The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Advisory-SVG-CVE-2016-7117"

From EGIWiki
(Created page with "{{svg-header}} <pre> Title: EGI SVG 'Heads up' [TLP:WHITE ] CRITICAL risk CVE-2016-7117 Linux kernel vulnerability [EGI-SVG-CVE-2016-7117] Date: 2016-11-10 Upd...")
 
Line 3: Line 3:

Old revision:

Title:      EGI SVG 'Heads up' [TLP:WHITE] CRITICAL risk CVE-2016-7117 Linux kernel vulnerability  [EGI-SVG-CVE-2016-7117]

Date:        2016-11-10
Updated:

Affected software and risk
==========================

'CRITICAL' risk vulnerability concerning the Linux kernel Use-after-free in the recvmmsg exit path.

Package : Linux Kernel
CVE ID  : CVE-2016-7117

New revision:

Title:      EGI SVG 'Heads up' **UPDATE**[TLP:WHITE] 'HIGH' risk CVE-2016-7117 Linux kernel vulnerability  [EGI-SVG-CVE-2016-7117]

Date:        2016-11-10
Updated:     2016-12-14

Affected software and risk
==========================

**UPDATE 2016-12-14** Downgraded from 'CRITICAL' risk to 'HIGH' risk.

'HIGH' risk vulnerability concerning the Linux kernel Use-after-free in the recvmmsg exit path.

Package : Linux Kernel
CVE ID  : CVE-2016-7117

Line 19: Line 23:

Old revision:

This may allow a local root exploit and potentially also remote arbitrary code execution.

Updates are available for most Linux distributions except RedHat and its derivatives.

Actions required/recommended
============================

Sites should apply vendor kernel updates as soon as patches are available for the operating
system they are running.

It is not necessary for sites to reply to this 'Heads up'.

EGI CSIRT monitors sites for High Risk and Critical risk vulnerabilities, and it is important
that you respond to any request from EGI CSIRT directed to your site.

Sites failing to act on requests from the EGI CSIRT team risk suspension.

New revision:

This may allow a local root exploit and potentially also remote arbitrary code execution.

Updates are available for most Linux distributions except RedHat and its derivatives.

**UPDATE 2016-12-14** This has been downgraded to 'HIGH' risk thanks to lack of news on exploit attempts.

Actions required/recommended
============================

**UPDATE 2016-12-14** changed from "as soon as [...] available" to "as soon as possible"

Sites should apply vendor kernel updates as soon as possible if patches are available for the
operating system they are running.

It is not necessary for sites to reply to this 'Heads up'. EGI CSIRT monitors sites for High Risk and
Critical risk vulnerabilities, and it is important that you respond to any request from EGI CSIRT directed to your site.

Sites failing to act on requests from the EGI CSIRT team risk suspension.

Line 46: Line 51:

Old revision:

For more information see [R 1], [R 2], [R 3]

At present no working root exploit has been made public.  This is a mitigating circumstance.
Some members of SVG consider it likely that one may be made public at any time, hence the assessment
of 'Critical'.  For this reason we recommend sites update as soon as possible.

New revision:

For more information see [R 1], [R 2], [R 3]

**Original Heads up on 2016-11-10** At present no working root exploit has been made public.
This is a mitigating circumstance. Some members of SVG consider it likely that one may be made
public at any time, hence the assessment of 'Critical'.
For this reason we recommend sites update as soon as possible.

**UPDATE 2016-12-14** No exploit has become available as far as EGI SVG is aware, so this has been
downgraded to 'HIGH' risk. Sites should still update as soon as possible if they are running a
vulnerable version of Linux and a non-vulnerable version has been released.

Line 55: Line 65:

Shown in both revisions without visible change:

There is no recommended mitigation to prevent this vulnerability being exploited.

Component installation information

Line 67: Line 76:

Shown in both revisions without visible change:

Sites running Scientific Linux (SL) should see [R 7] (Patch is not available yet.)

TLP and URL
===========

*** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ***

Line 106: Line 113:

Old revision:

======================

Questions about the operational follow up of this vulnerability should be sent to abuse@egi.eu

Comments or questions about the vulnerability itself should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to

New revision:

Same text, with the e-mail addresses (abuse@egi.eu and svg-rat at mailman.egi.eu) wrapped onto separate lines.

Line 126: Line 137:

Old revision:

2016-11-07 EGI SVG Risk Assessment completed.
2016-11-10 'Heads up' sent to sites

New revision:

2016-11-07 EGI SVG Risk Assessment completed.
2016-11-10 'Heads up' sent to sites
2016-12-12 Suggested at EGI IRTF meeting that risk should be downgraded to 'High' due to lack of exploit
2016-12-12 Asked SVG for any objections to the downgrade.
2016-12-14 No objections, so downgraded the risk, and sent update to sites

Revision as of 11:47, 14 December 2016


Advisory-SVG-CVE-2016-7117



Title:       EGI SVG 'Heads up' **UPDATE**[TLP:WHITE] 'HIGH' risk CVE-2016-7117 Linux kernel vulnerability  [EGI-SVG-CVE-2016-7117]

Date:        2016-11-10
Updated:     2016-12-14

Affected software and risk
==========================

**UPDATE 2016-12-14** Downgraded from 'CRITICAL' risk to 'HIGH' risk.

'HIGH' risk vulnerability concerning the Linux kernel Use-after-free in the recvmmsg exit path.

Package : Linux Kernel 
CVE ID  : CVE-2016-7117

A 'use after free' vulnerability was found in the kernel's socket recvmmsg subsystem.
This may allow a local root exploit and potentially also remote arbitrary code execution.   

Updates are available for most Linux distributions except RedHat and its derivatives.

**UPDATE 2016-12-14** This has been downgraded to 'HIGH' risk thanks to lack of news on exploit attempts.

Actions required/recommended
============================

**UPDATE 2016-12-14** changed from "as soon as [...] available" to "as soon as possible"

Sites should apply vendor kernel updates as soon as possible if patches are available for the 
operating system they are running. 

It is not necessary for sites to reply to this 'Heads up'. EGI CSIRT monitors sites for High Risk and
Critical risk vulnerabilities, and it is important that you respond to any request from EGI CSIRT directed to your site.

Sites failing to act on requests from the EGI CSIRT team risk suspension.
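Because distributions backport fixes without changing the upstream kernel version, the version string alone does not tell a site whether the fix for CVE-2016-7117 is present; the vendor's package changelog does. The script below is an added example, not part of the EGI advisory or of any vendor tooling: it looks for the CVE identifier in the changelog of the package behind the kernel that is actually running, so a fixed kernel that has been installed but not yet booted is still reported as unpatched. It assumes that RPM-based hosts expose the changelog via 'rpm -q --changelog kernel-$(uname -r)' and that Debian/Ubuntu hosts ship it as /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz; the sample changelog entries embedded for the demo are constructed, not taken from any distribution. On the RedHat-family hosts the advisory describes as not yet patched, the result will be "unpatched" until the vendor kernel ships.

```shell
#!/bin/sh
# Added example, not part of the EGI advisory: report whether the package
# behind the *running* kernel lists CVE-2016-7117 in its changelog.
# Assumptions: RPM-based hosts expose the package changelog via
# 'rpm -q --changelog kernel-$(uname -r)'; Debian/Ubuntu hosts ship it in
# /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz.

CVE="CVE-2016-7117"

# Read changelog text on stdin; print "patched" if the CVE id appears
# (case-insensitively), "unpatched" otherwise. Exit status follows the
# verdict (0 = patched, 1 = unpatched).
classify_changelog() {
    if grep -q -i -F -- "$CVE"; then
        echo patched
        return 0
    fi
    echo unpatched
    return 1
}

# Emit the changelog of the package that owns the running kernel.
# Fails (status 1) when no changelog can be located, so the caller can
# distinguish "unknown" from "unpatched".
running_kernel_changelog() {
    kver=$(uname -r)
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "kernel-$kver" 2>/dev/null
    elif [ -r "/usr/share/doc/linux-image-$kver/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/linux-image-$kver/changelog.Debian.gz"
    else
        return 1
    fi
}

# Check the running kernel rather than the newest installed package: a fixed
# kernel that has been installed but not booted does not reduce the risk.
# Prints patched / unpatched / unknown; status 0 / 1 / 2.
check_running_kernel() {
    log=$(running_kernel_changelog) || { echo unknown; return 2; }
    printf '%s\n' "$log" | classify_changelog
}

# Constructed sample changelog entries (not from any real distribution),
# used only to show the two verdicts without touching the host.
SAMPLE_FIXED='* <date> <maintainer>
- Fix use-after-free in the recvmmsg exit path (CVE-2016-7117)'
SAMPLE_OLD='* <date> <maintainer>
- Unrelated driver fix'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_FIXED" | classify_changelog   # patched
    printf '%s\n' "$SAMPLE_OLD" | classify_changelog     # unpatched
else
    check_running_kernel
fi
```

Run it without arguments on a host to classify the running kernel, or with --demo to see both verdicts on the constructed samples. A site-wide check is the same script fanned out over the fleet with whatever configuration management is in use, collecting the one-word verdict per host; "unknown" hosts (no changelog found) need a manual look rather than being treated as patched.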


Affected software details
=========================

All Linux distributions, see relevant OS providers.

More information
================

For more information see [R 1], [R 2], [R 3]

**Original Heads up on 2016-11-10** At present no working root exploit has been made public.  
This is a mitigating circumstance. Some members of SVG consider it likely that one may be made 
public at any time, hence the assessment of 'Critical'.  
For this reason we recommend sites update as soon as possible.

**UPDATE 2016-12-14** No exploit has become available as far as EGI SVG is aware, so this has been 
downgraded to 'HIGH' risk. Sites should still update as soon as possible if they are running a 
vulnerable version of Linux and a non-vulnerable version has been released.


Mitigation
==========

There is no recommended mitigation to prevent this vulnerability being exploited.

Component installation information
==================================

Sites running Debian should see [R 5]

Sites running Ubuntu should see [R 6]

Sites running RedHat should see [R 2], [R 4] (Patch is not available yet.) 

Sites running Scientific Linux (SL) should see [R 7] (Patch is not available yet.) 


TLP and URL
===========

*** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ***

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-7117    

Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by Sebastien Gadrat. 

References
==========

[R 1] https://blog.lizzie.io/notes-about-cve-2016-7117.html

[R 2] https://bugzilla.redhat.com/show_bug.cgi?id=1382268

[R 3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7117

[R 4] https://access.redhat.com/security/cve/cve-2016-7117 

[R 5] https://security-tracker.debian.org/tracker/CVE-2016-7117

[R 6] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7117.html

[R 7] https://www.scientificlinux.org/  


Comments and questions
======================

Questions about the operational follow up of this vulnerability should be sent to abuse@egi.eu

Comments or questions about the vulnerability itself should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu and the EGI Software Vulnerability Group will take a look.


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-CVE-2016-7117] 

2016-10-20 SVG alerted to this issue by Sebastien Gadrat. 
2016-10-20 Acknowledgement from the EGI SVG to the reporter
2016-10--- Investigation of vulnerability and relevance to EGI carried out.
2016-11-07 EGI SVG Risk Assessment completed. 
2016-11-10 'Heads up' sent to sites
2016-12-12 Suggested at EGI IRTF meeting that risk should be downgraded to 'High' due to lack of exploit
2016-12-12 Asked SVG for any objections to the downgrade.
2016-12-14 No objections, so downgraded the risk, and sent update to sites