Difference between revisions of "EGI CSIRT:Alerts/Linux-2014-12-17"
Revision as of 10:50, 18 December 2014
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20141217]

Title: 'Heads up' EGI SVG/CSIRT Alert/Advisory 'CRITICAL' risk - Linux kernel vulnerabilities [EGI-ADV-20141217]
Date: 2014-12-17
Updated: 2014-12-18
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Linux-2014-12-17

UPDATE-2014-12-18-1
===================

Scientific Linux patches are available, see:
https://www.scientificlinux.org/sl-errata/slsa-20141997-1/

Introduction
============

Red Hat has announced a series of vulnerabilities in the Linux kernel which have been fixed. Some of these are considered 'Critical' in the EGI environment. These have been fixed in RHEL 6. Not all Linux distributions have these fixed yet; in particular, we are awaiting a fix for Scientific Linux.

This advisory will be updated as more fixes become available.

Details
=======

Details are available at the Red Hat site [R 1], and at [R 2] for Debian-based systems. [R 3] has information on CentOS.

Risk category
=============

Some of these issues have been assessed as 'Critical' risk by the EGI CSIRT and EGI SVG Risk Assessment Team.

Affected software
=================

Linux kernel

More information will be added later.

Mitigation
==========

N/A

Component installation information
==================================

See [R 1], [R 2], [R 3]

*NOTE* SITES USING IPoIB (IP over InfiniBand):

The 6.6 kernels seem to have problems with IPoIB (IP over InfiniBand). If that has not been solved (and there is no indication in the errata that it has), simply upgrading to the latest 6.6 kernel will not be possible for sites using IPoIB.

NSC is currently building a 6.5 kernel with the critical security patch applied. That should enable us to continue running IPoIB. Other sites can contact support@nsc.liu.se if they are interested in our custom kernel.

Further information will be made available later.

Recommendations
===============

Sites should update as soon as possible, once fixed versions of the Linux distribution they are using become available.

All running resources MUST be either patched or otherwise have a work-around in place by 2014-12-24 T21:00+01:00. Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

In effect, all must update before going on leave for Christmas.

Credit
======

EGI SVG and CSIRT alerted by Leif Nixon.
IPoIB issues: Kent Engström

References
==========

[R 1] https://rhn.redhat.com/errata/RHSA-2014-1997.html

[R 2] For Debian-based systems see:

CVE-2012-6657 is fixed in Debian and Ubuntu
https://security-tracker.debian.org/tracker/CVE-2012-6657
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-6657.html

CVE-2014-3673 is fixed in Debian and Ubuntu
https://security-tracker.debian.org/tracker/CVE-2014-3673
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3673.html

CVE-2014-3687 is fixed in Debian and Ubuntu
https://security-tracker.debian.org/tracker/CVE-2014-3687
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3687.html

CVE-2014-3688 is fixed in Debian and Ubuntu
https://security-tracker.debian.org/tracker/CVE-2014-3688
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3688.html

CVE-2014-5471 is fixed in Debian and Ubuntu
https://security-tracker.debian.org/tracker/CVE-2014-5471
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5471.html

CVE-2014-5472 is fixed in Debian and Ubuntu
https://security-tracker.debian.org/tracker/CVE-2014-5472
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5472.html

CVE-2014-6410 is fixed in Debian and Ubuntu
https://security-tracker.debian.org/tracker/CVE-2014-6410
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6410.html

CVE-2014-9322 is fixed in Debian, needs triage on some Ubuntu versions
https://security-tracker.debian.org/tracker/CVE-2014-9322
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9322.html

[R 3] Announcements for CentOS security updates: check CESA messages on lists.centos.org/pipermail/centos-announce/, for example:
http://lists.centos.org/pipermail/centos-announce/2014-December/020838.html

Timeline
========

Yyyy-mm-dd

2014-12-16 Vulnerabilities publicly announced
2014-12-17 SVG alerted to vulnerabilities by Leif Nixon
2014-12-17 CSIRT and SVG assess risk as 'Critical'
2014-12-17 Heads up/Alert sent to sites.
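A site-side check for the Recommendations section above, added here as an example and not part of the EGI advisory: it reports which of the advisory's CVE identifiers (the [R 2] list) are not mentioned in a kernel package's changelog, and whether the running kernel is the most recently installed one, since an installed fix only protects after a reboot into that kernel. It assumes an RPM-based host (RHEL, Scientific Linux, CentOS) whose kernel changelog names the fixed CVEs; the function names and sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the EGI advisory. Checks a host against the
# CVE list from the advisory's [R 2] references.

# CVE identifiers taken from the advisory; a single space-separated list.
ADVISORY_CVES="CVE-2012-6657 CVE-2014-3673 CVE-2014-3687 CVE-2014-3688
CVE-2014-5471 CVE-2014-5472 CVE-2014-6410 CVE-2014-9322"

# Read a changelog on stdin and print each advisory CVE it does NOT mention.
# Returns 0 when every CVE is present, 1 when at least one is missing.
# On an RPM host:  rpm -q --changelog kernel | missing_cves
missing_cves() {
    changelog=$(cat)
    rc=0
    for cve in $ADVISORY_CVES; do
        case "$changelog" in
            *"$cve"*) ;;                 # fix for this CVE is listed
            *) echo "$cve"; rc=1 ;;      # not listed: still unpatched
        esac
    done
    return $rc
}

# $1: running kernel release (uname -r)
# $2: first line of `rpm -q --last kernel`, i.e. the newest installed
#     kernel package followed by its install date.
# Returns 0 (true) when the newest kernel is NOT the running one, so the
# host still needs a reboot before it counts as patched.
reboot_pending() {
    newest=${2%%[[:space:]]*}        # drop the install-date column
    newest=${newest#kernel-}         # package name -> release string
    [ "$1" != "$newest" ]
}

# Stand-alone use on a real host (constructed report lines):
#   rpm -q --changelog kernel | missing_cves || echo "kernel lacks fixes"
#   reboot_pending "$(uname -r)" "$(rpm -q --last kernel | head -n 1)" \
#       && echo "reboot into the newest kernel required"
```

Run the two checks on every worker node and service host; a node that passes `missing_cves` but still reports `reboot_pending` is not yet patched in the sense the advisory deadline requires.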