The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
SVG:Advisory-SVG-CVE-2016-5195
Jump to navigation
Jump to search
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-CVE-2016-5195
Title: EGI SVG 'Heads up'[TLP:WHITE ] 'CRITICAL' Risk CVE-2016-5195 Linux
kernel privilege escalation [EGI-SVG-CVE-2016-5195]
Date: 2016-10-20
Updated:
Affected software and risk
==========================
CRITICAL risk vulnerability concerning Linux kernel
Package : Linux Kernel
CVE ID : CVE-2016-5195
A kernel vulnerability has been found concerning a race condition allowing an unprivileged local user
to gain write access to otherwise read only mappings and increase their privilege in the system.
At present this is a 'Heads up'. However sites running an OS where patches are available should urgently
install the new version. (Currently Debian and Ubuntu.)
Actions required/recommended
============================
Sites running an OS where patches are available (currently Debian and Ubuntu) are advised to install the
new version within the next 7 days. Machines allowing unprivileged user access, such as Grid Worker Nodes,
should be prioritised. At this stage a rolling update and reboot is recommended as sufficient.
Other sites, running an OS where patches are not available yet should prepare the update, which they will
be required to apply within 7 days when new version will be available. Sites are also encouraged to investigate
workarounds (e.g. systemtap) for systems with direct unprivileged user access, such as User Interfaces.
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.
Affected software details
=========================
See relevant OS providers.
More information
================
More information is available from RedHat [R 1]
This advisory will be updated when patches become available for more different
operating systems.
Component installation information
==================================
Sites running Debian should see [R 2]
Sites running Ubuntu should see [R 3]
Sites running RedHat should see [R 4] (patch not available at time of writing)
Sites running Scientific Linux (SL) should see [R 5] (patch not available at time of writing)
TLP and URL
===========
** WHITE information - Unlimited distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-5195
Minor updates may be made without re-distribution to the sites
Credit
======
SVG was alerted to this vulnerability by Daniel Kouril who is a member of SVG
References
==========
[R 1] https://bugzilla.redhat.com/show_bug.cgi?id=1384344
[R 2] https://security-tracker.debian.org/tracker/CVE-2016-5195
[R 3] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html
[R 4] https://access.redhat.com/security/cve/CVE-2016-5195
[R 5] https://www.scientificlinux.org/
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look.
Timeline
========
Yyyy-mm-dd [EGI-SVG-CVE-2016-5195]
2016-10-20 SVG alerted to this issue by Daniel Kouril
2016-10-20 Investigation of vulnerability and relevance to EGI carried out
2016-10-20 EGI SVG Risk Assessment completed
2016-10-20 IRTF/SVG agreed to issue an urgent heads up.
2016-10-20 'Heads up' sent to sites
On behalf of the EGI SVG,