Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4208)

High Nessus Plugin ID 112283


Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

[4.1.12-124.18.9.el7uek]
- rebuild bumping release

[4.1.12-124.18.8.el7uek]
- Cipso: cipso_v4_optptr enter infinite loop (yujuan.qi) [Orabug: 28563992] {CVE-2018-10938}
- Btrfs: fix list_add corruption and soft lockups in fsync (Liu Bo) [Orabug: 28119834]
- x86/paravirt: Fix spectre-v2 mitigations for paravirt guests (Peter Zijlstra) [Orabug: 28474643] {CVE-2018-15594}
- sym53c8xx: fix NULL pointer dereference panic in sym_int_sir() in sym_hipd.c (George Kennedy) [Orabug: 28481893]
- md/raid1: Avoid raid1 resync getting stuck (Jes Sorensen) [Orabug: 28529228]
- x86/spectrev2: Don't set mode to SPECTRE_V2_NONE when retpoline is available. (Boris Ostrovsky) [Orabug: 28540376]

[4.1.12-124.18.7.el7uek]
- ext4: avoid deadlock when expanding inode size (Jan Kara) [Orabug: 25718971]
- ext4: properly align shifted xattrs when expanding inodes (Jan Kara) [Orabug: 25718971]
- ext4: fix xattr shifting when expanding inodes part 2 (Jan Kara) [Orabug: 25718971]
- ext4: fix xattr shifting when expanding inodes (Jan Kara) [Orabug: 25718971]
- uek-rpm: Enable perf stripped binary (Victor Erminpour) [Orabug: 27801171]
- nfsd: give out fewer session slots as limit approaches (J. Bruce Fields) [Orabug: 28023821]
- nfsd: increase DRC cache limit (J. Bruce Fields) [Orabug: 28023821]
- uek-rpm: config-debug: Turn off torture testing by default (Knut Omang) [Orabug: 28261886]
- ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() (Junichi Nomura)
- x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs (Yazen Ghannam) [Orabug: 28416303]
- Fix up non-directory creation in SGID directories (Linus Torvalds) [Orabug: 28459477] {CVE-2018-13405}
- scsi: libsas: defer ata device eh commands to libata (Jason Yan) [Orabug: 28459685] {CVE-2018-10021}
- PCI: Allocate ATS struct during enumeration (Bjorn Helgaas) [Orabug: 28460092]

Solution

Update the affected Unbreakable Enterprise Kernel packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2018-September/008011.html

https://oss.oracle.com/pipermail/el-errata/2018-September/008012.html

Plugin Details

Severity: High

ID: 112283

File Name: oraclelinux_ELSA-2018-4208.nasl

Version: 1.8

Type: local

Agent: unix

Published: 2018/09/05

Updated: 2019/09/27

Dependencies: 12634, 122878

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.1

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-firmware, cpe:/o:oracle:linux:6, cpe:/o:oracle:linux:7

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/09/04

Vulnerability Publication Date: 2018/04/11

Reference Information

CVE: CVE-2018-10021, CVE-2018-10938, CVE-2018-13405, CVE-2018-15594