Difference between revisions of "EGI CSIRT:Alerts/Linux-2014-12-17"
Jump to navigation
Jump to search
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
** WHITE information - Unlimited distribution allowed ** | ** WHITE information - Unlimited distribution allowed ** | ||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | ||
Title: EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities [EGI-ADV-20141217] | |||
Title: | |||
Date: 2014-12-17 | Date: 2014-12-17 | ||
Updated: 2014-12- | Updated: 2014-12-22 | ||
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17 | URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17 | ||
Update Summary | |||
============== | ============== | ||
+ 2014-12-18: Added information about Scientific Linux patches | |||
+ 2014-12-20: Added more details about the vulnerability and fixes | |||
+ 2014-12-22: Corrected information about affected versions | |||
Introduction | Introduction | ||
============ | ============ | ||
Redhat has announced a series of vulnerabilities in the linux kernel which | Redhat has announced a series of vulnerabilities in the linux kernel | ||
have been | which have been fixed. The most severe flaw is marked CVE-2014-9322 and | ||
is believed to provide the possibility to escalate unprivileged users' | |||
rights on the system. | |||
Fixes have been published for RHEL 5 and 6 and their derivates as well | |||
as other Linux distributions. | |||
Details | Details | ||
======= | ======= | ||
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not | |||
properly handle faults associated with the Stack Segment (SS) segment | |||
register, which allows local users to gain privileges by triggering an | |||
IRET instruction that leads to access to a GS Base address from the | |||
wrong space. (quoted from NVD). | |||
Risk category | Risk category | ||
============= | ============= | ||
The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT | |||
and EGI SVG | and EGI SVG Risk Assessment Team. | ||
Affected software | Affected software | ||
================= | ================= | ||
Linux kernel | The Linux kernel is affected. The issue was fixed in the 3.17.5 version | ||
of the mainstream distribution. The fixes were also backported to other | |||
versions by distribution vendors. | |||
In the 2.* Linux kernels of RedHat 5 and derivatives the vulnerability | |||
was fixed by version 2.6.18-400.1.1.el5. | |||
In the 2.* Linux kernels of RedHat 6 and derivatives the vulnerability | |||
was fixed by version 2.6.32-504.3.3.el6. | |||
Line 69: | Line 64: | ||
N/A | N/A | ||
Component installation information | Component installation information | ||
================================== | ================================== | ||
For many distributions, patched kernel packages are available. Refer to | |||
your distro's information channels. | |||
*NOTE* SITES USING IPoIB (IP over InfiniBand): | *NOTE* SITES USING IPoIB (IP over InfiniBand): | ||
The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that | The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that | ||
Line 86: | Line 82: | ||
Other sites can contact support@nsc.liu.se if they are | Other sites can contact support@nsc.liu.se if they are | ||
interested in our custom kernel. | interested in our custom kernel. | ||
Line 94: | Line 87: | ||
=============== | =============== | ||
Sites should update as soon as possible | Sites should update as soon as possible. | ||
All running resources MUST be either patched or otherwise have a | All running resources MUST be either patched or otherwise have a | ||
Line 102: | Line 94: | ||
In effect, all must update before going on leave for Christmas. | In effect, all must update before going on leave for Christmas. | ||
Credit | Credit | ||
Line 107: | Line 100: | ||
EGI SVG and CSIRT alerted by Leif Nixon. | EGI SVG and CSIRT alerted by Leif Nixon. | ||
IPoIB issues Kent Engström | IPoIB issues announced by Kent Engström. | ||
Line 113: | Line 106: | ||
========== | ========== | ||
+ Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9322 | |||
+ Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2014-1997.html | |||
+ Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2014-2008.html | |||
+ Scientific Linux 5: https://www.scientificlinux.org/sl-errata/slsa-20142008-1/ | |||
+ Scientific Linux 6: https://www.scientificlinux.org/sl-errata/slsa-20141997-1/ | |||
+ CentOS: http://lists.centos.org/pipermail/centos-announce/2014-December/020838.html | |||
+ Debian: https://security-tracker.debian.org/tracker/CVE-2014-9322 | |||
+ Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2014-9322 | |||
+ NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9322 | |||
http:// | |||
Timeline | Timeline |
Latest revision as of 15:07, 22 December 2014
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** Title: EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities [EGI-ADV-20141217] Date: 2014-12-17 Updated: 2014-12-22 URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17 Update Summary ============== + 2014-12-18: Added information about Scientific Linux patches + 2014-12-20: Added more details about the vulnerability and fixes + 2014-12-22: Corrected information about affected versions Introduction ============ Redhat has announced a series of vulnerabilities in the linux kernel which have been fixed. The most severe flaw is marked CVE-2014-9322 and is believed to provide the possibility to escalate unprivileged users' rights on the system. Fixes have been published for RHEL 5 and 6 and their derivates as well as other Linux distributions. Details ======= arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. (quoted from NVD). Risk category ============= The issue CVE-2014-9322 been assessed as CRITICAL risk by the EGI CSIRT and EGI SVG Risk Assessment Team. Affected software ================= The Linux kernel is affected. The issue was fixed in the 3.17.5 version of the mainstream distribution. The fixes were also backported to other versions by distribution vendors. In the 2.* Linux kernels of RedHat 5 and derivatives the vulnerability was fixed by version 2.6.18-400.1.1.el5. In the 2.* Linux kernels of RedHat 6 and derivatives the vulnerability was fixed by version 2.6.32-504.3.3.el6. Mitigation ========== N/A Component installation information ================================== For many distributions, patched kernel packages are available. Refer to your distro's information channels. *NOTE* SITES USING IPoIB (IP over InfiniBand): The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that has not been solved (and there is no indication in the errata of that), just upgrading to the latest 6.6 kernel will not be possible for sites using IPoIB. NSC is currently building a 6.5 kernel with the critical security patch applied. That should enable us to continue running IPoIB. Other sites can contact support@nsc.liu.se if they are interested in our custom kernel. Recommendations =============== Sites should update as soon as possible. All running resources MUST be either patched or otherwise have a work-around in place by 2014-12-24 T21:00+01:00. Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. In effect, all must update before going on leave for Christmas. Credit ====== EGI SVG and CSIRT alerted by Leif Nixon. IPoIB issues announced by Kent Engström. References ========== + Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9322 + Red Hat EL6: https://rhn.redhat.com/errata/RHSA-2014-1997.html + Red Hat EL5: https://rhn.redhat.com/errata/RHSA-2014-2008.html + Scientific Linux 5: https://www.scientificlinux.org/sl-errata/slsa-20142008-1/ + Scientific Linux 6: https://www.scientificlinux.org/sl-errata/slsa-20141997-1/ + CentOS: http://lists.centos.org/pipermail/centos-announce/2014-December/020838.html + Debian: https://security-tracker.debian.org/tracker/CVE-2014-9322 + Ubuntu: http://people.canonical.com/~ubuntu-security/cve/CVE-2014-9322 + NIST NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9322 Timeline ======== Yyyy-mm-dd 2014-12-16 Vulnerabilities publicly announced 2014-12-17 SVG alerted to vulnerabilities by Leif Nixon 2014-12-17 CSIRT and SVG assess risk as 'Critical' 2014-12-17 Heads up/Alert sent to sites.