Oracle Linux 7 : kernel (ELSA-2017-1615-1) (Stack Clash)

Critical Nessus Plugin ID 101138

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 7.4

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

- [3.10.0-514.26.1.0.1.el7.OL7]
- [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377]
- Oracle Linux certificates (Alexey Petrenko)
- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(<A HREF='https://oss.oracle.com/mailman/listinfo/el-errata'>alexey.petrenko at oracle.com</A>)
- Update x509.genkey [bug 24817676]

[3.10.0-514.26.1.el7]
- [mm] enlarge stack guard gap (Larry Woodman) [1452732 1452733] {CVE-2017-1000364}
- Revert: [md] dm mirror: use all available legs on multiple failures (Mike Snitzer) [1449176 1383444]

[3.10.0-514.25.1.el7]
- [lib] kobject: grab an extra reference on kobject->sd to allow duplicate deletes (Aristeu Rozanski) [1454851 1427252]
- [kernel] module: When modifying a module's text ignore modules which are going away too (Aaron Tomlin) [1454684 1386313]
- [kernel] module: Ensure a module's state is set accordingly during module coming cleanup code (Aaron Tomlin) [1454684 1386313]
- [net] vxlan: do not output confusing error message (Jiri Benc) [1454636 1445054]
- [net] vxlan: correctly handle ipv6.disable module parameter (Jiri Benc) [1454636 1445054]
- [iommu] vt-d: fix range computation when making room for large pages (Alex Williamson) [1450856 1435612]
- [fs] nfsd: stricter decoding of write-like NFSv2/v3 ops ('J. Bruce Fields') [1449282 1443204] {CVE-2017-7895}
- [fs] nfsd4: minor NFSv2/v3 write decoding cleanup ('J. Bruce Fields') [1449282 1443204] {CVE-2017-7895}
- [md] dm mirror: use all available legs on multiple failures (Mike Snitzer) [1449176 1383444]
- [fs] nfsd: check for oversized NFSv2/v3 arguments ('J. Bruce Fields') [1447642 1442407] {CVE-2017-7645}
- [scsi] ses: don't get power status of SES device slot on probe (Gustavo Duarte) [1446650 1434768]
- [scsi] ipr: do not set DID_PASSTHROUGH on CHECK CONDITION (Steve Best) [1446649 1441747]
- [net] macsec: dynamically allocate space for sglist (Sabrina Dubroca) [1445546 1445545] {CVE-2017-7477}
- [net] macsec: avoid heap overflow in skb_to_sgvec (Sabrina Dubroca) [1445546 1445545] {CVE-2017-7477}
- [fs] gfs2: Allow glocks to be unlocked after withdraw (Robert S Peterson) [1433882 1404005]
- [net] tcp: avoid infinite loop in tcp_splice_read() (Davide Caratti) [1430579 1430580] {CVE-2017-6214}
- [mm] vma_merge: correct false positive from
__vma_unlink->validate_mm_rb (Andrea Arcangeli) [1428840 1374548]
- [mm] vma_merge: fix race vm_page_prot race condition against rmap_walk (Andrea Arcangeli) [1428840 1374548]
- [mm] fix use-after-free if memory allocation failed in vma_adjust() (Andrea Arcangeli) [1428840 1374548]
- [x86] kvm: x86: fix emulation of 'MOV SS, null selector' (Radim Krcmar) [1414742 1414743] {CVE-2017-2583}
- [powerpc] prom: Increase minimum RMA size to 512MB (Gustavo Duarte) [1450041 1411321]
- [pci] pciehp: Prioritize data-link event over presence detect (Myron Stowe) [1450124 1435818]
- [pci] pciehp: Don't re-read Slot Status when queuing hotplug event (Myron Stowe) [1450124 1435818]
- [pci] pciehp: Process all hotplug events before looking for new ones (Myron Stowe) [1450124 1435818]
- [pci] pciehp: Rename pcie_isr() locals for clarity (Myron Stowe) [1450124 1435818]

[3.10.0-514.24.1.el7]
- [scsi] lpfc: Fix panic on BFS configuration (Maurizio Lombardi) [1452044 1443116]
- [vfio] type1: Reduce repetitive calls in vfio_pin_pages_remote() (Alex Williamson) [1450855 1438403]
- [vfio] type1: Remove locked page accounting workqueue (Alex Williamson) [1450855 1438403]
- [fs] nfs: Allow getattr to also report readdirplus cache hits (Dave Wysochanski) [1450851 1442068]
- [fs] nfs: Be more targeted about readdirplus use when doing lookup/revalidation (Dave Wysochanski) [1450851 1442068]
- [fs] nfs: Fix a performance regression in readdir (Dave Wysochanski) [1450851 1442068]
- [x86] xen: do not re-use pirq number cached in pci device msi msg data (Vitaly Kuznetsov) [1450037 1433831]
- [powerpc] mm: Add missing global TLB invalidate if cxl is active (Steve Best) [1449178 1440776]
- [powerpc] boot: Fix zImage TOC alignment (Gustavo Duarte) [1444343 1395838]

[3.10.0-514.23.1.el7]
- [scsi] qla2xxx: Defer marking device lost when receiving an RSCN (Himanshu Madhani) [1446246 1436940]
- [scsi] qla2xxx: Fix typo in driver (Himanshu Madhani) [1446246 1436940]
- [scsi] qla2xxx: Fix crash in qla2xxx_eh_abort on bad ptr (Himanshu Madhani) [1446246 1436940]
- [scsi] qla2xxx: Avoid that issuing a LIP triggers a kernel crash (Himanshu Madhani) [1446246 1436940]
- [scsi] qla2xxx: Add fix to read correct register value for ISP82xx (Himanshu Madhani) [1446246 1436940]
- [scsi] qla2xxx: Disable the adapter and skip error recovery in case of register disconnect (Himanshu Madhani) [1446246 1436940]

[3.10.0-514.22.1.el7]
- [mm] hugetlb: don't use reserved during VM_SHARED mapping cow (Larry Woodman) [1445184 1385473]

Solution

Update the affected kernel packages. Note that the updated package may not be immediately available from the package repository or its mirrors.

See Also

https://oss.oracle.com/pipermail/el-errata/2017-June/007023.html

Plugin Details

Severity: Critical

ID: 101138

File Name: oraclelinux_ELSA-2017-1615-1.nasl

Version: 3.4

Type: local

Agent: unix

Published: 2017/06/30

Updated: 2019/04/10

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 7.4

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 8.4

Temporal Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel, p-cpe:/a:oracle:linux:kernel-abi-whitelists, p-cpe:/a:oracle:linux:kernel-debug, p-cpe:/a:oracle:linux:kernel-debug-devel, p-cpe:/a:oracle:linux:kernel-devel, p-cpe:/a:oracle:linux:kernel-doc, p-cpe:/a:oracle:linux:kernel-headers, p-cpe:/a:oracle:linux:kernel-tools, p-cpe:/a:oracle:linux:kernel-tools-libs, p-cpe:/a:oracle:linux:kernel-tools-libs-devel, p-cpe:/a:oracle:linux:perf, p-cpe:/a:oracle:linux:python-perf, cpe:/o:oracle:linux:7

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/06/29

Exploitable With

Metasploit (rsh_stack_clash_priv_esc.rb)

Reference Information

CVE: CVE-2017-1000364, CVE-2017-2583, CVE-2017-6214, CVE-2017-7477, CVE-2017-7645, CVE-2017-7895

IAVA: 2017-A-0288