Difference between revisions of "SVG:Advisory-SVG-CVE-2016-5195"
Revision as of 16:27, 20 October 2016
Advisory-SVG-CVE-2016-5195
Title: EGI SVG 'Heads up' [TLP:WHITE] 'CRITICAL' Risk CVE-2016-5195 Linux
kernel privilege escalation [EGI-SVG-CVE-2016-5195]

Date: 2016-10-20
Updated:

Affected software and risk
==========================

CRITICAL risk vulnerability concerning Linux kernel

Package : Linux Kernel
CVE ID : CVE-2016-5195

A kernel vulnerability has been found concerning a race condition allowing an unprivileged local user
to gain write access to otherwise read-only mappings and increase their privilege in the system.

At present this is a 'Heads up'. However, sites running an OS where patches are available should urgently
install the new version. (Currently Debian and Ubuntu.)

Actions required/recommended
============================

Sites running an OS where patches are available (currently Debian and Ubuntu) are advised to install the
new version within the next 7 days. Machines allowing unprivileged user access, such as Grid Worker Nodes,
should be prioritised. At this stage a rolling update and reboot is recommended as sufficient.

Other sites, running an OS where patches are not available yet, should prepare the update, which they will
be required to apply within 7 days of the new version becoming available. Sites are also encouraged to investigate
workarounds (e.g. systemtap) for systems with direct unprivileged user access, such as User Interfaces.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

Affected software details
=========================

See relevant OS providers.

More information
================

More information is available from RedHat [R 1]

This advisory will be updated when patches become available for more
operating systems.
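An added illustration of the kind of SystemTap workaround the 'Actions required' section points to; it is not part of the advisory, and the Red Hat bug at [R 1] is the authoritative source for the script and its caveats. It assumes SystemTap and the debuginfo for the running kernel are installed, and that it is loaded with `stap -g`.

```systemtap
// Added example: temporary mitigation for CVE-2016-5195 on hosts that cannot
// yet be patched, modelled on the workaround published in the Red Hat bug [R 1].
// Load with:  stap -g cve-2016-5195.stp
// Guru mode (-g) is required because the probes modify kernel variables.
// Stop the stap process to remove it; the real fix remains the vendor kernel update.

// The race is exercised through writes to /proc/PID/mem. Forcing the write
// length to zero turns every such write into a no-op, which closes that path.
// The trailing '?' makes the probe optional, so stap does not abort if the
// function is not present in this kernel build.
probe kernel.function("mem_write").call ? {
        $count = 0
}

// The ptrace interface offers a second route to the same race. Overwriting the
// request with an invalid value makes every ptrace call fail with an error.
// Side effect: debuggers and tracers (gdb, strace) do not work while this is loaded,
// so weigh that against the exposure of the host (User Interfaces vs. Worker Nodes).
probe syscall.ptrace {
        $request = 0xfff
}

// Kernel log markers so administrators can see in dmesg when the mitigation
// was active on a given host.
probe begin {
        printk(0, "CVE-2016-5195 mitigation loaded")
}

probe end {
        printk(0, "CVE-2016-5195 mitigation unloaded")
}
```

Because the script only stays active while the stap process runs, it must be restarted after a reboot and should be tracked as an open item until the patched kernel is installed.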
Component installation information
==================================

Sites running Debian should see [R 2]
Sites running Ubuntu should see [R 3]
Sites running RedHat should see [R 4] (patch not available at time of writing)
Sites running Scientific Linux (SL) should see [R 5] (patch not available at time of writing)

TLP and URL
===========

** WHITE information - Unlimited distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ***

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-5195

Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by Daniel Kouril, who is a member of SVG.

References
==========

[R 1] https://bugzilla.redhat.com/show_bug.cgi?id=1384344
[R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195
[R 3] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html
[R 4] https://access.redhat.com/security/cve/CVE-2016-5195
[R 5] https://www.scientificlinux.org/

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu
and the EGI Software Vulnerability Group will take a look.

Timeline
========

Yyyy-mm-dd [EGI-SVG-CVE-2016-5195]

2016-10-20 SVG alerted to this issue by Daniel Kouril
2016-10-20 Investigation of vulnerability and relevance to EGI carried out
2016-10-20 EGI SVG Risk Assessment completed
2016-10-20 IRTF/SVG agreed to issue an urgent heads up
2016-10-20 'Heads up' sent to sites

On behalf of the EGI SVG,