Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659)

medium Nessus Plugin ID 105247

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2017-3659 advisory.

- net: qmi_wwan: fix divide by 0 on bad descriptors (Bjorn Mork) [Orabug: 27215221] {CVE-2017-16650}
- mm, thp: Do not make page table dirty unconditionally in follow_trans_huge_pmd() (Kirill A. Shutemov) [Orabug: 27200880] {CVE-2017-1000405}
- ALSA: usb-audio: Kill stray URB at exiting (Takashi Iwai) [Orabug: 27148272] {CVE-2017-16527}
- packet: in packet_do_bind, test fanout with bind_lock held (Willem de Bruijn) [Orabug: 27069060] {CVE-2017-15649}
- packet: hold bind lock when rebinding to fanout hook (Willem de Bruijn) [Orabug: 27069060] {CVE-2017-15649}
- net: convert packet_fanout.sk_ref from atomic_t to refcount_t (Reshetova, Elena) [Orabug: 27069060] {CVE-2017-15649}
- packet: fix races in fanout_add() (Eric Dumazet) [Orabug: 27069060] {CVE-2017-15649}
- refcount_t: Introduce a special purpose refcount type (Peter Zijlstra) [Orabug: 27069060] {CVE-2017-15649}
- locking/atomics: Add _{acquire|release|relaxed}() variants of some atomic operations (Will Deacon) [Orabug: 27069060] {CVE-2017-15649}
- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069034] {CVE-2017-12190}
- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069034] {CVE-2017-12190}
- KEYS: prevent KEYCTL_READ on negative key (Eric Biggers) [Orabug: 27050237] {CVE-2017-12192}
- sysctl: Drop reference added by grab_header in proc_sys_readdir (Zhou Chengming) [Orabug: 27036905] {CVE-2016-9191} {CVE-2016-9191} {CVE-2016-9191}
- selinux: fix off-by-one in setprocattr (Stephen Smalley) [Orabug: 27001687] {CVE-2017-2618} {CVE-2017-2618} {CVE-2017-2618}
- udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 26921314] {CVE-2017-1000112}
- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011248] {CVE-2017-7542}
- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesnt parse nlmsg properly (Xin Long) [Orabug: 26988631] {CVE-2017-14489}
- CVE-2016-10318 missing authorization check fscrypt_process_policy (Jack Vogel) [Orabug: 26989776]
- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26673877] {CVE-2017-10661}
- brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Tim Tianyang Chen) [Orabug:
26540118] {CVE-2017-7541}
- crypto: ahash - Fix EINPROGRESS notification callback (Herbert Xu) [Orabug: 25882988] {CVE-2017-7618}
- kvm: nVMX: Dont allow L2 to access the hardware CR8 (Jim Mattson) {CVE-2017-12154} {CVE-2017-12154}
- tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (Wei Wang) [Orabug: 26796038] {CVE-2017-14106}
- rxrpc: Fix several cases where a padded len isnt checked in ticket decode (David Howells) [Orabug:
26376434] {CVE-2017-7482} {CVE-2017-7482}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2017-3659.html

Plugin Details

Severity: Medium

ID: 105247

File Name: oraclelinux_ELSA-2017-3659.nasl

Version: 3.19

Type: local

Agent: unix

Published: 12/14/2017

Updated: 10/22/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS Score Source: CVE-2016-10318

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek-debug-devel, cpe:/o:oracle:linux:7, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-firmware, p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, cpe:/o:oracle:linux:6

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 12/13/2017

Vulnerability Publication Date: 4/4/2017

Reference Information

CVE: CVE-2016-10318