Detections
Analytics

RHEL 6 : MRG (RHSA-2017:3295)

medium Nessus Plugin ID 104986

Language:

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es) :

* It was found that the timer functionality in the Linux kernel ALSA subsystem is prone to a race condition between read and ioctl system call handlers, resulting in an uninitialized memory disclosure to user space. A local user could use this flaw to read information belonging to other users. (CVE-2017-1000380, Moderate)

Red Hat would like to thank Alexander Potapenko (Google) for reporting this issue.

Bug Fix(es) :

* The current realtime throttling mechanism prevents the starvation of non-realtime tasks by CPU-intensive realtime tasks. When a realtime run queue is throttled, it allows non-realtime tasks to run. If there are not non-realtime tasks, the CPU goes idle. To safely maximize CPU usage by decreasing the CPU idle time, the RT_RUNTIME_GREED scheduler feature has been implemented. When enabled, this feature checks if non-realtime tasks are starving before throttling the realtime task.
The RT_RUNTIME_GREED scheduler option guarantees some run time on all CPUs for the non-realtime tasks, while keeping the realtime tasks running as much as possible. (BZ# 1459275)

* The kernel-rt packages have been upgraded to version 3.10.0-693.11.1.rt56.595, which provides a number of security and bug fixes over the previous version. (BZ#1500036)

* In the realtime kernel, if the rt_mutex locking mechanism was taken in the interrupt context, the normal priority inheritance protocol incorrectly identified a deadlock, and a kernel panic occurred. This update reverts the patch that added rt_mutex in the interrupt context, and the kernel no longer panics due to this behavior. (BZ#1509021)

Solution

Update the affected packages.

See Also

https://access.redhat.com/errata/RHSA-2017:3295

https://access.redhat.com/security/cve/cve-2017-1000380

Plugin Details

Severity: Medium

ID: 104986

File Name: redhat-RHSA-2017-3295.nasl

Version: 3.9

Type: local

Agent: unix

Published: 12/4/2017

Updated: 10/24/2019

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:kernel-rt, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64, p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc, p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware, p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace, p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo, p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla, p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo, p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel, cpe:/o:redhat:enterprise_linux:6

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/30/2017

Vulnerability Publication Date: 6/17/2017

Reference Information

CVE: CVE-2017-1000380

RHSA: 2017:3295