

Title:       EGI SVG 'ADVISORY' [TLP:WHITE]  'MODERATE' risk - multiple vulnerabilities in the Linux kernel 
             (incl. CVE-2018-8897, CVE-2018-1087, CVE-2017-16939) [EGI-SVG-CVE-2018-8897] 

Date:        2018-05-16

Affected software and risk

Multiple vulnerabilities in the Linux kernel have been patched.

The patched version, kernel-3.10.0-862(.2.3), is released together with RHEL 7.5.

Package : Linux Kernel
CVE ID  : CVE-2018-8897, CVE-2018-1087, CVE-2017-16939

- A vulnerability in the Linux kernel exception handling can allow an unprivileged user to crash the system and
cause a Denial of Service (DoS) (CVE-2018-8897).

- A vulnerability concerning the Linux kernel's KVM hypervisor exception handling can allow an unprivileged
KVM guest user to crash the guest or, potentially, escalate their privileges in the guest (CVE-2018-1087).

- The use-after-free flaw in XFRM mentioned in a previous alert [EGI-SVG-CVE-2017-16939] can,
in some circumstances, lead to privilege escalation.

None at present are considered by the SVG to be more than 'Moderate'. 

Actions required/recommended

Sites are recommended to update their Linux kernel at their first convenient opportunity, in particular:

- WN & UI should be updated for CVE-2018-8897

- WN & UI with Singularity in non-suid mode should be updated for CVE-2017-16939

- Hypervisors should be updated for CVE-2018-1087

Note that a reboot is required.
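The following POSIX shell check is an added example, not part of the advisory or of any EGI tool. It compares the running kernel on a host with the fixed version named above and, on RPM-based hosts, flags a kernel that is installed but not yet booted, which is the situation the reboot note is warning about. It assumes the Enterprise Linux kernel naming scheme (for example 3.10.0-862.2.3.el7.x86_64); the FIXED_KERNEL constant is taken from the version quoted in this advisory, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the EGI SVG advisory: check whether an EL7 host is
# running a kernel at or above the version the advisory names as fixed
# (kernel-3.10.0-862.2.3), and whether a newer kernel is installed but not yet
# booted, since the advisory notes that a reboot is required.

FIXED_KERNEL="3.10.0-862.2.3"   # fixed version quoted in the advisory (assumed EL7 naming)

# Reduce an EL kernel string such as "3.10.0-862.2.3.el7.x86_64" to its
# numeric components, "3 10 0 862 2 3": the ".elN.arch" suffix is dropped and
# every remaining non-digit becomes a single separator.
kernel_numeric() {
    printf '%s\n' "$1" | sed 's/\.el[0-9].*$//' | tr -cs '0-9\n' ' '
}

# Succeed (exit 0) when kernel $1 is the same as or newer than kernel $2.
# Components are compared numerically left to right; a missing component
# counts as 0, so "3.10.0-862" sorts below "3.10.0-862.2.3".
kernel_at_least() {
    a=$(kernel_numeric "$1")
    b=$(kernel_numeric "$2")
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d' ' -f"$i")
        y=$(printf '%s\n' "$b" | cut -d' ' -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # every component equal
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Report on the local host: running kernel versus the fixed version, and
# running kernel versus the newest installed kernel package (reboot pending?).
report_host() {
    running=$(uname -r)
    if kernel_at_least "$running" "$FIXED_KERNEL"; then
        echo "running kernel $running is at or above $FIXED_KERNEL"
    else
        echo "running kernel $running is OLDER than $FIXED_KERNEL: update required"
    fi
    # rpm is only present on RPM-based hosts; skip the reboot check elsewhere.
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q kernel >/dev/null 2>&1 || return 0
    newest=""
    for k in $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' 2>/dev/null); do
        if [ -z "$newest" ] || kernel_at_least "$k" "$newest"; then
            newest=$k
        fi
    done
    if [ -n "$newest" ] && ! kernel_at_least "$running" "$newest"; then
        echo "kernel $newest is installed but $running is running: reboot pending"
    fi
}

report_host
```

Run it as an unprivileged user on each WN, UI or hypervisor; a host that prints "reboot pending" has the package installed but is still executing the vulnerable kernel, so it should not be counted as patched until it has been rebooted.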

More information

The vulnerabilities listed above are those most relevant to EGI and have been
assessed as unlikely to pose more than 'Moderate' risk to the EGI infrastructure.

For a full list of the vulnerabilities fixed in this release see [R 1]

There is the possibility that the risk could be elevated to 'High', particularly for CVE-2018-1087 
if a privilege escalation exploit were to become available.

Since the exception handling vulnerability has been highly publicised, see e.g. [R 2], sites should update 
as soon as convenient.

Also see [R 3], [R 4], [R 5], [R 6]

Component installation information

Sites running RedHat should see [R 1]

Sites running Scientific Linux should see [R 7]

Sites running CentOS should see [R 8]

Sites running Ubuntu should see [R 9] 

Sites running Debian should see [R 10]


** WHITE information - Unlimited distribution - see for distribution restrictions **


Minor updates may be made without re-distribution to the sites


Comments or questions should be sent to svg-rat  at

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to

report-vulnerability at

The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 11].

Note that this procedure has been updated; the latest version was approved by the Operations Management Board in November 2017.


[R 1]

[R 2]

[R 3] 

[R 4]

[R 5]

[R 6]

[R 7]

[R 8]

[R 9]  

[R 10]

[R 11]


SVG was alerted to CVE-2018-8897 by Martin Bly from STFC 
SVG was alerted to CVE-2018-1087 by Mischa Salle from Nikhef

Yyyy-mm-dd  [EGI-SVG-2018-CVE-2018-8897] 

2018-05-09 SVG alerted to CVE-2018-8897 by Martin Bly from STFC
2018-05-09 Acknowledgement from the EGI SVG to the reporter
2018-05-09 Investigation of vulnerability and relevance to EGI carried out 
2018-05-09 EGI SVG Risk Assessment completed
2018-05-16 Advisory sent to sites


This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 11],
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group;
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments
depending on how the software is used.

Others may re-use this information provided they:

1) Respect the provided TLP classification

2) Credit the EGI Software Vulnerability Group

On behalf of the EGI SVG,