SVG:Advisory-SVG-CVE-2018-8897

From EGIWiki

Advisory-SVG-CVE-2018-8897



Title:       EGI SVG 'ADVISORY' [TLP:WHITE]  'MODERATE' risk - multiple vulnerabilities in the Linux kernel 
             (incl. CVE-2018-8897, CVE-2018-1087, CVE-2017-16939) [EGI-SVG-CVE-2018-8897] 

Date:        2018-05-16
Updated:     

Affected software and risk
==========================

Multiple vulnerabilities in the Linux kernel have been patched. 

The patched version, kernel-3.10.0-862(.2.3), is released together with RHEL 7.5.

Package : Linux Kernel
CVE ID  : CVE-2018-8897, CVE-2018-1087, CVE-2017-16939

- A vulnerability in the Linux kernel exception handling can allow an unprivileged user to crash the system and
cause a Denial of Service (DoS) (CVE-2018-8897).

- A vulnerability in the Linux kernel's KVM hypervisor exception handling can allow an unprivileged
KVM guest user to crash the guest or, potentially, escalate their privileges in the guest (CVE-2018-1087).

- The use-after-free vulnerability in XFRM mentioned in a previous alert [EGI-SVG-CVE-2017-16939] can,
in some circumstances, lead to privilege escalation (CVE-2017-16939).

None at present are considered by the SVG to be more than 'Moderate'. 

Actions required/recommended
============================

Sites are recommended to update their Linux kernel at their first convenient opportunity, in particular:

- WN & UI should be updated for CVE-2018-8897

- WN & UI with Singularity in non-suid mode should be updated for CVE-2017-16939

- Hypervisors should be updated for CVE-2018-1087

Note that a re-boot is required. 
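As an added example, not part of the SVG advisory, the POSIX shell script below turns the two actions above into a host check: it compares a running kernel release against the RHEL 7.5 fixed build and flags when the newest installed kernel is newer than the running one, i.e. when the reboot the advisory mentions is still outstanding. The minimum release 3.10.0-862.2.3.el7 is taken from the advisory and [R 1]; the function names and the assumption that release strings are numbers separated by dots and dashes followed by a distro tag are mine.

```shell
#!/bin/sh
# Added example, not part of the EGI SVG advisory. Checks an RHEL/CentOS 7 host
# against the fixed kernel build from this advisory and RHSA-2018:1318. Assumption:
# releases look like 3.10.0-862.2.3.el7.x86_64; the distro tag is ignored when comparing.
PATCHED_KERNEL="3.10.0-862.2.3.el7"   # fixed build per [R 1] (assumed minimum)

# Print -1, 0 or 1 as release "$1" is older than, equal to, or newer than "$2".
kernel_vercmp() {
    _a=$(printf '%s' "$1" | sed -e 's/[^0-9.-].*$//' -e 's/[-.]/ /g')
    _b=$(printf '%s' "$2" | sed -e 's/[^0-9.-].*$//' -e 's/[-.]/ /g')
    set -- $_a                         # positional params now hold the fields of "$1"
    for _x in $_b; do
        _y=${1:-0}                     # a missing field counts as 0
        if [ $# -gt 0 ]; then shift; fi
        if [ "$_y" -lt "$_x" ]; then echo -1; return; fi
        if [ "$_y" -gt "$_x" ]; then echo 1; return; fi
    done
    for _y in "$@"; do                 # extra non-zero fields on the left win
        if [ "$_y" -gt 0 ]; then echo 1; return; fi
    done
    echo 0
}
# Succeeds (exit 0) when the given running release is at or above PATCHED_KERNEL.
kernel_is_patched() {
    [ "$(kernel_vercmp "$1" "$PATCHED_KERNEL")" -ge 0 ]
}

# Succeeds when the newest installed release ($2) is newer than the running one ($1),
# i.e. the kernel package was updated but the required reboot has not happened yet.
reboot_required() {
    [ "$(kernel_vercmp "$2" "$1")" -gt 0 ]
}

# Live check of this host; run as: sh kernel_check.sh --check
check_host() {
    running=$(uname -r)
    if kernel_is_patched "$running"; then
        echo "running kernel $running: at or above $PATCHED_KERNEL"
    else
        echo "running kernel $running: BELOW $PATCHED_KERNEL, update needed"
    fi
    if command -v rpm >/dev/null 2>&1; then
        newest=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel | sort -V | tail -n 1)
        if reboot_required "$running" "$newest"; then
            echo "installed kernel $newest is newer than the running one: reboot required"
        fi
    fi
}
case "${1:-}" in --check) check_host ;; esac
```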

More information
================

The vulnerabilities listed above are the ones most relevant to EGI and have been
assessed as unlikely to pose more than 'Moderate' risk to the EGI infrastructure.

For a full list of the vulnerabilities fixed in this release see [R 1].

There is the possibility that the risk could be elevated to 'High', particularly for CVE-2018-1087,
if a privilege escalation exploit were to become available.

Since the exception handling vulnerability has been highly publicised (see e.g. [R 2]), sites should update
as soon as convenient.

See also [R 3], [R 4], [R 5], [R 6].


Component installation information
==================================

Sites running RedHat should see [R 1]

Sites running Scientific Linux should see [R 7]

Sites running CentOS should see [R 8]

Sites running Ubuntu should see [R 9] 

Sites running Debian should see [R 10]


TLP and URL
===========

** WHITE information - Unlimited distribution
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2018-8897    

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI, you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will then look at it according to the procedure defined in [R 11].

Note that this procedure has been updated; the latest version was approved by the Operations Management Board in November 2017.


References
==========

[R 1] https://access.redhat.com/errata/RHSA-2018:1318

[R 2] http://www.theregister.co.uk/2018/05/09/intel_amd_kernel_privilege_escalation_flaws/

[R 3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8897 

[R 4] https://access.redhat.com/security/cve/cve-2018-8897

[R 5] https://access.redhat.com/security/cve/cve-2018-1087

[R 6] https://access.redhat.com/Security/cve/cve-2017-16939

[R 7] https://www.scientificlinux.org/?s=cve-2018-8897

[R 8] https://lists.centos.org/pipermail/centos-announce/2018-May/022829.html

[R 9] http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8897.html  

[R 10] https://security-tracker.debian.org/tracker/CVE-2018-8897

[R 11] https://documents.egi.eu/public/ShowDocument?docid=3145


Credit
======

SVG was alerted to CVE-2018-8897 by Martin Bly from STFC 
SVG was alerted to CVE-2018-1087 by Mischa Salle from Nikhef

Timeline  
========

2018-05-09 SVG alerted to CVE-2018-8897 by Martin Bly from STFC
2018-05-09 Acknowledgement from the EGI SVG to the reporter
2018-05-09 Investigation of vulnerability and relevance to EGI carried out 
2018-05-09 EGI SVG Risk Assessment completed
2018-05-16 Advisory sent to sites

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 11],
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group;
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments
depending on how the software is used.

Others may re-use this information provided they:

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group



On behalf of the EGI SVG,



