and     net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)A flaw     was found in the way the sit_init_net function in the     Linux kernel handled resource cleanup on errors. This     flaw allows an attacker to use the error conditions to     crash the system.(CVE-2019-16994)Note:
    kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions     in EulerOS Virtualization for ARM 64 3.0.2.0 return     incorrect time information when executing the uname -a     command.

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The xfs_bmap_extents_to_btree function in     fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through     4.16.3 allows local users to cause a denial of service     (xfs_bmapi_write NULL pointer dereference) via a     crafted xfs image.(CVE-2018-10323)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause a use-after-free in     ext4_xattr_set_entry function and a denial of service     or unspecified other impact may occur by renaming a     file in a crafted ext4 filesystem     image.(CVE-2018-10879)

  - A flaw was found in the Linux kernel's ext4 filesystem.
    A local user can cause an out-of-bound write in     jbd2_journal_dirty_metadata(), a denial of service, and     a system crash by mounting and operating on a crafted     ext4 filesystem image. (CVE-2018-10883)

  - The Linux kernel was found vulnerable to an integer     overflow in the     drivers/video/fbdev/uvesafb.c:uvesafb_setcmap()     function. The vulnerability could result in local     attackers being able to crash the kernel or potentially     elevate privileges.(CVE-2018-13406)

  - It was found that paravirt_patch_call/jump() functions     in the arch/x86/kernel/paravirt.c in the Linux kernel     mishandles certain indirect calls, which makes it     easier for attackers to conduct Spectre-v2 attacks     against paravirtualized guests. (CVE-2018-15594)

  - A flaw was found in the Linux kernel's NFS     implementation. An attacker, who is able to mount an     exported NFS filesystem, is able to trigger a null     pointer dereference by using an invalid NFS sequence.
    This can panic the machine and deny access to the NFS     server. Any outstanding disk writes to the NFS server     will be lost. (CVE-2018-16871)

  - A vulnerability was found in the Linux kernelaEURtms     floppy disk driver implementation. A local attacker     with access to the floppy device could call     set_geometry in drivers/block/floppy.c, which does not     validate the sect and head fields, causing an integer     overflow and out-of-bounds read. This flaw may crash     the system or allow an attacker to gather information     causing subsequent successful attacks. (CVE-2019-14283)

  - A vulnerability was found in the Linux kernelaEURtms     floppy disk driver implementation. A local attacker     with access to the floppy disk device file (/dev/fd0     through to /dev/fdN) can create a situation that causes     the kernel to divide by zero. This requires two     consecutive ioctl calls to be issued. The first ioctl     call sets the sector and rate values, and the second     ioctl is the call to format the floppy disk to the     appropriate values. This flaw can cause the system to     divide by zero and panic the host. No media (floppy) is     required to be inserted for this attack to work     properly.(CVE-2019-14284)

  - In the Linux kernel through 5.2.1 on the powerpc     platform, when hardware transactional memory is     disabled, a local user can cause a denial of service     (TM Bad Thing exception and system crash) via a     sigreturn() system call that sends a crafted signal     frame. This affects arch/powerpc/kernel/signal_32.c and     arch/powerpc/kernel/signal_64.c.(CVE-2019-13648)

  - In parse_hid_report_descriptor in     drivers/input/tablet/gtco.c in the Linux kernel through     5.2.1, a malicious USB device can send an HID report     that triggers an out-of-bounds write during generation     of debugging messages. (CVE-2019-13631)

  - An issue was discovered in drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference. (CVE-2019-12382)

  - An issue was discovered in dlpar_parse_cc_property in     arch/powerpc/platforms/pseries/dlpar.c in the Linux     kernel through 5.1.6. There is an unchecked kstrdup of     prop-i1/4zname, which might allow an attacker to cause a     denial of service (NULL pointer dereference and system     crash). (CVE-2019-12614)

  - An issue was discovered in the Linux kernel before     4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain     error case is mishandled.(CVE-2018-20856)

  - An issue was discovered in ip_ra_control in     net/ipv4/ip_sockglue.c in the Linux kernel through     5.1.5. There is an unchecked kmalloc of new_ra, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system crash). NOTE: this     is disputed because new_ra is never used if it is     NULL.(CVE-2019-12381)

  - An issue was discovered in ip6_ra_control in     net/ipv6/ipv6_sockglue.c in the Linux kernel through     5.1.5. There is an unchecked kmalloc of new_ra, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system crash). NOTE: This     has been disputed as not an issue.(CVE-2019-12378)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4746 advisory.

  - fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the     extent tree block, which might allow local users to obtain sensitive information by reading uninitialized     data in the filesystem. (CVE-2019-11833)

  - ** DISPUTED ** An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel     through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue.
    (CVE-2019-12378)

  - ** DISPUTED ** An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel     through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used     if it is NULL. (CVE-2019-12381)

  - A flaw was found in the Linux kernel's NFS implementation, all versions 3.x and all versions 4.x up to     4.20. An attacker, who is able to mount an exported NFS filesystem, is able to trigger a null pointer     dereference by using an invalid NFS sequence. This can panic the machine and deny access to the NFS     server. Any outstanding disk writes to the NFS server will be lost. (CVE-2018-16871)

  - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively     access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from     CVE-2019-1071, CVE-2019-1073. (CVE-2019-1125)

  - In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a     malicious USB device can send an HID report that triggers an out-of-bounds write during generation of     debugging messages. (CVE-2019-13631)

  - ** DISPUTED ** An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the     Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause     a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as     not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance     for a NULL pointer dereference. (CVE-2019-12382)

  - In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the     credentials of a process that wants to create a ptrace relationship, which allows local users to obtain     root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops     privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an     object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of     a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper     with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
    (CVE-2019-13272)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4729 advisory.

  - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during     the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
    (CVE-2018-20169)

  - fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the     extent tree block, which might allow local users to obtain sensitive information by reading uninitialized     data in the filesystem. (CVE-2019-11833)

  - ** DISPUTED ** An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel     through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue.
    (CVE-2019-12378)

  - ** DISPUTED ** An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel     through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used     if it is NULL. (CVE-2019-12381)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - x86/speculation: Exclude ATOMs from speculation through     SWAPGS (Thomas Gleixner) [Orabug: 29967571]     (CVE-2019-1125)

  - x86/speculation: Enable Spectre v1 swapgs mitigations     (Josh Poimboeuf) [Orabug: 29967571] (CVE-2019-1125)

  - x86/speculation: Prepare entry code for Spectre v1     swapgs mitigations (Josh Poimboeuf) [Orabug: 29967571]     (CVE-2019-1125)

  - mlx4_core: change log_num_[qp,rdmarc] with scale_profile     (Mukesh Kacker) [Orabug: 30064080]

  - scsi: storvsc: Fix scsi_cmd error assignments in     storvsc_handle_error (Cathy Avery) [Orabug: 30052805]

  - USB: check usb_get_extra_descriptor for proper size     (Mathias Payer) [Orabug: 29755247] (CVE-2018-20169)

  - rds: ib: Fix dereference of conn when NULL and cleanup     thereof (H&aring kon Bugge) [Orabug: 29924849]

  - ext4: zero out the unused memory region in the extent     tree block (Sriram Rajagopalan) [Orabug: 29925523]     (CVE-2019-11833) (CVE-2019-11833)

  - ip_sockglue: Fix missing-check bug in ip_ra_control (Gen     Zhang) [Orabug: 29926005] (CVE-2019-12381)

  - ipv6_sockglue: Fix a missing-check bug in ip6_ra_control     (Gen Zhang) [Orabug: 29926057] (CVE-2019-12378)

  - x86/microcode: fix x86_spec_ctrl_mask on late loading.
    (Mihai Carabas) [Orabug: 29941248]

  - net: rds: fix rds recv memory leak (Zhu Yanjun) [Orabug:
    30034815]

An update of the linux package has been released.

Update to v5.1.7

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Rebase to the v5.1 kernel series

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
134735	EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1269)	Nessus	Huawei Local Security Checks	critical
134387	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186)	Nessus	Huawei Local Security Checks	critical
131845	EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)	Nessus	Huawei Local Security Checks	critical
130736	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2274)	Nessus	Huawei Local Security Checks	critical
128929	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1926)	Nessus	Huawei Local Security Checks	critical
128842	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1919)	Nessus	Huawei Local Security Checks	high
127985	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2019-4746)	Nessus	Oracle Linux Local Security Checks	high
127613	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4729)	Nessus	Oracle Linux Local Security Checks	medium
127565	OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0038)	Nessus	OracleVM Local Security Checks	medium
126176	Photon OS 1.0: Linux PHSA-2019-1.0-0240	Nessus	PhotonOS Local Security Checks	high
126106	Photon OS 2.0: Linux PHSA-2019-2.0-0165	Nessus	PhotonOS Local Security Checks	critical
125790	Fedora 30 : kernel / kernel-headers (2019-f40bd7826f)	Nessus	Fedora Local Security Checks	high
125746	Fedora 29 : kernel / kernel-headers / kernel-tools (2019-7ec378191e)	Nessus	Fedora Local Security Checks	high

CVE-2019-12381

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

high

high

medium

medium

high

critical

high

high