Difference between revisions of "SVG:Advisory-SVG-2015-CVE-2015-7613"
Latest revision as of 15:35, 5 January 2016
Advisory-SVG-2015-CVE-2015-7613
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2015-CVE-2015-7613]

Title:   EGI SVG Advisory 'Moderate/High' RISK - Linux Kernel Vulnerability CVE-2015-7613
Date:    2016-01-05
Updated:

URL:     https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-CVE-2015-7613

Introduction
============

A number of Linux Kernel vulnerabilities have been found and fixed by the software providers.

SVG has looked at these and the one which gives concern for EGI is CVE-2015-7613. [R 1]

While there is no exploit available at present, it is potentially serious if an exploit
were to become available. Therefore sites are recommended to update when it is practical
to do so, and be aware that the risk could rise.

These were fixed as part of the Scientific Linux release on 15th December. [R 2]

Details
=======

Details at [R 1], [R 2] and [R 3], [R 4] and [R 5]

We are not aware of any exploit for this at present.

Risk category
=============

This issue has been assessed as 'High' risk by 2 members of the EGI SVG Risk Assessment
Team and 'Moderate' by 2 others. It is not clear whether this will ever be exploitable in EGI.

Affected software
=================

It would appear that this vulnerability affects multiple Linux operating systems.

Red Hat and its derivatives are affected. [R 3]

For Scientific Linux See [R 2]

For Ubuntu See [R 4]

For Debian See [R 5]

Mitigation
==========

N/A.

Component installation information
==================================

Red Hat see [R 3]

Scientific Linux See [R 2]

Ubuntu See [R 4]

Debian See [R 5]

Recommendations
===============

While SVG is not aware of any exploit at present, it is potentially serious if an exploit
were to become available which worked in the EGI infrastructure.
There is then the possibility that this may escalate to become a 'Critical' risk issue.
Hence it is recommended that sites update their systems when it is convenient to do so.

Credit
======

SVG was alerted to this vulnerability by Ian Neilson of SVG.

References
==========

[R 1] NVD link https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7613

[R 2] Scientific Linux https://www.scientificlinux.org/sl-errata/slsa-20152636-1/

[R 3] RedHat https://access.redhat.com/security/cve/cve-2015-7613

[R 4] Ubuntu http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7613.html

[R 5] Debian https://security-tracker.debian.org/tracker/CVE-2015-7613

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions and
comments are welcome.

Timeline
========

Yyyy-mm-dd

2015-12-16 SVG alerted to this announcement by Ian Neilson
2015-12-16 SVG members asked to provide risk assessment
2015-12-18 Risk vote evens between Moderate and High
2016-01-05 Advisory sent to sites