Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cloudfoundryCloud FoundryCFOUNDRY:07A2C5122ECAB467878EC7E35D5937B4
HistoryNov 27, 2017 - 12:00 a.m.

USN-3485-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

2017-11-2700:00:00
Cloud Foundry
www.cloudfoundry.org
40

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

34.2%

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04

Description

USN-3485-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a race condition existed in the ALSA subsystem of the Linux kernel when creating and deleting a port via ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15265)

Eric Biggers discovered that the key management subsystem in the Linux kernel did not properly restrict adding a key that already exists but is uninstantiated. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)

It was discovered that a race condition existed in the packet fanout implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15649)

Eric Biggers discovered a race condition in the key management subsystem of the Linux kernel around keys in a negative state. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15951)

Andrey Konovalov discovered a use-after-free vulnerability in the USB serial console driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16525)

Andrey Konovalov discovered that the Ultra Wide Band driver in the Linux kernel did not properly check for an error condition. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux kernel did not properly validate USB audio buffer descriptors. A physically proximate attacker could use this cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB unattached storage driver in the Linux kernel contained out-of-bounds error when handling alternative settings. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16530)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB interface association descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB HID descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate CDC metadata. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16534)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did not properly validate USB BOS metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16535)

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • 3421.x versions prior to 3421.32
    • 3445.x versions prior to 3445.17
    • 3468.x versions prior to 3468.11
    • All other stemcells not listed.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • The Cloud Foundry project recommends upgrading the following BOSH stemcells:
    • Upgrade 3421.x versions prior to 3421.32
    • Upgrade 3445.x versions prior to 3445.17
    • Upgrade 3468.x versions prior to 3468.11
    • All other stemcells should be upgraded to the latest version available on bosh.io.

References

Related

ubuntu 6
openvas 26
nessus 54
oraclelinux 7
photon 3
osv 1
debian 1
suse 16
prion 13
redhatcve 13
ubuntucve 13
cve 13
debiancve 13
amazon 1
fedora 6
veracode 2
redhat 1
virtuozzo 4
altlinux 1
f5 1
thn 1
exploitpack 1
seebug 1
exploitdb 1
ubuntu
ubuntu
Linux kernel vulnerabilities
2017-11-21 00:00:00
Linux kernel (AWS) vulnerabilities
2017-11-21 00:00:00
Linux kernel (Xenial HWE) vulnerabilities
2017-11-21 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3485-2)
2017-11-22 00:00:00
Ubuntu: Security Advisory (USN-3485-1)
2017-11-22 00:00:00
Ubuntu: Security Advisory (USN-3485-3)
2017-11-22 00:00:00
nessus
nessus
Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3485-1)
2017-11-21 00:00:00
Ubuntu 14.04 LTS : Linux kernel (AWS) vulnerabilities (USN-3485-3)
2017-11-22 00:00:00
Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3485-2)
2017-11-21 00:00:00
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2018-01-03 00:00:00
Unbreakable Enterprise kernel security update
2018-02-26 00:00:00
Unbreakable Enterprise kernel security update
2018-02-26 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2017-0001
2017-11-14 00:00:00
Important Photon OS Security Update - PHSA-2017-0083
2017-11-13 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2017-0043
2017-11-14 00:00:00
osv
osv
linux - security update
2017-12-09 00:00:00
debian
debian
[SECURITY] [DLA 1200-1] linux security update
2017-12-10 22:07:05
suse
suse
Security update for the Linux Kernel (important)
2017-12-04 15:07:06
Security update for the Linux Kernel (important)
2017-12-08 18:11:43
Security update for the Linux Kernel (important)
2017-10-25 15:07:20
prion
prion
Out-of-bounds
2017-11-04 01:29:00
Out-of-bounds
2017-11-04 01:29:00
Design/Logic Flaw
2017-11-04 01:29:00
redhatcve
redhatcve
CVE-2017-16534
2017-11-08 10:19:59
CVE-2017-16530
2020-04-02 08:21:37
CVE-2017-16533
2017-11-08 10:21:48
ubuntucve
ubuntucve
CVE-2017-16534
2017-11-03 00:00:00
CVE-2017-16525
2017-11-03 00:00:00
CVE-2017-16530
2017-11-03 00:00:00
cve
cve
CVE-2017-16530
2017-11-04 01:29:00
CVE-2017-16529
2017-11-04 01:29:00
CVE-2017-16527
2017-11-04 01:29:00
debiancve
debiancve
CVE-2017-16529
2017-11-04 01:29:00
CVE-2017-16526
2017-11-04 01:29:00
CVE-2017-16527
2017-11-04 01:29:00
amazon
amazon
Medium: kernel
2017-11-18 02:03:00
fedora
fedora
[SECURITY] Fedora 27 Update: kernel-4.13.10-300.fc27
2017-11-11 13:52:25
[SECURITY] Fedora 26 Update: kernel-4.13.10-200.fc26
2017-11-03 13:32:01
[SECURITY] Fedora 27 Update: kernel-4.13.8-300.fc27
2017-10-24 05:30:07
veracode
veracode
Denial Of Service (DoS)
2019-01-15 09:27:22
Use-After-Free
2019-05-16 02:13:54
redhat
redhat
(RHSA-2018:3823) Moderate: kernel security and bug fix update
2018-12-12 14:22:12
virtuozzo
virtuozzo
Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1, Virtuozzo 6.0 Update 12 Hotfix 18 (6.0.12-3688)
2017-11-20 00:00:00
Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2017-11-20 00:00:00
Important kernel security update: CVE-2017-15649; Virtuozzo ReadyKernel patch 36.1 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2017-10-30 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 7 package kernel-image-un-def version 1:4.1.44-alt0.M70P.1.1
2017-10-17 00:00:00
f5
f5
K32616738 : Linux kernel vulnerability CVE-2017-15265
2018-08-28 00:00:00
thn
thn
Yet Another Linux Kernel Privilege-Escalation Bug Discovered
2017-10-16 04:02:00
exploitpack
exploitpack
Linux Kernel - AF_PACKET Use-After-Free (2)
2017-10-17 00:00:00
seebug
seebug
Linux Kernel AF_PACKET Use-After-Free(CVE-2017-15649)
2017-10-24 00:00:00
exploitdb
exploitdb
Linux Kernel - 'AF_PACKET' Use-After-Free (2)
2017-10-17 00:00:00

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

34.2%

JSON
Related for CFOUNDRY:07A2C5122ECAB467878EC7E35D5937B4
ubuntu6openvas26nessus54oraclelinux7photon3osv1debian1suse16prion13redhatcve13ubuntucve13cve13debiancve13amazon1fedora6veracode2redhat1virtuozzo4altlinux1f51thn1exploitpack1seebug1exploitdb1