SVG:Advisory-SVG-CVE-2016-7117

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template RAT/Membership Documents Assessment Secure Coding Info for SVG members

Advisory-SVG-CVE-2016-7117



Title:       EGI SVG Advisory **UPDATE**[TLP:WHITE] 'HIGH' risk CVE-2016-7117 Linux kernel vulnerability  
             [EGI-SVG-CVE-2016-7117]  

Date:        2016-11-10
Updated:     2016-12-14, 2017-01-13, 2017-01-18

Affected software and risk
==========================

**UPDATE 2017-01-18** Patches are now available for RedHat 7 and Scientific Linux 7

**UPDATE 2017-01-13** Patches now available for RedHat 6 and Scientific Linux 6.

**UPDATE 2016-12-14** Downgraded from 'CRITICAL' risk to 'HIGH' risk.

'HIGH' risk vulnerability concerning the Linux kernel Use-after-free in the recvmmsg exit path.

Package : Linux Kernel 
CVE ID  : CVE-2016-7117

A 'use after free' vulnerability was found in the kernels socket recvmmsg subsystem. 
This may allow a local root exploit and potentially also remote arbitrary code execution.   

Updates are available for most Linux distributions except RedHat and its derivatives.

**UPDATE 2016-12-14** This has been downgraded to 'HIGH' risk thanks to lack of news on exploit attempts.

Actions required/recommended
============================

**UPDATE 2017-01-18**

Sites should apply vendor kernel updates as soon as possible if they have not done so already. 

Patches are now available for all Operating systems relevant to EGI.

It is not necessary for sites to reply to this Advisory.


Affected software details
=========================

All Linux distributions, see relevant OS providers.

More information
================

For more information see [R 1], [R 2], [R 3]

**Original Heads up on 2016-11-10** At present no working root exploit has been made public.  
This is a mitigating circumstance. Some members of SVG consider it likely that one may be made 
public at any time, hence the assessment of 'Critical'.  
For this reason we recommend sites update as soon as possible.

**UPDATE 2016-12-14** No exploit has become available as far as EGI SVG is aware, so this has been 
downgraded to 'HIGH' risk. Sites should still update as soon as possible if they are running a 
vulnerable version of linux and a non-vulnerable version has been released.


Mitigation
==========

There is no recommended mitigation to prevent this vulnerability being exploited.

Component installation information
==================================

Sites running Debian should see [R 5]

Sites running Ubuntu should see [R 6]

Sites running RedHat should see [R 2], [R 4] 

Sites running Scientific Linux (SL) should see [R 7] 

TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***          

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-7117    

Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by Sebastien Gadrat. 

References
==========

[R 1] https://blog.lizzie.io/notes-about-cve-2016-7117.html

[R 2] https://bugzilla.redhat.com/show_bug.cgi?id=1382268

[R 3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7117

[R 4] https://access.redhat.com/security/cve/cve-2016-7117 

[R 5] https://security-tracker.debian.org/tracker/CVE-2016-7117

[R 6] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7117.html

[R 7] https://www.scientificlinux.org/  


Comments and questions
======================

Questions about the operational follow up of this vulnerability should be sent to 

abuse@egi.eu

Comments or questions about the vulnerability itself should be sent to svg-rat  at  

mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look.  


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-CVE-2016-7117] 

2016-10-20 SVG alerted to this issue by Sebastien Gadrat. 
2016-10-20 Acknowledgement from the EGI SVG to the reporter
2016-10--- Investigation of vulnerability and relevance to EGI carried out.
2016-11-07 EGI SVG Risk Assessment completed. 
2016-11-10 'Heads up' sent to sites
2016-12-12 Suggested at EGI IRTF meeting that risk should be downgraded to 'High' due to lack of exploit
2016-12-12 Asked SVG for any objections to the downgrade.
2016-12-14 No objections, so downgraded the risk, and sent update to sites
2017-01-13 Patches available for RedHat 6, and SL6
2017-01-18 Patches available for RedHat 7 and SL7

Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox
Print/export