Cloud Foundry | CFOUNDRY:316D3894E2B3A400E830586A381960FE
Oct 07, 2015 - 12:00 a.m.

USN-2751-1 Linux Kernel (Vivid HWE) Vulnerability | Cloud Foundry

2015-10-07 00:00:00
Cloud Foundry
www.cloudfoundry.org

CVSS2: 2.1 Low

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.0004 Low (Percentile: 9.3%)

USN-2751-1 Linux Kernel (Vivid HWE) Vulnerability

Medium to Low

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04 LTS

Description

Several security issues were fixed in the kernel.

Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697)

Marc-André Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252)

Affected Products and Versions

_Severity is medium unless otherwise noted._

  • BOSH: All versions of Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the aforementioned CVEs.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments using BOSH stemcell v3093 or earlier upgrade to v3094 or later, which contains the patched version of the Linux kernel that resolves the aforementioned CVEs.

Credit

Benjamin Randazzo and Marc-André Lureau
