Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3597)

high Nessus Plugin ID 102061
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 6.7

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

[2.6.39-400.297.5.el6uek]
- selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485] - RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker) [Orabug: 25875426]
- HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914] {CVE-2017-7273}
- udf: Remove repeated loads blocksize (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}
- udf: Check length of extended attributes and allocation descriptors (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}
- udf: Verify i_size when loading inode (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}
- btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk) [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: add support for asserts (Josef Bacik) [Orabug: 25948102] {CVE-2014-9710}
- Btrfs: make xattr replace operations atomic (Filipe Manana) [Orabug: 25948102] {CVE-2014-9710}
- net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro) [Orabug: 25948149] {CVE-2015-2686}
- xsigo: Compute node crash on FC failover (Joe Jin) [Orabug: 25965445]
- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao) [Orabug: 25975513]
- PCI: Prevent VPD access for buggy devices (Babu Moger) [Orabug: 25975513]
- ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa) [Orabug: 26032377] {CVE-2015-1465}

Solution

Update the affected unbreakable enterprise kernel packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2017-July/007069.html

Plugin Details

Severity: High

ID: 102061

File Name: oraclelinux_ELSA-2017-3597.nasl

Version: 3.9

Type: local

Agent: unix

Published: 7/31/2017

Updated: 1/14/2021

Dependencies: 122878, 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.8

Temporal Score: 5.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-firmware, cpe:/o:oracle:linux:6

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/28/2017

Vulnerability Publication Date: 4/5/2015

Reference Information

CVE: CVE-2014-9710, CVE-2015-1465, CVE-2015-2686, CVE-2015-4167, CVE-2017-7273