https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.5

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1acb8f2a7a9f10543868ddd737e37424d5c36cf4

The remote OracleVM system is missing necessary patches to address critical security updates :

  - KVM: x86: Remove spurious semicolon (Joao Martins)     [Orabug: 31413782]

  - genirq: Use rcu in kstat_irqs_usr (Eric Dumazet)

  - genirq: Make sparse_irq_lock protect what it should     protect (Thomas Gleixner) [Orabug: 30953676]

  - genirq: Free irq_desc with rcu (Thomas Gleixner)     [Orabug: 30953676]

  - qla2xxx: Update driver version to 9.00.00.00.42.0-k1-v2     (Arun Easi) [Orabug: 30372266]

  - qla2xxx: Fix device discovery when FCP2 device is lost.
    (Arun Easi) [Orabug: 30372266]

  - brcmfmac: add subtype check for event handling in data     path (John Donnelly) [Orabug: 30776354] (CVE-2019-9503)

  - percpu-refcount: fix reference leak during percpu-atomic     transition (Douglas Miller) [Orabug: 30867060]

  - blk-mq: Allow timeouts to run while queue is freezing     (Gabriel Krisman Bertazi) [Orabug: 30867060]

  - fs/dcache.c: fix spin lockup issue on nlru->lock     (Junxiao Bi) [Orabug: 30953290]

  - jbd2: disable CONFIG_JBD2_DEBUG (Junxiao Bi) [Orabug:
    31234664]

  - mwifiex: pcie: Fix memory leak in     mwifiex_pcie_alloc_cmdrsp_buf (Navid Emamdoost) [Orabug:
    31246302] (CVE-2019-19056)

  - drm/vmwgfx: limit the number of mip levels in     vmw_gb_surface_define_ioctl (Vladis Dronov) [Orabug:
    31262557] (CVE-2017-7346)

  - i40e: Increment the driver version for FW API update     (Jack Vogel) [Orabug: 31051191] (CVE-2019-0140)     (CVE-2019-0139) (CVE-2019-0144)

  - i40e: Update FW API version to 1.9 (Piotr Azarewicz)     [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139)     (CVE-2019-0144)

  - i40e: Changed maximum supported FW API version to 1.8     (Adam Ludkiewicz) [Orabug: 31051191] (CVE-2019-0140)     (CVE-2019-0139) (CVE-2019-0144)

  - i40e: Stop dropping 802.1ad tags - eth proto 0x88a8     (Scott Peterson) [Orabug: 31051191] (CVE-2019-0140)     (CVE-2019-0139) (CVE-2019-0144)

  - i40e: fix reading LLDP configuration (Mariusz Stachura)     [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139)     (CVE-2019-0144)

  - i40e: Add capability flag for stopping FW LLDP     (Krzysztof Galazka) [Orabug: 31051191] (CVE-2019-0140)     (CVE-2019-0139) (CVE-2019-0144)

  - i40e: refactor FW version checking (Mitch Williams)     [Orabug: 31051191] (CVE-2019-0140) (CVE-2019-0139)     (CVE-2019-0144)

  - i40e: shutdown all IRQs and disable MSI-X when suspended     (Jacob Keller) [Orabug: 31051191] (CVE-2019-0140)     (CVE-2019-0139) (CVE-2019-0144)

  - i40e: prevent service task from running while we're     suspended (Jacob Keller) [Orabug: 31051191]     (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144)

  - i40e: don't clear suspended state until we finish     resuming (Jacob Keller) [Orabug: 31051191]     (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144)

  - i40e: use newer generic PM support instead of legacy PM     callbacks (Jacob Keller) [Orabug: 31051191]     (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144)

  - i40e: use separate state bit for miscellaneous IRQ setup     (Jacob Keller) [Orabug: 31051191] (CVE-2019-0140)     (CVE-2019-0139) (CVE-2019-0144)

  - i40e: fix for flow director counters not wrapping as     expected (Mariusz Stachura) [Orabug: 31051191]     (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144)

  - i40e: relax warning message in case of version mismatch     (Mariusz Stachura) [Orabug: 31051191] (CVE-2019-0140)     (CVE-2019-0139) (CVE-2019-0144)

  - i40e: simplify member variable accesses (Sudheer     Mogilappagari) [Orabug: 31051191] (CVE-2019-0140)     (CVE-2019-0139) (CVE-2019-0144)

  - i40e: Fix link down message when interface is brought up     (Sudheer Mogilappagari) [Orabug: 31051191]     (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144)

  - i40e: Fix unqualified module message while bringing link     up (Sudheer Mogilappagari) [Orabug: 31051191]     (CVE-2019-0140) (CVE-2019-0139) (CVE-2019-0144)

  - HID: Fix assumption that devices have inputs (Alan     Stern) [Orabug: 31208622] (CVE-2019-19532)

  - qla2xxx: DBG: disable 3D mailbox. (Quinn Tran) [Orabug:
    30890687]

  - scsi: qla2xxx: Fix mtcp dump collection failure (Quinn     Tran) [Orabug: 30890687]

  - scsi: qla2xxx: Add Serdes support for ISP27XX (Joe     Carnuccio) [Orabug: 30890687]

  - vgacon: Fix a UAF in vgacon_invert_region (Zhang Xiaoxu)     [Orabug: 31143947] (CVE-2020-8649) (CVE-2020-8647)     (CVE-2020-8647) (CVE-2020-8649) (CVE-2020-8649)     (CVE-2020-8647)

  - HID: hiddev: do cleanup in failure of opening a device     (Hillf Danton) [Orabug: 31206360] (CVE-2019-19527)

  - HID: hiddev: avoid opening a disconnected device (Hillf     Danton) [Orabug: 31206360] (CVE-2019-19527)

  - USB: adutux: fix use-after-free on disconnect (Johan     Hovold) [Orabug: 31233769] (CVE-2019-19523)

  - ipv4: implement support for NOPREFIXROUTE ifa flag for     ipv4 address (Paolo Abeni) [Orabug: 30292825]

  - vt: selection, push sel_lock up (Jiri Slaby) [Orabug:
    30923298] (CVE-2020-8648)

  - vt: selection, push console lock down (Jiri Slaby)     [Orabug: 30923298] (CVE-2020-8648)

  - vt: selection, close sel_buffer race (Jiri Slaby)     [Orabug: 30923298] (CVE-2020-8648) (CVE-2020-8648)

  - xfs: stop searching for free slots in an inode chunk     when there are none (Carlos Maiolino) [Orabug: 31030659]

  - xfs: fix up xfs_swap_extent_forks inline extent handling     (Eric Sandeen) [Orabug: 31032831]

  - xfs: validate sb_logsunit is a multiple of the fs     blocksize (Darrick J. Wong) [Orabug: 31034071]

  - mwifiex: Fix three heap overflow at parsing element in     cfg80211_ap_settings (Wen Huang) [Orabug: 31104481]     (CVE-2019-14814) (CVE-2019-14815) (CVE-2019-14816)     (CVE-2019-14814) (CVE-2019-14815) (CVE-2019-14816)

  - rds: fix an infoleak in rds_inc_info_copy (Kangjie Lu)     [Orabug: 30770962] (CVE-2016-5244)

  - xfs: do async inactivation only when fs freezed (Junxiao     Bi) [Orabug: 30944736]

  - xfs: fix deadlock between shrinker and fs freeze     (Junxiao Bi) [Orabug: 30944736]

  - xfs: increase the default parallelism levels of pwork     clients (Junxiao Bi) [Orabug: 30944736]

  - xfs: decide if inode needs inactivation (Junxiao Bi)     [Orabug: 30944736]

  - xfs: refactor the predicate part of xfs_free_eofblocks     (Junxiao Bi) [Orabug: 30944736]

  - floppy: check FDC index for errors before assigning it     (Linus Torvalds) [Orabug: 31067516] (CVE-2020-9383)

  - KVM: x86: clear stale x86_emulate_ctxt->intercept value     (Vitaly Kuznetsov) [Orabug: 31118691]

  - slcan: Don't transmit uninitialized stack data in     padding (Richard Palethorpe) [Orabug: 31136753]     (CVE-2020-11494)

  - rds: transport module should be auto loaded when     transport is set (Rao Shoaib) [Orabug: 31031928]

  - KVM: X86: Fix NULL deref in vcpu_scan_ioapic (Wanpeng     Li) [Orabug: 31078882]

  - vhost: Check docket sk_family instead of call getname     (Eugenio P&eacute rez) [Orabug: 31085993]     (CVE-2020-10942)

  - Revert 'oled: give panic handler chance to run before     kexec' (Wengang Wang) [Orabug: 31098797]

  - kernel: cpu.c: fix return in void function     cpu_smt_disable (Mihai Carabas) [Orabug: 31047871]

  - net: qlogic: Fix memory leak in ql_alloc_large_buffers     (Navid Emamdoost) [Orabug: 31055327] (CVE-2019-18806)

  - swiotlb: clean up reporting (Kees Cook) [Orabug:
    31085017] (CVE-2018-5953)

  - KVM: x86: Expose more Intel AVX512 feature to guest     (Luwei Kang) [Orabug: 31085086]

  - x86/cpufeature: Enable new AVX-512 features (Fenghua Yu)     [Orabug: 31085086]

  - xenbus: req->err should be updated before req->state     (Dongli Zhang) [Orabug: 30705030]

  - xenbus: req->body should be updated before req->state     (Dongli Zhang) [Orabug: 30705030]

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):In the Linux kernel     5.0.21, mounting a crafted ext4 filesystem image,     performing some operations, and unmounting can lead to     a use-after-free in ext4_put_super in fs/ext4/super.c,     related to dump_orphan_list in     fs/ext4/super.c.(CVE-2019-19447)Linux kernel CIFS     implementation, version 4.9.0 is vulnerable to a     relative paths injection in directory entry     lists.(CVE-2019-10220)** DISPUTED ** In kernel/compat.c     in the Linux kernel before 3.17, as used in Google     Chrome OS and other products, there is a possible     out-of-bounds read. restart_syscall uses uninitialized     data when restarting compat_sys_nanosleep. NOTE: this     is disputed because the code path is     unreachable.(CVE-2014-3180)In the Linux kernel before     5.0.6, there is a NULL pointer dereference in     drop_sysctl_table() in fs/proc/proc_sysctl.c, related     to put_links, aka     CID-23da9588037e(CVE-2019-20054)pointer dereference in     drivers/scsi/libsas/sas_discover.c because of     mishandling of port disconnection during discovery,     related to a PHY down race condition, aka     CID-f70267f379b5.(CVE-2019-19965)'In the Linux kernel     before 5.2.10, there is a race condition bug that can     be caused by a malicious USB device in the USB     character device driver layer, aka CID-303911cfc5b9.
    This affects     drivers/usb/core/file.c.(CVE-2019-19537)Linux Linux     kernel version at least v4.8 onwards, probably well     before contains a Insufficient input validation     vulnerability in bnx2x network card driver that can     result in DoS: Network card firmware assertion takes     card off-line. This attack appear to be exploitable via     An attacker on a must pass a very large, specially     crafted packet to the bnx2x card. This can be done from     an untrusted guest     VM..(CVE-2018-1000026)drivers/scsi/qla2xxx/qla_os.c in     the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer     dereference.(CVE-2019-16233)The SCTP socket buffer used     by a userspace application is not accounted by the     cgroups subsystem. An attacker can use this flaw to     cause a denial of service attack. Kernel 3.10.x and     4.18.x branches are believed to be     vulnerable.(CVE-2019-3874)fs/ext4/extents.c in the     Linux kernel through 5.1.2 does not zero out the unused     memory region in the extent tree block, which might     allow local users to obtain sensitive information by     reading uninitialized data in the     filesystem.(CVE-2019-11833)A memory leak in the     ql_alloc_large_buffers() function in     driverset/ethernet/qlogic/qla3xxx.c in the Linux kernel     before 5.3.5 allows local users to cause a denial of     service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)An issue was     discovered in the Linux kernel before 5.0.11.
    fm10k_init_module in     driverset/ethernet/intel/fm10k/fm10k_main.c has a NULL     pointer dereference because there is no -ENOMEM upon an     alloc_workqueue failure.(CVE-2019-15924)An issue was     discovered in the Linux kernel before 5.0.1. There is a     memory leak in register_queue_kobjects() in     net/coreet-sysfs.c, which will cause denial of     service.(CVE-2019-15916)An issue was discovered in the     Linux kernel before 5.0.14. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/usb/misc/yurex.c driver.(CVE-2019-15216)An     issue was discovered in the Linux kernel before 5.1.8.
    There is a double-free caused by a malicious USB device     in the drivers/usb/misc/rio500.c     driver.(CVE-2019-15212)An issue was discovered in     drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before     5.1.12. In the qedi_dbg_* family of functions, there is     an out-of-bounds read.(CVE-2019-15090)An issue was     discovered in the Linux kernel before 5.0. The function
    __mdiobus_register() in driverset/phy/mdio_bus.c calls     put_device(), which will trigger a fixed_mdio_bus_init     use-after-free. This will cause a denial of     service.(CVE-2019-12819)** DISPUTED ** An issue was     discovered in the MPT3COMMAND case in _ctl_ioctl_main     in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux     kernel through 5.1.5. It allows local users to cause a     denial of service or possibly have unspecified other     impact by changing the value of ioc_number between two     kernel reads of that value, aka a 'double fetch'     vulnerability. NOTE: a third party reports that this is     unexploitable because the doubly fetched value is not     used.(CVE-2019-12456)An issue was discovered in     drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference.(CVE-2019-12382)In the Linux Kernel     before version 4.15.8, 4.14.25, 4.9.87, 4.4.121,     4.1.51, and 3.2.102, an error in the     '_sctp_make_chunk()' function     (net/sctp/sm_make_chunk.c) when handling SCTP packets     length can be exploited to cause a kernel     crash.(CVE-2018-5803)An issue was discovered in the     Linux kernel before 4.14.11. A double free may be     caused by the function allocate_trace_buffer in the     file kernel/trace/trace.c.(CVE-2017-18595)An issue was     discovered in drivers/i2c/i2c-core-smbus.c in the Linux     kernel before 4.14.15. There is an out of bounds write     in the function     i2c_smbus_xfer_emulated.(CVE-2017-18551)An issue was     discovered in drivers/scsi/aacraid/commctrl.c in the     Linux kernel before 4.13. There is potential exposure     of kernel stack memory because aac_get_hba_info does     not initialize the hbainfo structure.(CVE-2017-18550)An     issue was discovered in drivers/scsi/aacraid/commctrl.c     in the Linux kernel before 4.13. There is potential     exposure of kernel stack memory because     aac_send_raw_srb does not initialize the reply     structure.(CVE-2017-18549)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5649 advisory.

  - The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg data from a software IO TLB printk call.
    (CVE-2018-5953)

  - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel stack corruption via crafted system calls.
    (CVE-2020-10942)

  - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the     Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by     triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. (CVE-2019-18806)

  - A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux     kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka     CID-2289adbfa559. (CVE-2019-18809)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-5645 advisory.

  - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the     Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by     triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. (CVE-2019-18806)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5644 advisory.

  - The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg data from a software IO TLB printk call.
    (CVE-2018-5953)

  - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the     Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by     triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. (CVE-2019-18806)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5642 advisory.

  - The swiotlb_print_info function in lib/swiotlb.c in the Linux kernel through 4.14.14 allows local users to     obtain sensitive address information by reading dmesg data from a software IO TLB printk call.
    (CVE-2018-5953)

  - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family     field, which might allow attackers to trigger kernel stack corruption via crafted system calls.
    (CVE-2020-10942)

  - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the     Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by     triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f. (CVE-2019-18806)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc. Security Fix(es):An issue was discovered     in the Linux kernel before 5.2.3. There is a     use-after-free caused by a malicious USB device in the     drivers/media/usb/dvb-usb/dvb-usb-init.c     driver.(CVE-2019-15213)An issue was discovered in the     Linux kernel before 5.2.6. There is a use-after-free     caused by a malicious USB device in the     drivers/media/usb/cpia2/cpia2_usb.c     driver.(CVE-2019-15215)An issue was discovered in the     Linux kernel before 5.2.3. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/media/usb/zr364xx/zr364xx.c     driver.(CVE-2019-15217)An issue was discovered in the     Linux kernel before 5.1.8. There is a double-free     caused by a malicious USB device in the     drivers/usb/misc/rio500.c driver.(CVE-2019-15212)An     issue was discovered in the Linux kernel before 5.0.14.
    There is a NULL pointer dereference caused by a     malicious USB device in the drivers/usb/misc/yurex.c     driver.(CVE-2019-15216)An issue was discovered in     drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before     5.1.12. In the qedi_dbg_* family of functions, there is     an out-of-bounds read.(CVE-2019-15090)An issue was     discovered in the Linux kernel before 5.0.9. There is a     NULL pointer dereference for a cd data structure if     alloc_disk fails in     drivers/block/paride/pf.c.(CVE-2019-15923)An issue was     discovered in the Linux kernel before 5.0.10.
    SMB2_negotiate in fs/cifs/smb2pdu.c has an     out-of-bounds read because data structures are     incompletely updated after a change from smb30 to     smb21.(CVE-2019-15918)An issue was discovered in the     Linux kernel before 5.0.9. There is a NULL pointer     dereference for a pf data structure if alloc_disk fails     in drivers/block/paride/pf.c.(CVE-2019-15922)An issue     was discovered in the Linux kernel before 5.2.3. Out of     bounds access exists in the functions     ath6kl_wmi_pstream_timeout_event_rx and     ath6kl_wmi_cac_event_rx in the file     driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An     issue was discovered in the Linux kernel before 5.0.11.
    fm10k_init_module in     driverset/ethernet/intel/fm10k/fm10k_main.c has a NULL     pointer dereference because there is no -ENOMEM upon an     alloc_workqueue failure.(CVE-2019-15924)A buffer     overflow flaw was found, in versions from 2.6.34 to     5.2.x, in the way Linux kernel's vhost functionality     that translates virtqueue buffers to IOVs, logged the     buffer descriptors during migration. A privileged guest     user able to pass descriptors with invalid length to     the host when migration is underway, could use this     flaw to increase their privileges on the     host.(CVE-2019-14835)In the Linux kernel through 5.2.14     on the powerpc platform, a local user can read vector     registers of other users' processes via an interrupt.
    To exploit the venerability, a local user starts a     transaction (via the hardware transactional memory     instruction tbegin) and then accesses vector registers.
    At some point, the vector registers will be corrupted     with the values from a different local Linux process,     because MSR_TM_ACTIVE is misused in     arch/powerpc/kernel/process.c.(CVE-2019-15031)In the     Linux kernel through 5.2.14 on the powerpc platform, a     local user can read vector registers of other users'     processes via a Facility Unavailable exception. To     exploit the venerability, a local user starts a     transaction (via the hardware transactional memory     instruction tbegin) and then accesses vector registers.
    At some point, the vector registers will be corrupted     with the values from a different local Linux process     because of a missing arch/powerpc/kernel/process.c     check.(CVE-2019-15030)There is heap-based buffer     overflow in kernel, all versions up to, excluding 5.3,     in the marvell wifi chip driver in Linux kernel, that     allows local users to cause a denial of service(system     crash) or possibly execute arbitrary     code.(CVE-2019-14816)A vulnerability was found in Linux     Kernel, where a Heap Overflow was found in     mwifiex_set_wmm_params() function of Marvell Wifi     Driver.(CVE-2019-14815)There is heap-based buffer     overflow in Linux kernel, all versions up to, excluding     5.3, in the marvell wifi chip driver in Linux kernel,     that allows local users to cause a denial of     service(system crash) or possibly execute arbitrary     code.(CVE-2019-14814)driverset/wireless/ath/ath10k/usb.
    c in the Linux kernel through 5.2.8 has a NULL pointer     dereference via an incomplete address in an endpoint     descriptor.(CVE-2019-15099)driverset/wireless/ath/ath6k     l/usb.c in the Linux kernel through 5.2.8 has a NULL     pointer dereference via an incomplete address in an     endpoint     descriptor.(CVE-2019-15098)driverset/wireless/rsi/rsi_9     1x_usb.c in the Linux kernel through 5.2.9 has a Double     Free via crafted USB device traffic (which may be     remote via usbip or usbredir).CVE-2019-15504)In the     Linux kernel before 5.2.14, rds6_inc_info_copy in     net/rds/recv.c allows attackers to obtain sensitive     information from kernel stack memory because tos and     flags fields are not     initialized.(CVE-2019-16714)drivers/scsi/qla2xxx/qla_os     .c in the Linux kernel 5.2.14 does not check the     alloc_workqueue return value, leading to a NULL pointer     dereference.(CVE-2019-16233)An issue was discovered in     the Linux kernel through 5.2.13. nbd_genl_status in     drivers/blockbd.c does not check the     nla_nest_start_noflag return     value.(CVE-2019-16089)llcp_sock_create in     netfc/llcp_sock.c in the AF_NFC network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)base_sock_create in     drivers/isdn/mISDN/socket.c in the AF_ISDN network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)atalk_create in     net/appletalk/ddp.c in the AF_APPLETALK network module     in the Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)ieee802154_create in     net/ieee802154/socket.c in the AF_IEEE802154 network     module in the Linux kernel through 5.3.2 does not     enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)ax25_create in     net/ax25/af_ax25.c in the AF_AX25 network module in the     Linux kernel through 5.3.2 does not enforce     CAP_NET_RAW, which means that unprivileged users can     create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)An issue was     discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)rtl_p2p_noa_ie in     driverset/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)In the     Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid     in net/wireless/wext-sme.c does not reject a long SSID     IE, leading to a Buffer Overflow.(CVE-2019-17133)An     issue was discovered in net/wirelessl80211.c in the     Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)Insufficient     access control in the Intel(R) PROSet/Wireless WiFi     Software driver before version 21.10 may allow an     unauthenticated user to potentially enable denial of     service via adjacent     access.(CVE-2019-0136)driverset/wireless/intel/iwlwifi/     pcie/trans.c in the Linux kernel 5.2.14 does not check     the alloc_workqueue return value, leading to a NULL     pointer dereference.(CVE-2019-16234)A memory leak in     the ql_alloc_large_buffers() function in     driverset/ethernet/qlogic/qla3xxx.c in the Linux kernel     before 5.3.5 allows local users to cause a denial of     service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)A memory leak in the     dwc3_pci_probe() function in     drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through     5.3.9 allows attackers to cause a denial of service     (memory consumption) by triggering     platform_device_add_properties() failures, aka     CID-9bbfceea12a8.(CVE-2019-18813)A memory leak in the     af9005_identify_state() function in     drivers/media/usb/dvb-usb/af9005.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-2289adbfa559.(CVE-2019-18809)fs/btrfs/volumes.c in     the Linux kernel before 5.1 allows a     btrfs_verify_dev_extents NULL pointer dereference via a     crafted btrfs image because fs_devices->devices is     mishandled within find_device, aka     CID-09ba3bc9dd15.(CVE-2019-18885)A memory leak in the     ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)A memory leak in the     bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)Note:
    kernel-4.19.36-vhulk1907.1.0.h529 and earlier versions     in EulerOS Virtualization for ARM 64 3.0.2.0 return     incorrect time information when executing the uname -a     command.

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux     kernel through 5.2.9 has a Double Free via crafted USB     device traffic (which may be remote via usbip or     usbredir).(CVE-2019-15504)

  - In the Linux kernel before 5.2.14, rds6_inc_info_copy     in net/rds/recv.c allows attackers to obtain sensitive     information from kernel stack memory because tos and     flags fields are not initialized.(CVE-2019-16714)

  - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel     5.2.14 does not check the alloc_workqueue return value,     leading to a NULL pointer dereference.(CVE-2019-16233)

  - An issue was discovered in the Linux kernel through     5.2.13. nbd_genl_status in drivers/block/nbd.c does not     check the nla_nest_start_noflag return     value.(CVE-2019-16089)

  - llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)

  - base_sock_create in drivers/isdn/mISDN/socket.c in the     AF_ISDN network module in the Linux kernel through     5.3.2 does not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)

  - atalk_create in net/appletalk/ddp.c in the AF_APPLETALK     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)

  - ieee802154_create in net/ieee802154/socket.c in the     AF_IEEE802154 network module in the Linux kernel     through 5.3.2 does not enforce CAP_NET_RAW, which means     that unprivileged users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)

  - ax25_create in net/ax25/af_ax25.c in the AF_AX25     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - A memory leak in the dwc3_pci_probe() function in     drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through     5.3.9 allows attackers to cause a denial of service     (memory consumption) by triggering     platform_device_add_properties() failures, aka     CID-9bbfceea12a8.(CVE-2019-18813)

  - A memory leak in the af9005_identify_state() function     in drivers/media/usb/dvb-usb/af9005.c in the Linux     kernel through 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-2289adbfa559.(CVE-2019-18809)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - A memory leak in the bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)

  - A memory leak in the ath9k_wmi_cmd() function in     drivers/net/wireless/ath/ath9k/wmi.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption), aka     CID-728c1e2a05e4.(CVE-2019-19074)

  - A vulnerability in the web server of Cisco Integrated     Management Controller (IMC) could allow an     authenticated, remote attacker to set sensitive     configuration values and gain elevated privileges. The     vulnerability is due to improper handling of substring     comparison operations that are performed by the     affected software. An attacker could exploit this     vulnerability by sending a crafted HTTP request to the     affected software. A successful exploit could allow the     attacker with read-only privileges to gain     administrator privileges.(CVE-2019-19073)

  - Two memory leaks in the rtl_usb_probe() function in     drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux     kernel through 5.3.11 allow attackers to cause a denial     of service (memory consumption), aka     CID-3f9361695113.(CVE-2019-19063)

  - Two memory leaks in the mwifiex_pcie_init_evt_ring()     function in drivers/net/wireless/marvell/mwifiex/pcie.c     in the Linux kernel through 5.3.11 allow attackers to     cause a denial of service (memory consumption) by     triggering mwifiex_map_pci_memory() failures, aka     CID-d10dcb615c8e.(CVE-2019-19057)

  - A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf()     function in drivers/net/wireless/marvell/mwifiex/pcie.c     in the Linux kernel through 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering mwifiex_map_pci_memory() failures, aka     CID-db8fd2cde932.(CVE-2019-19056)

  - A memory leak in the gs_can_open() function in     drivers/net/can/usb/gs_usb.c in the Linux kernel before     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering usb_submit_urb()     failures, aka CID-fb5be6a7b486.(CVE-2019-19052)

  - An issue was discovered in the Linux kernel through     5.3.9. There is a use-after-free when aa_label_parse()     fails in aa_audit_rule_init() in     security/apparmor/audit.c.(CVE-2019-18814)

  - Memory leaks in *clock_source_create() functions under     drivers/gpu/drm/amd/display/dc in the Linux kernel     before 5.3.8 allow attackers to cause a denial of     service (memory consumption). This affects the     dce112_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c     , the dce100_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c     , the dcn10_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c,     the dcn20_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c,     the dce120_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c     , the dce110_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c     , and the dce80_clock_source_create() function in     drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c,     aka CID-055e547478a1.(CVE-2019-19083)

  - Memory leaks in *create_resource_pool() functions under     drivers/gpu/drm/amd/display/dc in the Linux kernel     through 5.3.11 allow attackers to cause a denial of     service (memory consumption). This affects the     dce120_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c     , the dce110_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c     , the dce100_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c     , the dcn10_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c,     and the dce112_create_resource_pool() function in     drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c     , aka CID-104c307147ad.(CVE-2019-19082)

  - A memory leak in the nfp_flower_spawn_vnic_reprs()     function in     drivers/net/ethernet/netronome/nfp/flower/main.c in the     Linux kernel before 5.3.4 allows attackers to cause a     denial of service (memory consumption), aka     CID-8ce39eb5a67a.(CVE-2019-19081)

  - Four memory leaks in the nfp_flower_spawn_phy_reprs()     function in     drivers/net/ethernet/netronome/nfp/flower/main.c in the     Linux kernel before 5.3.4 allow attackers to cause a     denial of service (memory consumption), aka     CID-8572cea1461a.(CVE-2019-19080)

  - A memory leak in the qrtr_tun_write_iter() function in     net/qrtr/tun.c in the Linux kernel before 5.3 allows     attackers to cause a denial of service (memory     consumption), aka CID-a21b7f0cff19.(CVE-2019-19079)

  - A memory leak in the ath10k_usb_hif_tx_sg() function in     drivers/net/wireless/ath/ath10k/usb.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     usb_submit_urb() failures, aka     CID-b8d17e7d93d2.(CVE-2019-19078)

  - A memory leak in the bnxt_re_create_srq() function in     drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     copy to udata failures, aka     CID-4a9d46a9fe14.(CVE-2019-19077)

  - A memory leak in the ca8210_probe() function in     drivers/net/ieee802154/ca8210.c in the Linux kernel     before 5.3.8 allows attackers to cause a denial of     service (memory consumption) by triggering     ca8210_get_platform_data() failures, aka     CID-6402939ec86e.(CVE-2019-19075)

  - A memory leak in the rsi_send_beacon() function in     drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     rsi_prepare_beacon() failures, aka     CID-d563131ef23c.(CVE-2019-19071)

  - A memory leak in the rtl8xxxu_submit_int_urb() function     in     drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c     in the Linux kernel through 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering usb_submit_urb() failures, aka     CID-a2cdd07488e6.(CVE-2019-19068)

  - ** DISPUTED ** Four memory leaks in the acp_hw_init()     function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in     the Linux kernel before 5.3.8 allow attackers to cause     a denial of service (memory consumption) by triggering     mfd_add_hotplug_devices() or pm_genpd_add_device()     failures, aka CID-57be09c6e874. NOTE: third parties     dispute the relevance of this because the attacker must     already have privileges for module     loading.(CVE-2019-19067)

  - A memory leak in the sdma_init() function in     drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption) by triggering     rhashtable_init() failures, aka     CID-34b3be18a04e.(CVE-2019-19065)

  - Multiple memory leaks in the     iwl_pcie_ctxt_info_gen3_init() function in     drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.
    c in the Linux kernel through 5.3.11 allow attackers to     cause a denial of service (memory consumption) by     triggering iwl_pcie_init_fw_sec() or     dma_alloc_coherent() failures, aka     CID-0f4f199443fa.(CVE-2019-19059)

  - A memory leak in the alloc_sgtable() function in     drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the     Linux kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     alloc_page() failures, aka     CID-b4b814fec1a5.(CVE-2019-19058)

  - A memory leak in the i2400m_op_rfkill_sw_toggle()     function in drivers/net/wimax/i2400m/op-rfkill.c in the     Linux kernel before 5.3.11 allows attackers to cause a     denial of service (memory consumption), aka     CID-6f3ef5c25cc7.(CVE-2019-19051)

  - A memory leak in the mlx5_fpga_conn_create_cq()     function in     drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c in     the Linux kernel before 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering mlx5_vector2eqn() failures, aka     CID-c8c2a057fdc7.(CVE-2019-19045)

  - A memory leak in the predicate_parse() function in     kernel/trace/trace_events_filter.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption), aka     CID-96c5c6e6a5b6.(CVE-2019-19072)

  - ** DISPUTED ** A memory leak in the spi_gpio_probe()     function in drivers/spi/spi-gpio.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     devm_add_action_or_reset() failures, aka     CID-d3b0ffa1d75d. NOTE: third parties dispute the     relevance of this because the system must have already     been out of memory before the probe     began.(CVE-2019-19070)

  - ** DISPUTED ** A memory leak in the unittest_data_add()     function in drivers/of/unittest.c in the Linux kernel     before 5.3.10 allows attackers to cause a denial of     service (memory consumption) by triggering     of_fdt_unflatten_tree() failures, aka CID-e13de8fe0d6a.
    NOTE: third parties dispute the relevance of this     because unittest.c can only be reached during     boot.(CVE-2019-19049)

  - In the Linux kernel through 5.3.8, f->fmt.sdr.reserved     is uninitialized in rcar_drif_g_fmt_sdr_cap in     drivers/media/platform/rcar_drif.c, which could cause a     memory disclosure problem.(CVE-2019-18786)

  - A memory leak in the cx23888_ir_probe() function in     drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka     CID-a7b2df76b42b.(CVE-2019-19054)

  - An issue was discovered in drivers/media/platform/vivid     in the Linux kernel through 5.3.8. It is exploitable     for privilege escalation on some Linux distributions     where local users have /dev/video0 access, but only if     the driver happens to be loaded. There are multiple     race conditions during streaming stopping in this     driver (part of the V4L2 subsystem). These issues are     caused by wrong mutex locking in     vivid_stop_generating_vid_cap(),     vivid_stop_generating_vid_out(),     sdr_cap_stop_streaming(), and the corresponding     kthreads. At least one of these race conditions leads     to a use-after-free.(CVE-2019-18683)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The powermate_probe function in     drivers/input/misc/powermate.c in the Linux kernel     before 4.5.1 allows physically proximate attackers to     cause a denial of service (NULL pointer dereference and     system crash) via a crafted endpoints value in a USB     device descriptor.(CVE-2016-2186)

  - The snd_compr_tstamp function in     sound/core/compress_offload.c in the Linux kernel     through 4.7, as used in Android before 2016-08-05 on     Nexus 5 and 7 (2013) devices, does not properly     initialize a timestamp data structure, which allows     attackers to obtain sensitive information via a crafted     application, aka Android internal bug 28770164 and     Qualcomm internal bug CR568717.(CVE-2014-9892)

  - A memory leak in the cx23888_ir_probe() function in     drivers/media/pci/cx23885/cx23888-ir.c in the Linux     kernel through 5.3.11 allows attackers to cause a     denial of service (memory consumption) by triggering     kfifo_alloc() failures, aka     CID-a7b2df76b42b.(CVE-2019-19054)

  - A memory leak in the adis_update_scan_mode() function     in drivers/iio/imu/adis_buffer.c in the Linux kernel     before 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-ab612b1daf41.(CVE-2019-19060)

  - A memory leak in the adis_update_scan_mode_burst()     function in drivers/iio/imu/adis_buffer.c in the Linux     kernel before 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-9c0530e898f3.(CVE-2019-19061)

  - A memory leak in the crypto_report() function in     crypto/crypto_user_base.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering crypto_report_alg()     failures, aka CID-ffdde5932042.(CVE-2019-19062)

  - A memory leak in the ccp_run_sha_cmd() function in     drivers/crypto/ccp/ccp-ops.c in the Linux kernel     through 5.3.9 allows attackers to cause a denial of     service (memory consumption), aka     CID-128c66429247.(CVE-2019-18808)

  - In ashmem_ioctl of ashmem.c, there is an out-of-bounds     write due to insufficient locking when accessing asma.
    This could lead to a local elevation of privilege     enabling code execution as a privileged process with no     additional execution privileges needed. User     interaction is not needed for exploitation. Product:
    Android. Versions: Android kernel. Android ID:
    A-66954097.(CVE-2017-13216)

  - A certain backport in the TCP Fast Open implementation     for the Linux kernel before 3.18 does not properly     maintain a count value, which allow local users to     cause a denial of service (system crash) via the Fast     Open feature, as demonstrated by visiting the     chrome://flags/#enable-tcp-fast-open URL when using     certain 3.10.x through 3.16.x kernel builds, including     longterm-maintenance releases and ckt (aka Canonical     Kernel Team) builds.(CVE-2015-3332)

  - The rtnl_fill_link_ifmap function in     net/core/rtnetlink.c in the Linux kernel before 4.5.5     does not initialize a certain data structure, which     allows local users to obtain sensitive information from     kernel stack memory by reading a Netlink     message.(CVE-2016-4486)

  - The ip6gre_err function in net/ipv6/ip6_gre.c in the     Linux kernel allows remote attackers to have     unspecified impact via vectors involving GRE flags in     an IPv6 packet, which trigger an out-of-bounds     access.(CVE-2017-5897)

  - In the Linux kernel before version 4.12, Kerberos 5     tickets decoded when using the RXRPC keys incorrectly     assumes the size of a field. This could lead to the     size-remaining variable wrapping and the data pointer     going over the end of the buffer. This could possibly     lead to memory corruption and possible privilege     escalation.(CVE-2017-7482)

  - A flaw was found in the Linux Kernel where an attacker     may be able to have an uncontrolled read to     kernel-memory from within a vm guest. A race condition     between connect() and close() function may allow an     attacker using the AF_VSOCK protocol to gather a 4 byte     information leak or possibly intercept or corrupt     AF_VSOCK messages destined to other     clients.(CVE-2018-14625)

  - drivers/net/usb/asix_devices.c in the Linux kernel     through 4.13.11 allows local users to cause a denial of     service (NULL pointer dereference and system crash) or     possibly have unspecified other impact via a crafted     USB device.(CVE-2017-16647)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - An issue was discovered in the fd_locked_ioctl function     in drivers/block/floppy.c in the Linux kernel through     4.15.7. The floppy driver will copy a kernel pointer to     user memory in response to the FDGETPRM ioctl. An     attacker can send the FDGETPRM ioctl and use the     obtained kernel pointer to discover the location of     kernel code and data and bypass kernel security     protections such as KASLR.(CVE-2018-7755)

  - The usbvision driver in the Linux kernel package     3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red     Hat Enterprise Linux (RHEL) 7.1 allows physically     proximate attackers to cause a denial of service     (panic) via a nonzero bInterfaceNumber value in a USB     device descriptor.(CVE-2015-7833)

  - A flaw that allowed an attacker to corrupt memory and     possibly escalate privileges was found in the mwifiex     kernel module while connecting to a malicious wireless     network.(CVE-2019-3846)

  - drivers/net/wireless/marvell/libertas/if_sdio.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16232)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14     does not check the alloc_workqueue return value,     leading to a NULL pointer dereference.(CVE-2019-16231)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - A flaw was found in the Linux kernel. A heap based     buffer overflow in mwifiex_uap_parse_tail_ies function     in drivers/net/wireless/marvell/mwifiex/ie.c might lead     to memory corruption and possibly other     consequences.(CVE-2019-10126)

  - The Bluetooth BR/EDR specification up to and including     version 5.1 permits sufficiently low encryption key     length and does not prevent an attacker from     influencing the key length negotiation. This allows     practical brute-force attacks (aka 'KNOB') that can     decrypt traffic and inject arbitrary ciphertext without     the victim noticing.(CVE-2019-9506)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - In the hidp_process_report in bluetooth, there is an     integer overflow. This could lead to an out of bounds     write with no additional execution privileges needed.
    User interaction is not needed for exploitation.
    Product: Android Versions: Android kernel Android ID:
    A-65853588 References: Upstream kernel.(CVE-2018-9363)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - arch/arm/mm/dma-mapping.c in the Linux kernel before     3.13 on ARM platforms, as used in Android before     2016-08-05 on Nexus 5 and 7 (2013) devices, does not     prevent executable DMA mappings, which might allow     local users to gain privileges via a crafted     application, aka Android internal bug 28803642 and     Qualcomm internal bug CR642735.(CVE-2014-9888)

  - An issue was discovered in drivers/i2c/i2c-core-smbus.c     in the Linux kernel before 4.14.15. There is an out of     bounds write in the function     i2c_smbus_xfer_emulated.(CVE-2017-18551)

  - The rds_ib_xmit function in net/rds/ib_send.c in the     Reliable Datagram Sockets (RDS) protocol implementation     in the Linux kernel 3.7.4 and earlier allows local     users to cause a denial of service (BUG_ON and kernel     panic) by establishing an RDS connection with the     source IP address equal to the IPoIB interface's own IP     address, as demonstrated by rds-ping.(CVE-2012-2372)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - A memory leak in the bfad_im_get_stats() function in     drivers/scsi/bfa/bfad_attr.c in the Linux kernel     through 5.3.11 allows attackers to cause a denial of     service (memory consumption) by triggering     bfa_port_get_stats() failures, aka     CID-0e62395da2bd.(CVE-2019-19066)

  - The kernel in Android before 2016-08-05 on Nexus 7     (2013) devices allows attackers to gain privileges via     a crafted application, aka internal bug     28522518.(CVE-2016-3857)

  - arch/arm64/kernel/sys.c in the Linux kernel before 4.0     allows local users to bypass the 'strict page     permissions' protection mechanism and modify the     system-call table, and consequently gain privileges, by     leveraging write access.(CVE-2015-8967)

  - arch/arm64/kernel/perf_event.c in the Linux kernel     before 4.1 on arm64 platforms allows local users to     gain privileges or cause a denial of service (invalid     pointer dereference) via vectors involving events that     are mishandled during a span of multiple HW     PMUs.(CVE-2015-8955)

  - The __clear_user function in     arch/arm64/lib/clear_user.S in the Linux kernel before     3.17.4 on the ARM64 platform allows local users to     cause a denial of service (system crash) by reading one     byte beyond a /dev/zero page boundary.(CVE-2014-7843)

  - The x86/fpu (Floating Point Unit) subsystem in the     Linux kernel before 4.13.5, when a processor supports     the xsave feature but not the xsaves feature, does not     correctly handle attempts to set reserved bits in the     xstate header via the ptrace() or rt_sigreturn() system     call, allowing local users to read the FPU registers of     other processes on the system, related to     arch/x86/kernel/fpu/regset.c and     arch/x86/kernel/fpu/signal.c.(CVE-2017-15537)

  - The Linux kernel before 3.11 on ARM platforms, as used     in Android before 2016-08-05 on Nexus 5 and 7 (2013)     devices, does not properly consider user-space access     to the TPIDRURW register, which allows local users to     gain privileges via a crafted application, aka Android     internal bug 28749743 and Qualcomm internal bug     CR561044.(CVE-2014-9870)

  - ** DISPUTED ** Race condition in the     store_int_with_restart() function in     arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel     through 4.15.7 allows local users to cause a denial of     service (panic) by leveraging root access to write to     the check_interval file in a     /sys/devices/system/machinecheck/machinecheck     directory. NOTE: a third party has indicated that this     report is not security relevant.(CVE-2018-7995)

  - arch/x86/kernel/entry_32.S in the Linux kernel through     3.15.1 on 32-bit x86 platforms, when syscall auditing     is enabled and the sep CPU feature flag is set, allows     local users to cause a denial of service (OOPS and     system crash) via an invalid syscall number, as     demonstrated by number 1000.(CVE-2014-4508)

  - arch/x86/kernel/tls.c in the Thread Local Storage (TLS)     implementation in the Linux kernel through 3.18.1     allows local users to bypass the espfix protection     mechanism, and consequently makes it easier for local     users to bypass the ASLR protection mechanism, via a     crafted application that makes a set_thread_area system     call and later reads a 16-bit value.(CVE-2014-8133)

  - arch/mips/include/asm/thread_info.h in the Linux kernel     before 3.14.8 on the MIPS platform does not configure
    _TIF_SECCOMP checks on the fast system-call path, which     allows local users to bypass intended PR_SET_SECCOMP     restrictions by executing a crafted application without     invoking a trace or audit subsystem.(CVE-2014-4157)

  - Integer signedness error in the oz_hcd_get_desc_cnf     function in drivers/staging/ozwpan/ozhcd.c in the     OZWPAN driver in the Linux kernel through 4.0.5 allows     remote attackers to cause a denial of service (system     crash) or possibly execute arbitrary code via a crafted     packet.(CVE-2015-4001)

  - drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 does not ensure that     certain length values are sufficiently large, which     allows remote attackers to cause a denial of service     (system crash or large loop) or possibly execute     arbitrary code via a crafted packet, related to the (1)     oz_usb_rx and (2) oz_usb_handle_ep_data     functions.(CVE-2015-4002)

  - The oz_usb_handle_ep_data function in     drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver     in the Linux kernel through 4.0.5 allows remote     attackers to cause a denial of service (divide-by-zero     error and system crash) via a crafted     packet.(CVE-2015-4003)

  - The OZWPAN driver in the Linux kernel through 4.0.5     relies on an untrusted length field during packet     parsing, which allows remote attackers to obtain     sensitive information from kernel memory or cause a     denial of service (out-of-bounds read and system crash)     via a crafted packet.(CVE-2015-4004)

  - Race condition in the sclp_ctl_ioctl_sccb function in     drivers/s390/char/sclp_ctl.c in the Linux kernel before     4.6 allows local users to obtain sensitive information     from kernel memory by changing a certain length value,     aka a 'double fetch' vulnerability.(CVE-2016-6130)

  - The print_binder_transaction_ilocked function in     drivers/android/binder.c in the Linux kernel 4.14.90     allows local users to obtain sensitive address     information by reading '*from *code *flags' lines in a     debugfs file.(CVE-2018-20510)

  - In the Linux kernel before 4.1.4, a buffer overflow     occurs when checking userspace params in     drivers/media/dvb-frontends/cx24116.c. The maximum size     for a DiSEqC command is 6, according to the userspace     API. However, the code allows larger values such as     23.(CVE-2015-9289)

  - The saa7164_bus_get function in     drivers/media/pci/saa7164/saa7164-bus.c in the Linux     kernel through 4.11.5 allows local users to cause a     denial of service (out-of-bounds array access) or     possibly have unspecified other impact by changing a     certain sequence-number value, aka a 'double fetch'     vulnerability.(CVE-2017-8831)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A memory leak in the af9005_identify_state() function     in drivers/media/usb/dvb-usb/af9005.c in the Linux     kernel through 5.3.9 allows attackers to cause a denial     of service (memory consumption), aka     CID-2289adbfa559.(CVE-2019-18809)

  - A memory leak in the dwc3_pci_probe() function in     drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through     5.3.9 allows attackers to cause a denial of service     (memory consumption) by triggering     platform_device_add_properties() failures, aka     CID-9bbfceea12a8.(CVE-2019-18813)

  - A memory leak in the ql_alloc_large_buffers() function     in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux     kernel before 5.3.5 allows local users to cause a     denial of service (memory consumption) by triggering     pci_dma_mapping_error() failures, aka     CID-1acb8f2a7a9f.(CVE-2019-18806)

  - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the     Linux kernel 5.2.14 does not check the alloc_workqueue     return value, leading to a NULL pointer     dereference.(CVE-2019-16234)

  - Insufficient access control in the Intel(R)     PROSet/Wireless WiFi Software driver before version     21.10 may allow an unauthenticated user to potentially     enable denial of service via adjacent     access.(CVE-2019-0136)

  - An issue was discovered in net/wireless/nl80211.c in     the Linux kernel through 5.2.17. It does not check the     length of variable elements in a beacon head, leading     to a buffer overflow.(CVE-2019-16746)

  - In the Linux kernel through 5.3.2,     cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c     does not reject a long SSID IE, leading to a Buffer     Overflow.(CVE-2019-17133)

  - rtl_p2p_noa_ie in     drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux     kernel through 5.3.6 lacks a certain upper-bound check,     leading to a buffer overflow.(CVE-2019-17666)

  - An issue was discovered in write_tpt_entry in     drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel     through 5.3.2. The cxgb4 driver is directly calling     dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of     Service, exploitable if this driver is used on an     architecture for which this stack/DMA interaction has     security relevance.(CVE-2019-17075)

  - ax25_create in net/ax25/af_ax25.c in the AF_AX25     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-0614e2b73768.(CVE-2019-17052)

  - ieee802154_create in net/ieee802154/socket.c in the     AF_IEEE802154 network module in the Linux kernel     through 5.3.2 does not enforce CAP_NET_RAW, which means     that unprivileged users can create a raw socket, aka     CID-e69dbd4619e7.(CVE-2019-17053)

  - atalk_create in net/appletalk/ddp.c in the AF_APPLETALK     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-6cc03e8aa36c.(CVE-2019-17054)

  - base_sock_create in drivers/isdn/mISDN/socket.c in the     AF_ISDN network module in the Linux kernel through     5.3.2 does not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-b91ee4aa2a21.(CVE-2019-17055)

  - llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC     network module in the Linux kernel through 5.3.2 does     not enforce CAP_NET_RAW, which means that unprivileged     users can create a raw socket, aka     CID-3a359798b176.(CVE-2019-17056)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
137128	OracleVM 3.4 : Unbreakable / etc (OVMSA-2020-0019)	Nessus	OracleVM Local Security Checks	high
135614	EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1452)	Nessus	Huawei Local Security Checks	high
135574	Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5649)	Nessus	Oracle Linux Local Security Checks	medium
135525	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-1396)	Nessus	Huawei Local Security Checks	critical
135433	Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2020-5645)	Nessus	Oracle Linux Local Security Checks	medium
135432	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5644)	Nessus	Oracle Linux Local Security Checks	medium
135381	Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5642)	Nessus	Oracle Linux Local Security Checks	medium
134486	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1197)	Nessus	Huawei Local Security Checks	critical
132796	EulerOS Virtualization for ARM 64 3.0.5.0 : kernel (EulerOS-SA-2020-1042)	Nessus	Huawei Local Security Checks	critical
131805	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)	Nessus	Huawei Local Security Checks	high
131349	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2019-2283)	Nessus	Huawei Local Security Checks	high

CVE-2019-18806

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

medium

critical

medium

medium

medium

critical

critical

high

high