SVG:Advisory-SVG-CVE-2018-8897
Revision as of 15:21, 16 May 2018
Advisory-SVG-CVE-2018-8897
Title: EGI SVG 'ADVISORY' [TLP:WHITE] 'MODERATE' risk - multiple vulnerabilities in the Linux kernel (incl. CVE-2018-8897, CVE-2018-1087, CVE-2017-16939) [EGI-SVG-CVE-2018-8897]

Date: 2018-05-16
Updated:

Affected software and risk
==========================

Multiple vulnerabilities in the Linux kernel have been patched. The patched version, kernel-3.10.0-862(.2.3), is released together with the release of RHEL 7.5.

Package : Linux Kernel
CVE ID  : CVE-2018-8897, CVE-2018-1087, CVE-2017-16939

- A vulnerability in the Linux kernel exception handling can allow an unprivileged user to crash the system and cause a Denial of Service (DoS) (CVE-2018-8897).
- A vulnerability in the Linux kernel's KVM hypervisor exception handling can allow an unprivileged KVM guest user to crash the guest or, potentially, escalate their privileges in the guest (CVE-2018-1087).
- The 'use-after-free' vulnerability in XFRM mentioned in a previous alert [EGI-SVG-CVE-2017-16939] can, in some circumstances, lead to privilege escalation.

None at present are considered by the SVG to be more than 'Moderate'.

Actions required/recommended
============================

Sites are recommended to update their Linux kernel at their first convenient opportunity, in particular:

- WN & UI should be updated for CVE-2018-8897
- WN & UI with Singularity in non-suid mode should be updated for CVE-2017-16939
- Hypervisors should be updated for CVE-2018-1087

Note that a re-boot is required.

More information
================

The vulnerabilities mentioned above are the ones most relevant to EGI and have been assessed as unlikely to pose more than 'Moderate' risk for the EGI infrastructure. For a full list of the vulnerabilities fixed in this release see [R 1].

There is the possibility that the risk could be elevated to 'High', particularly for CVE-2018-1087, if a privilege escalation exploit were to become available.

Since the exception handling vulnerability has been highly publicised, see e.g. [R 2], sites should update as soon as convenient.

Also see [R 3], [R 4], [R 5], [R 6].

Component installation information
==================================

Sites running RedHat should see [R 1]
Sites running Scientific Linux should see [R 7]
Sites running CentOS should see [R 8]
Sites running Ubuntu should see [R 9]
Sites running Debian should see [R 10]

TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2018-8897

Minor updates may be made without re-distribution to the sites.

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu. The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 11]. Note that this procedure has been updated and the latest version was approved by the Operations Management Board in November 2017.

References
==========

[R 1] https://access.redhat.com/errata/RHSA-2018:1318
[R 2] http://www.theregister.co.uk/2018/05/09/intel_amd_kernel_privilege_escalation_flaws/
[R 3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8897
[R 4] https://access.redhat.com/security/cve/cve-2018-8897
[R 5] https://access.redhat.com/security/cve/cve-2018-1087
[R 6] https://access.redhat.com/Security/cve/cve-2017-16939
[R 7] https://www.scientificlinux.org/?s=cve-2018-8897
[R 8] https://lists.centos.org/pipermail/centos-announce/2018-May/022829.html
[R 9] http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8897.html
[R 10] https://security-tracker.debian.org/tracker/CVE-2018-8897
[R 11] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to CVE-2018-8897 by Martin Bly from STFC
SVG was alerted to CVE-2018-1087 by Mischa Salle from Nikhef

Timeline
========

Yyyy-mm-dd [EGI-SVG-2018-CVE-2018-8897]
2018-05-09 SVG alerted to CVE-2018-8897 by Martin Bly from STFC
2018-05-09 Acknowledgement from the EGI SVG to the reporter
2018-05-09 Investigation of vulnerability and relevance to EGI carried out
2018-05-09 EGI SVG Risk Assessment completed
2018-05-16 Advisory sent to sites

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose "To minimize the risk to the EGI infrastructure arising from software vulnerabilities".

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 11], in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used.

Others may re-use this information provided they:

1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group

On behalf of the EGI SVG,
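As an added check for the "Actions required/recommended" section (example code, not part of the EGI SVG advisory): a POSIX shell snippet that compares a RHEL 7 family kernel version string against the patched kernel-3.10.0-862.2.3 named in the advisory, and flags hosts where the fixed kernel is installed but, pending the required re-boot, is not yet the running kernel. Only the PATCHED_KERNEL value comes from the advisory; the function names and the uname/rpm invocation are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the EGI SVG advisory: classify a RHEL/CentOS/SL 7
# host against the patched kernel named in the advisory (RHSA-2018:1318).

PATCHED_KERNEL="3.10.0-862.2.3"   # from the advisory; the bare -862 GA kernel is older

# Turn "3.10.0-862.2.3.el7.x86_64" into the numeric fields "3 10 0 862 2 3"
# (distribution tag and architecture are dropped).
kver_fields() {
    printf '%s\n' "$1" | sed -e 's/[^0-9.-].*$//' -e 's/[.-][.-]*/ /g'
}

# kver_ge A B: exit 0 when kernel version A >= B, comparing up to eight
# fields numerically; a missing trailing field counts as 0.
kver_ge() {
    a=$(kver_fields "$1")
    b=$(kver_fields "$2")
    i=1
    while [ "$i" -le 8 ]; do
        x=$(printf '%s\n' "$a" | cut -s -d' ' -f"$i")
        y=$(printf '%s\n' "$b" | cut -s -d' ' -f"$i")
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# kernel_status RUNNING INSTALLED: prints "patched" when the running kernel
# is fixed, "reboot-required" when a fixed kernel is installed but not yet
# booted (the advisory notes a re-boot is required), else "vulnerable".
kernel_status() {
    if kver_ge "$1" "$PATCHED_KERNEL"; then
        echo patched
    elif kver_ge "$2" "$PATCHED_KERNEL"; then
        echo reboot-required
    else
        echo vulnerable
    fi
}

# Stand-alone use on a host: pass the running and the newest installed kernel, e.g.
#   kernel_status "$(uname -r)" "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort -V | tail -n 1)"
if [ "$#" -eq 2 ]; then
    kernel_status "$1" "$2"
fi
```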