Virtuozzo 7 : readykernel-patch (VZA-2020-015)

Severity: High. Nessus Plugin ID: 133952

Synopsis

The remote Virtuozzo host is missing a security update.

Description

According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerability:

- [3.10.0-862.9.1.vz7.63.3 to 3.10.0-1062.4.2.vz7.116.7] xfs: potential denial of service caused by missing unlock operation in xfs_setattr_nonsize(). It was discovered that xfs_setattr_nonsize() would not unlock 'ILOCK' lock if the user or group were out of their disk quota. As a result, any subsequent operation, which needed to take 'ILOCK', would get stuck, leading to a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the readykernel patch.

See Also

https://virtuozzosupport.force.com/s/article/VZA-2020-015

https://access.redhat.com/security/cve/cve-2019-15538

http://www.nessus.org/u?859747e7

http://www.nessus.org/u?14581295

http://www.nessus.org/u?6e5a0ac5

http://www.nessus.org/u?1ca60cde

http://www.nessus.org/u?0e6efe3d

http://www.nessus.org/u?e2ad6828

http://www.nessus.org/u?060c2d8c

http://www.nessus.org/u?94b61465

Plugin Details

Severity: High

ID: 133952

File Name: Virtuozzo_VZA-2020-015.nasl

Version: 1.3

Type: local

Published: 2020/02/24

Updated: 2020/03/04

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:virtuozzo:virtuozzo:readykernel, cpe:/o:virtuozzo:virtuozzo:7

Required KB Items: Host/local_checks_enabled, Host/Virtuozzo/release, Host/Virtuozzo/rpm-list, Host/readykernel-info

Exploit Ease: No known exploits are available

Patch Publication Date: 2020/02/21

Reference Information

CVE: CVE-2019-15538