The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
SVG:Advisory-SVG-CVE-2018-8897
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-CVE-2018-8897
Title: EGI SVG 'ADVISORY' [TLP:WHITE] 'MODERATE' risk - multiple vulnerabilities in the Linux kernel
(incl. CVE-2018-8897, CVE-2018-1087, CVE-2017-16939) [EGI-SVG-CVE-2018-8897]
Date: 2018-05-16
Updated:
Affected software and risk
==========================
Multiple vulnerabilities in the Linux kernel have been patched.
The patched version, kernel-3.10.0-862(.2.3) is released together with the release of RHEL 7.5
Package : Linux Kernel
CVE ID : CVE-2018-8897, CVE-2018-1087, CVE-2017-16939
- A vulnerability in the Linux kernel exception handling can allow an unprivileged user to crash the system and
cause a Denial of Service (DoS) (CVE-2018-8897).
- A vulnerability concerning the Linux kernel's KVM hypervisor exception handling can allow an unprivileged
KVM guest user to crash the guest or, potentially, escalate their privileges in the guest (CVE-2018-1087).
- The 'use-after-free' vulnerability flaw in XFRM mentioned in a previous alert [EGI-SVG-CVE-2017-16939] can,
in some circumstances, lead to privilege escalation.
None at present are considered by the SVG to be more than 'Moderate'.
Actions required/recommended
============================
Sites are recommended to update their linux kernel at their first convenient opportunity, in particular:--
- WN & UI should be updated for CVE-2018-8897
- WN & UI with Singularity in non-suid mode should be updated for CVE-2017-16939
- Hypervisors should be updated for CVE-2018-1087
Note that a re-boot is required.
More information
================
These vulnerabilities mentioned above are the ones which are most relevant to EGI and have been
assessed as unlikely to pose more than 'Moderate' Risk for the EGI infrastructure.
For a full list vulnerabilities which are fixed in this release see [R 1]
There is the possibility that the risk could be elevated to 'High', particularly for CVE-2018-1087
if a privilege escalation exploit were to become available.
Since the exception handling vulnerability has been highly publicised, see e.g. [R 2], sites should update
as soon as convenient.
Also see [R 3], [R 4], [R 5], [R 6]
Component installation information
==================================
Sites running RedHat should see [R 1]
Sites running Scientific Linux should see [R 7]
Sites running CentOS should see [R 8]
Sites running Ubuntu should see [R 9]
Sites running Debian should see [R 10]
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions**
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2018-8897
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 11]
Note that this has been updated and the latest version approved by the Operations Management Board in November 2017
References
==========
[R 1] https://access.redhat.com/errata/RHSA-2018:1318
[R 2] http://www.theregister.co.uk/2018/05/09/intel_amd_kernel_privilege_escalation_flaws/
[R 3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8897
[R 4] https://access.redhat.com/security/cve/cve-2018-8897
[R 5] https://access.redhat.com/security/cve/cve-2018-1087
[R 6] https://access.redhat.com/Security/cve/cve-2017-16939
[R 7] https://www.scientificlinux.org/?s=cve-2018-8897
[R 8] https://lists.centos.org/pipermail/centos-announce/2018-May/022829.html
[R 9] http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8897.html
[R 10] https://security-tracker.debian.org/tracker/CVE-2018-8897
[R 11] https://documents.egi.eu/public/ShowDocument?docid=3145
Credit
======
SVG was alerted to CVE-2018-8897 by Martin Bly from STFC
SVG was alerted to CVE-2018-1087 by Mischa Salle from Nikhef
Timeline
========
Yyyy-mm-dd [EGI-SVG-2018-CVE-2018-8897]
2018-05-09 SVG alerted to CVE-2018-8897 by Martin Bly from STFC
2018-05-09 Acknowledgement from the EGI SVG to the reporter
2018-05-09 Investigation of vulnerability and relevance to EGI carried out
2018-05-09 EGI SVG Risk Assessment completed
2018-05-16 Advisory sent to sites
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 11]
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group,
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments
depending on how the software is used.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
On behalf of the EGI SVG,