Detections
Analytics

Oracle Linux 6 : kernel (ELSA-2015-0864)

high Nessus Plugin ID 82981

Language:

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-0864 advisory.

 - [infiniband] core: Prevent integer overflow in ib_umem_get address arithmetic (Doug Ledford) [1181173 1179327] {CVE-2014-8159}
 - [security] keys: close race between key lookup and freeing (Radomir Vrbovsky) [1179849 1179850] {CVE-2014-9529}
 - [net] sctp: fix slab corruption from use after free on INIT collisions (Daniel Borkmann) [1196587 1135425] {CVE-2015-1421}
 - [x86] kvm: vmx: invalid host cr4 handling across vm entries (Jacob Tanenbaum) [1153326 1153327] {CVE-2014-3690}
 - [fs] isofs: Fix unchecked printing of ER records (Radomir Vrbovsky) [1180481 1180492] {CVE-2014-9584}
 - [media] ttusb-dec: buffer overflow in ioctl (Alexander Gordeev) [1170971 1167115] {CVE-2014-8884}
 - [kernel] trace: insufficient syscall number validation in perf and ftrace subsystems (Jacob Tanenbaum) [1161567 1161568] {CVE-2014-7826 CVE-2014-7825}
 - [mm] memcg: do not allow task about to OOM kill to bypass the limit (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [mm] memcg: do not declare OOM from __GFP_NOFAIL allocations (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [fs] buffer: move allocation failure loop into the allocator (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [mm] memcg: handle non-error OOM situations more gracefully (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [mm] memcg: do not trap chargers with full callstack on OOM (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [mm] memcg: rework and document OOM waiting and wakeup (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [mm] memcg: enable memcg OOM killer only for user faults (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [x86] mm: finish user fault error path with fatal signal (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [mm] pass userspace fault flag to generic fault handler (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [s390] mm: do not invoke OOM killer on kernel fault OOM (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [powerpc] mm: remove obsolete init OOM protection (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [powerpc] mm: invoke oom-killer from remaining unconverted page fault handlers (Johannes Weiner) [1198110 1088334] {CVE-2014-8171}
 - [security] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID (Denys Vlasenko) [1104567 1104568] {CVE-2014-3215}
 - [security] Add PR_<GET, SET>_NO_NEW_PRIVS to prevent execve from granting privs (Denys Vlasenko) [1104567 1104568] {CVE-2014-3215}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2015-0864.html

Plugin Details

Severity: High

ID: 82981

File Name: oraclelinux_ELSA-2015-0864.nasl

Version: 1.21

Type: local

Agent: unix

Published: 4/22/2015

Updated: 10/23/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-1421

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2014-7826

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-abi-whitelists, p-cpe:/a:oracle:linux:kernel-devel, p-cpe:/a:oracle:linux:perf, p-cpe:/a:oracle:linux:kernel-firmware, p-cpe:/a:oracle:linux:python-perf, p-cpe:/a:oracle:linux:kernel-debug-devel, p-cpe:/a:oracle:linux:kernel-debug, p-cpe:/a:oracle:linux:kernel-headers, p-cpe:/a:oracle:linux:kernel, cpe:/o:oracle:linux:6

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/OracleLinux

Exploit Ease: No known exploits are available

Patch Publication Date: 4/21/2015

Vulnerability Publication Date: 5/8/2014

Reference Information

CVE: CVE-2014-3215, CVE-2014-3690, CVE-2014-7825, CVE-2014-7826, CVE-2014-8171, CVE-2014-8884, CVE-2014-9529, CVE-2014-9584, CVE-2015-1421

BID: 67341, 70691, 70971, 70972, 71097, 71880, 71883, 72356, 73060, 74293

RHSA: 2015:0864