Dear Server Administrators,

As part of our commitment to provide premier infrastructure services, we are informing you of a critical security vulnerability affecting linux servers. Please read the details below carefully as action will be required on your end:

Kernel Local Privilege Escalation - CVE-2016-5195
https://access.redhat.com/security/vulnerabilities/2706661

Action to be taken:
It is important that you install the most recent kernel updates which include the necessary security patch on your server(s). This kernel update will require the server to be rebooted as soon as possible.

=====================================================

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

Find out more about CVE-2016-5195 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG 2.x. This issue has been rated as having Important security impact. Updates for each affected version are in progress and will be released as soon as possible.

Shipping versions of Fedora are affected and Fedora is aware of this flaw.

For additional information about this flaw, please see https://access.redhat.com/security/vulnerabilities/2706661

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score

6.9

Base Metrics

AV:L/AC:M/Au:N/C:C/I:C/A:C

Access Vector

Local

Access Complexity

Medium

Authentication

None

Confidentiality Impact

Complete

Integrity Impact

Complete

Availability Impact

Complete

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score

7.8

CVSS3 Base Metrics

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity Impact

High

Availability Impact

High

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

?xml version="1.0"?

Platform

Errata

Release Date

Red Hat Enterprise Linux Extended Update Support 7.1 (kernel)

RHSA-2016:2118

2016-10-26

Other (kernel)

RHSA-2016:2120

2016-10-27

Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt)

RHSA-2016:2110

2016-10-26

Red Hat Enterprise Linux Extended Update Support 6.7 (kernel)

RHSA-2016:2106

2016-10-26

Red Hat Enterprise Linux 6 (kernel)

RHSA-2016:2105

2016-10-26

MRG Grid for RHEL 6 Server v.2 (kernel-rt)

RHSA-2016:2107

2016-10-26

Red Hat Enterprise Linux Advanced Update Support 6.5 (kernel)

RHSA-2016:2120

2016-10-27

Red Hat Enterprise Linux 7 (kernel)

RHSA-2016:2098

2016-10-24

Affected Packages State

?xml version="1.0"?

Platform

Package

State

Red Hat Enterprise MRG 2

realtime-kernel

Affected

Red Hat Enterprise Linux 5

kernel

Affected

Acknowledgements

Red Hat would like to thank Phil Oester for reporting this issue.

Mitigation

Please see bug 1384344 comment #13 (https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13) for details on how to mitigate this issue.

 



Thursday, October 27, 2016





« Back