An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability.
{"ubuntucve": [{"lastseen": "2021-11-22T21:24:14", "description": "An out-of-bounds memory write flaw was found in how the Linux kernel\u2019s\nVoice Over IP H.323 connection tracking functionality handled connections\non ipv6 port 1720. This flaw allows an unauthenticated remote user to crash\nthe system, causing a denial of service. The highest threat from this\nvulnerability is to confidentiality, integrity, as well as system\navailability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | fixed in 4.11 and newer with 9f0f3ebeda47a5518817f33c40f6d3ea9c0275b8\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-02T00:00:00", "type": "ubuntucve", "title": "CVE-2020-14305", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14305"], "modified": "2020-12-02T00:00:00", "id": "UB:CVE-2020-14305", "href": "https://ubuntu.com/security/CVE-2020-14305", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "f5": [{"lastseen": "2022-02-01T00:00:00", "description": "An out-of-bounds memory write flaw was found in how the Linux kernel&#8217;s Voice 
Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. ([CVE-2020-14305](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14305>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-02T10:19:00", "type": "f5", "title": "Linux kernel Voice Over IP H.323 vulnerability CVE-2020-14305", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14305"], "modified": "2021-11-02T10:19:00", "id": "F5:K00194184", "href": "https://support.f5.com/csp/article/K00194184", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:06:19", "description": "An out-of-bounds memory write flaw was found in how the Linux kernel\u2019s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. 
This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-02T01:15:00", "type": "cve", "title": "CVE-2020-14305", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14305"], "modified": "2020-12-10T23:15:00", "cpe": ["cpe:/o:linux:linux_kernel:4.11.12", "cpe:/o:linux:linux_kernel:4.12"], "id": "CVE-2020-14305", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14305", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.11.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.12:-:*:*:*:*:*:*"]}], "redhatcve": [{"lastseen": "2022-06-08T08:07:10", "description": "An out-of-bounds memory write flaw was found in how the Linux kernel\u2019s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. 
This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.\n#### Mitigation\n\nA mitigation to this flaw would be to no longer use IPV6 on affected hardware until the kernel has been updated or to disable the Voice Over IP H.323 module. Existing systems that have the h323-conntrack-nat kernel module loaded will need to unload the \"nf_conntrack_h323\" kernel module and blacklist it (see <https://access.redhat.com/solutions/41278> for a guide on how to blacklist modules). \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-24T21:50:29", "type": "redhatcve", "title": "CVE-2020-14305", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14305"], "modified": "2022-06-08T07:32:13", "id": "RH:CVE-2020-14305", "href": "https://access.redhat.com/security/cve/cve-2020-14305", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "osv": [{"lastseen": "2022-05-20T07:09:56", "description": "Bulletin has no description", "cvss3": {"exploitabilityScore": 
2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-01T00:00:00", "type": "osv", "title": "In nf_conntrack_helper_q931 of nf_conntrack_h323_main.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not required for exploitation.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14305"], "modified": "2021-06-01T00:00:00", "id": "OSV:ASB-A-174904512", "href": "https://osv.dev/vulnerability/ASB-A-174904512", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "nessus": [{"lastseen": "2022-06-16T14:52:41", "description": "The remote OracleVM system is missing necessary patches to address security updates:\n\n - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. 
This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895)\n\n - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero. (CVE-2019-19037)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c. (CVE-2019-19447)\n\n - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c. (CVE-2019-20934)\n\n - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.\n This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)\n\n - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)\n\n - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a double fetch vulnerability, aka CID-28d76df18f0a. 
NOTE: the vendor states The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power. (CVE-2020-12652)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14351)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.\n (CVE-2020-15436)\n\n - A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op. (CVE-2020-25668)\n\n - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. 
Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version (CVE-2020-25705)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. 
(CVE-2020-28974)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-11T00:00:00", "type": "nessus", "title": "OracleVM 3.4 : kernel-uek (OVMSA-2021-0001)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14895", "CVE-2019-19037", "CVE-2019-19447", "CVE-2019-20934", "CVE-2020-10711", "CVE-2020-12464", "CVE-2020-12652", "CVE-2020-14305", "CVE-2020-14351", "CVE-2020-15436", "CVE-2020-25668", "CVE-2020-25705", "CVE-2020-28915", "CVE-2020-28974"], "modified": "2022-05-11T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.4"], "id": "ORACLEVM_OVMSA-2021-0001.NASL", "href": "https://www.tenable.com/plugins/nessus/144837", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were\n# extracted from OracleVM Security Advisory OVMSA-2021-0001.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144837);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\n \"CVE-2019-14895\",\n \"CVE-2019-19037\",\n \"CVE-2019-19447\",\n \"CVE-2019-20934\",\n \"CVE-2020-10711\",\n \"CVE-2020-12464\",\n \"CVE-2020-12652\",\n \"CVE-2020-14305\",\n \"CVE-2020-14351\",\n \"CVE-2020-15436\",\n \"CVE-2020-25668\",\n \"CVE-2020-25705\",\n \"CVE-2020-28915\",\n \"CVE-2020-28974\"\n );\n\n script_name(english:\"OracleVM 3.4 : kernel-uek (OVMSA-2021-0001)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address security updates:\n\n - A heap-based buffer 
overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before\n 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection\n negotiation during the handling of the remote devices country settings. This could allow the remote device\n to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895)\n\n - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference\n because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero. (CVE-2019-19037)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list\n in fs/ext4/super.c. (CVE-2019-19447)\n\n - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a\n use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka\n CID-16d51a590a8c. (CVE-2019-20934)\n\n - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.\n This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into\n the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO\n restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate\n that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer\n dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network\n user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)\n\n - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because\n a transfer occurs without a reference, aka CID-056ad39ee925. 
(CVE-2020-12464)\n\n - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows\n local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a\n double fetch vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states The security impact of this\n bug is not as bad as it could have been because these operations are all privileged and root already has\n enormous destructive power. (CVE-2020-12652)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem\n allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate\n privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-14351)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain\n privileges or cause a denial of service by leveraging improper access to a certain error field.\n (CVE-2020-15436)\n\n - A flaw was found in Linux Kernel because access to the global variable fg_console is not properly\n synchronized leading to a use after free in con_font_op. (CVE-2020-25668)\n\n - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw\n allows an off-path remote attacker to effectively bypass source port UDP randomization. 
Software that\n relies on UDP source port randomization are indirectly affected as well on the Linux Based Products\n (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4,\n SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE\n W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All\n versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7\n LTE EU: Version (CVE-2020-25705)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be\n used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to\n read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because\n KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. 
(CVE-2020-28974)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-14895.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-19037.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-19447.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2019-20934.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-10711.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-12464.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-12652.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-14305.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-14351.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-15436.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-25668.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-25705.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-28915.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-28974.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/OVMSA-2021-0001.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek / kernel-uek-firmware packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14305\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-14895\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-124.46.3.el6uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for OVMSA-2021-0001');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.1.12-124.46.3.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.46.3.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var 
release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'OVS' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-firmware');\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-06-16T14:51:07", "description": "The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9002 advisory.\n\n - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. 
The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895)\n\n - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.\n This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)\n\n - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)\n\n - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a double fetch vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states The security impact of this bug is not as bad as it could have been because these operations are all privileged and root already has enormous destructive power. (CVE-2020-12652)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c. 
(CVE-2019-19447)\n\n - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero. (CVE-2019-19037)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernels Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op. (CVE-2020-25668)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)\n\n - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c. (CVE-2019-20934)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.\n (CVE-2020-15436)\n\n - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14351)\n\n - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version (CVE-2020-25705)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-07T00:00:00", "type": "nessus", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2021-9002)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14895", "CVE-2019-19037", "CVE-2019-19447", "CVE-2019-20934", "CVE-2020-10711", "CVE-2020-12464", "CVE-2020-12652", "CVE-2020-14305", "CVE-2020-14351", "CVE-2020-15436", "CVE-2020-25668", "CVE-2020-25705", "CVE-2020-28915", "CVE-2020-28974"], "modified": "2022-05-11T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware"], "id": "ORACLELINUX_ELSA-2021-9002.NASL", "href": 
"https://www.tenable.com/plugins/nessus/144802", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9002.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144802);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/11\");\n\n script_cve_id(\n \"CVE-2019-14895\",\n \"CVE-2019-19037\",\n \"CVE-2019-19447\",\n \"CVE-2019-20934\",\n \"CVE-2020-10711\",\n \"CVE-2020-12464\",\n \"CVE-2020-12652\",\n \"CVE-2020-14305\",\n \"CVE-2020-14351\",\n \"CVE-2020-15436\",\n \"CVE-2020-25668\",\n \"CVE-2020-25705\",\n \"CVE-2020-28915\",\n \"CVE-2020-28974\"\n );\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2021-9002)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2021-9002 advisory.\n\n - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before\n 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection\n negotiation during the handling of the remote devices country settings. This could allow the remote device\n to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895)\n\n - A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7.\n This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into\n the SELinux extensible bitmap via the' ebitmap_netlbl_import' routine. 
While processing the CIPSO\n restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate\n that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer\n dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network\n user to crash the system kernel, resulting in a denial of service. (CVE-2020-10711)\n\n - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because\n a transfer occurs without a reference, aka CID-056ad39ee925. (CVE-2020-12464)\n\n - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows\n local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a\n double fetch vulnerability, aka CID-28d76df18f0a. NOTE: the vendor states The security impact of this\n bug is not as bad as it could have been because these operations are all privileged and root already has\n enormous destructive power. (CVE-2020-12652)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list\n in fs/ext4/super.c. (CVE-2019-19447)\n\n - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference\n because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be zero. (CVE-2019-19037)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernels Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. 
(CVE-2020-14305)\n\n - A flaw was found in Linux Kernel because access to the global variable fg_console is not properly\n synchronized leading to a use after free in con_font_op. (CVE-2020-25668)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be\n used by local attackers to read kernel memory, aka CID-6735b4632def. (CVE-2020-28915)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to\n read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because\n KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height. (CVE-2020-28974)\n\n - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a\n use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka\n CID-16d51a590a8c. (CVE-2019-20934)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain\n privileges or cause a denial of service by leveraging improper access to a certain error field.\n (CVE-2020-15436)\n\n - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem\n allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate\n privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as\n system availability. (CVE-2020-14351)\n\n - A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw\n allows an off-path remote attacker to effectively bypass source port UDP randomization. 
Software that\n relies on UDP source port randomization are indirectly affected as well on the Linux Based Products\n (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4,\n SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE\n W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All\n versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7\n LTE EU: Version (CVE-2020-25705)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9002.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14305\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-14895\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6 / 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-124.46.3.el6uek', '4.1.12-124.46.3.el7uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2021-9002');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.1.12-124.46.3.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-124.46.3.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-124.46.3.el6uek', 'cpu':'x86_64', 
'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-124.46.3.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-124.46.3.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.46.3.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'},\n {'reference':'kernel-uek-4.1.12-124.46.3.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-124.46.3.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-124.46.3.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-124.46.3.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-124.46.3.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.46.3.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if 
(!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-06-16T14:54:48", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.(CVE-2020-36158)\n\n - A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. 
A local user could use this flaw to read memory out of bounds. The highest threat from this vulnerability is to data confidentiality.(CVE-2020-25656)\n\n - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14351)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root-like local user could use this flaw to further increase their privileges to that of a running kernel.(CVE-2020-27777)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.(CVE-2020-29661)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.(CVE-2020-29660)\n\n - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.(CVE-2019-20934)\n\n - A flaw was found in the Linux kernel's implementation of MIDI, where an attacker with a local account and permission to issue ioctl commands to MIDI devices could trigger a use-after-free. 
A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.(CVE-2020-27786)\n\n - An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.(CVE-2020-29371)\n\n - In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.(CVE-2019-9456)\n\n - A stack information leak flaw was found in s390/s390x in the Linux kernel's memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.(CVE-2020-10773)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.(CVE-2020-12114)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720.\n This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-14305)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.(CVE-2020-15436)\n\n - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service by using the p->serial_in pointer, which is uninitialized.(CVE-2020-15437)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.(CVE-2020-28915)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.(CVE-2020-28974)\n\n - In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-153467744. (CVE-2020-0305)\n\n - Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.(CVE-2020-12352)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-22T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-1311)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-20934", "CVE-2019-9456", "CVE-2020-0305", "CVE-2020-10773", "CVE-2020-12114", "CVE-2020-12352", "CVE-2020-14305", "CVE-2020-14351", "CVE-2020-15436", "CVE-2020-15437", "CVE-2020-25656", "CVE-2020-27777", "CVE-2020-27786", "CVE-2020-28915", "CVE-2020-28974", "CVE-2020-29371", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-36158"], "modified": "2021-02-24T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:kernel-debug-devel", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1311.NASL", "href": "https://www.tenable.com/plugins/nessus/146701", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146701);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/24\");\n\n script_cve_id(\n \"CVE-2019-20934\",\n \"CVE-2019-9456\",\n \"CVE-2020-0305\",\n \"CVE-2020-10773\",\n \"CVE-2020-12114\",\n \"CVE-2020-12352\",\n \"CVE-2020-14305\",\n \"CVE-2020-14351\",\n \"CVE-2020-15436\",\n \"CVE-2020-15437\",\n \"CVE-2020-25656\",\n \"CVE-2020-27777\",\n \"CVE-2020-27786\",\n \"CVE-2020-28915\",\n \"CVE-2020-28974\",\n 
\"CVE-2020-29371\",\n \"CVE-2020-29660\",\n \"CVE-2020-29661\",\n \"CVE-2020-36158\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2021-1311)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - mwifiex_cmd_802_11_ad_hoc_start in\n drivers/net/wireless/marvell/mwifiex/join.c in the\n Linux kernel through 5.10.4 might allow remote\n attackers to execute arbitrary code via a long SSID\n value, aka CID-5c455c5ab332.(CVE-2020-36158)\n\n - A flaw was found in the Linux kernel. A use-after-free\n was found in the way the console subsystem was using\n ioctls KDGKBSENT and KDSKBSENT. A local user could use\n this flaw to get read memory access out of bounds. The\n highest threat from this vulnerability is to data\n confidentiality.(CVE-2020-25656)\n\n - A flaw was found in the Linux kernel. A use-after-free\n memory flaw was found in the perf subsystem allowing a\n local attacker with permission to monitor perf events\n to corrupt memory and possibly escalate privileges. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-14351)\n\n - A flaw was found in the way RTAS handled memory\n accesses in userspace to kernel communication. 
On a\n locked down (usually due to Secure Boot) guest system\n running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to\n further increase their privileges to that of a running\n kernel.(CVE-2020-27777)\n\n - A locking issue was discovered in the tty subsystem of\n the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free\n attack against TIOCSPGRP, aka\n CID-54ffccbf053b.(CVE-2020-29661)\n\n - A locking inconsistency issue was discovered in the tty\n subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may\n allow a read-after-free attack against TIOCGSID, aka\n CID-c8bcd9c5be24.(CVE-2020-29660)\n\n - An issue was discovered in the Linux kernel before\n 5.2.6. On NUMA systems, the Linux fair scheduler has a\n use-after-free in show_numa_stats() because NUMA fault\n statistics are inappropriately freed, aka\n CID-16d51a590a8c.(CVE-2019-20934)\n\n - A flaw was found in the Linux kernels implementation of\n MIDI, where an attacker with a local account and the\n permissions to issue an ioctl commands to midi devices,\n could trigger a use-after-free. A write to this\n specific memory while freed and before use could cause\n the flow of execution to change and possibly allow for\n memory corruption or privilege\n escalation.(CVE-2020-27786)\n\n - An issue was discovered in romfs_dev_read in\n fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka\n CID-bcf85fcedfdd.(CVE-2020-29371)\n\n - In the Android kernel in Pixel C USB monitor driver\n there is a possible OOB write due to a missing bounds\n check. This could lead to local escalation of privilege\n with System execution privileges needed. 
User\n interaction is not needed for\n exploitation.(CVE-2019-9456)\n\n - A stack information leak flaw was found in s390/s390x\n in the Linux kernel's memory manager functionality,\n where it incorrectly writes to the\n /proc/sys/vm/cmm_timeout file. This flaw allows a local\n user to see the kernel data.(CVE-2020-10773)\n\n - A pivot_root race condition in fs/namespace.c in the\n Linux kernel 4.4.x before 4.4.221, 4.9.x before\n 4.9.221, 4.14.x before 4.14.178, 4.19.x before\n 4.19.119, and 5.x before 5.3 allows local users to\n cause a denial of service (panic) by corrupting a\n mountpoint reference counter.(CVE-2020-12114)\n\n - An out-of-bounds memory write flaw was found in how the\n Linux kernel's Voice Over IP H.323 connection tracking\n functionality handled connections on ipv6 port 1720.\n This flaw allows an unauthenticated remote user to\n crash the system, causing a denial of service. The\n highest threat from this vulnerability is to\n confidentiality, integrity, as well as system\n availability.(CVE-2020-14305)\n\n - Use-after-free vulnerability in fs/block_dev.c in the\n Linux kernel before 5.8 allows local users to gain\n privileges or cause a denial of service by leveraging\n improper access to a certain error\n field.(CVE-2020-15436)\n\n - The Linux kernel before version 5.8 is vulnerable to a\n NULL pointer dereference in\n drivers/tty/serial/8250/8250_core.c:serial8250_isa_init\n _ports() that allows local users to cause a denial of\n service by using the p->serial_in pointer which\n uninitialized.(CVE-2020-15437)\n\n - A buffer over-read (at the framebuffer layer) in the\n fbcon code in the Linux kernel before 5.8.15 could be\n used by local attackers to read kernel memory, aka\n CID-6735b4632def.(CVE-2020-28915)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel\n before 5.9.7 could be used by local attackers to read\n privileged information or potentially crash the kernel,\n aka CID-3c4e0dff2095. 
This occurs because\n KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for\n manipulations such as font height.(CVE-2020-28974)\n\n - In cdev_get of char_dev.c, there is a possible\n use-after-free due to a race condition. This could lead\n to local escalation of privilege with System execution\n privileges needed. User interaction is not needed for\n exploitation.Product: AndroidVersions:\n Android-10Android ID: A-153467744(CVE-2020-0305)\n\n - Improper access control in BlueZ may allow an\n unauthenticated user to potentially enable information\n disclosure via adjacent access.(CVE-2020-12352)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1311\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a5285fd5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-327.62.59.83.h255\",\n \"kernel-debug-3.10.0-327.62.59.83.h255\",\n \"kernel-debug-devel-3.10.0-327.62.59.83.h255\",\n \"kernel-debuginfo-3.10.0-327.62.59.83.h255\",\n \"kernel-debuginfo-common-x86_64-3.10.0-327.62.59.83.h255\",\n \"kernel-devel-3.10.0-327.62.59.83.h255\",\n \"kernel-headers-3.10.0-327.62.59.83.h255\",\n \"kernel-tools-3.10.0-327.62.59.83.h255\",\n \"kernel-tools-libs-3.10.0-327.62.59.83.h255\",\n \"perf-3.10.0-327.62.59.83.h255\",\n \"python-perf-3.10.0-327.62.59.83.h255\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n 
security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-05-13T15:09:22", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.(CVE-2020-36158)\n\n - Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2020-0543)\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.(CVE-2019-3900)\n\n - In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931.(CVE-2018-9517)\n\n - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. 
When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism.\n But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.(CVE-2019-19338)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files. The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode.(CVE-2020-10690)\n\n - Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.(CVE-2020-12351)\n\n - A flaw was found in the Linux kernels implementation of MIDI, where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.(CVE-2020-27786)\n\n - use-after-free read in sunkbd_reinit in drivers/input/keyboard/sunkbd.c(CVE-2020-25669)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. 
On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.(CVE-2020-27777)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.(CVE-2020-29660)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.(CVE-2020-29661)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720.\n This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-14305)\n\n - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.(CVE-2019-20934)\n\n - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID:\n 189296.(CVE-2020-4788)\n\n - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service.(CVE-2020-25704)\n\n - An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. 
The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.(CVE-2020-29370)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.(CVE-2020-28974)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.(CVE-2020-28915)\n\n - An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.(CVE-2020-29371)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.(CVE-2020-15436)\n\n - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init\n _ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.(CVE-2020-15437)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-03-24T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1684)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-9517", "CVE-2019-11135", "CVE-2019-19338", "CVE-2019-20934", "CVE-2019-3900", "CVE-2020-0543", "CVE-2020-10690", "CVE-2020-12351", "CVE-2020-14305", "CVE-2020-15436", "CVE-2020-15437", "CVE-2020-25669", "CVE-2020-25704", "CVE-2020-27777", "CVE-2020-27786", "CVE-2020-28915", "CVE-2020-28974", "CVE-2020-29370", "CVE-2020-29371", "CVE-2020-29660", "CVE-2020-29661", "CVE-2020-36158", "CVE-2020-4788"], "modified": "2022-05-10T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1684.NASL", "href": "https://www.tenable.com/plugins/nessus/148041", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148041);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2018-9517\",\n \"CVE-2019-3900\",\n \"CVE-2019-19338\",\n \"CVE-2019-20934\",\n \"CVE-2020-0543\",\n \"CVE-2020-4788\",\n \"CVE-2020-10690\",\n \"CVE-2020-12351\",\n \"CVE-2020-14305\",\n \"CVE-2020-15436\",\n \"CVE-2020-15437\",\n \"CVE-2020-25669\",\n \"CVE-2020-25704\",\n \"CVE-2020-27777\",\n \"CVE-2020-27786\",\n \"CVE-2020-28915\",\n \"CVE-2020-28974\",\n \"CVE-2020-29370\",\n \"CVE-2020-29371\",\n \"CVE-2020-29660\",\n 
\"CVE-2020-29661\",\n \"CVE-2020-36158\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2021-1684)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - mwifiex_cmd_802_11_ad_hoc_start in\n drivers/net/wireless/marvell/mwifiex/join.c in the\n Linux kernel through 5.10.4 might allow remote\n attackers to execute arbitrary code via a long SSID\n value, aka CID-5c455c5ab332.(CVE-2020-36158)\n\n - Incomplete cleanup from specific special register read\n operations in some Intel(R) Processors may allow an\n authenticated user to potentially enable information\n disclosure via local access.(CVE-2020-0543)\n\n - An infinite loop issue was found in the vhost_net\n kernel module in Linux Kernel up to and including\n v5.1-rc6, while handling incoming packets in\n handle_rx(). It could occur if one end sends packets\n faster than the other end can process them. A guest\n user, maybe remote one, could use this flaw to stall\n the vhost_net kernel thread, resulting in a DoS\n scenario.(CVE-2019-3900)\n\n - In pppol2tp_connect, there is possible memory\n corruption due to a use after free. This could lead to\n local escalation of privilege with System execution\n privileges needed. User interaction is not needed for\n exploitation. Product: Android. Versions: Android\n kernel. Android ID: A-38159931.(CVE-2018-9517)\n\n - A flaw was found in the fix for CVE-2019-11135, in the\n Linux upstream kernel versions before 5.5 where, the\n way Intel CPUs handle speculative execution of\n instructions when a TSX Asynchronous Abort (TAA) error\n occurs. 
When a guest is running on a host CPU affected\n by the TAA flaw (TAA_NO=0), but is not affected by the\n MDS issue (MDS_NO=1), the guest was to clear the\n affected buffers by using a VERW instruction mechanism.\n But when the MDS_NO=1 bit was exported to the guests,\n the guests did not use the VERW mechanism to clear the\n affected buffers. This issue affects guests running on\n Cascade Lake CPUs and requires that host has 'TSX'\n enabled. Confidentiality of data is the highest threat\n associated with this vulnerability.(CVE-2019-19338)\n\n - There is a use-after-free in kernel versions before 5.5\n due to a race condition between the release of\n ptp_clock and cdev while resource deallocation. When a\n (high privileged) process allocates a ptp device file\n (like /dev/ptpX) and voluntarily goes to sleep. During\n this time if the underlying device is removed, it can\n cause an exploitable condition as the process wakes up\n to terminate and clean all attached files. The system\n crashes due to the cdev structure being invalid (as\n already freed) which is pointed to by the\n inode.(CVE-2020-10690)\n\n - Improper input validation in BlueZ may allow an\n unauthenticated user to potentially enable escalation\n of privilege via adjacent access.(CVE-2020-12351)\n\n - A flaw was found in the Linux kernels implementation of\n MIDI, where an attacker with a local account and the\n permissions to issue an ioctl commands to midi devices,\n could trigger a use-after-free. A write to this\n specific memory while freed and before use could cause\n the flow of execution to change and possibly allow for\n memory corruption or privilege\n escalation.(CVE-2020-27786)\n\n - use-after-free read in sunkbd_reinit in\n drivers/input/keyboard/sunkbd.c(CVE-2020-25669)\n\n - A flaw was found in the way RTAS handled memory\n accesses in userspace to kernel communication. 
On a\n locked down (usually due to Secure Boot) guest system\n running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to\n further increase their privileges to that of a running\n kernel.(CVE-2020-27777)\n\n - A locking inconsistency issue was discovered in the tty\n subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may\n allow a read-after-free attack against TIOCGSID, aka\n CID-c8bcd9c5be24.(CVE-2020-29660)\n\n - A locking issue was discovered in the tty subsystem of\n the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free\n attack against TIOCSPGRP, aka\n CID-54ffccbf053b.(CVE-2020-29661)\n\n - An out-of-bounds memory write flaw was found in how the\n Linux kernel's Voice Over IP H.323 connection tracking\n functionality handled connections on ipv6 port 1720.\n This flaw allows an unauthenticated remote user to\n crash the system, causing a denial of service. The\n highest threat from this vulnerability is to\n confidentiality, integrity, as well as system\n availability.(CVE-2020-14305)\n\n - An issue was discovered in the Linux kernel before\n 5.2.6. On NUMA systems, the Linux fair scheduler has a\n use-after-free in show_numa_stats() because NUMA fault\n statistics are inappropriately freed, aka\n CID-16d51a590a8c.(CVE-2019-20934)\n\n - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors\n could allow a local user to obtain sensitive\n information from the data in the L1 cache under\n extenuating circumstances. IBM X-Force ID:\n 189296.(CVE-2020-4788)\n\n - A flaw memory leak in the Linux kernel performance\n monitoring subsystem was found in the way if using\n PERF_EVENT_IOC_SET_FILTER. A local user could use this\n flaw to starve the resources causing denial of\n service.(CVE-2020-25704)\n\n - An issue was discovered in kmem_cache_alloc_bulk in\n mm/slub.c in the Linux kernel before 5.5.11. 
The\n slowpath lacks the required TID increment, aka\n CID-fd4d9c7d0c71.(CVE-2020-29370)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel\n before 5.9.7 could be used by local attackers to read\n privileged information or potentially crash the kernel,\n aka CID-3c4e0dff2095. This occurs because\n KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for\n manipulations such as font height.(CVE-2020-28974)\n\n - A buffer over-read (at the framebuffer layer) in the\n fbcon code in the Linux kernel before 5.8.15 could be\n used by local attackers to read kernel memory, aka\n CID-6735b4632def.(CVE-2020-28915)\n\n - An issue was discovered in romfs_dev_read in\n fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka\n CID-bcf85fcedfdd.(CVE-2020-29371)\n\n - Use-after-free vulnerability in fs/block_dev.c in the\n Linux kernel before 5.8 allows local users to gain\n privileges or cause a denial of service by leveraging\n improper access to a certain error\n field.(CVE-2020-15436)\n\n - The Linux kernel before version 5.8 is vulnerable to a\n NULL pointer dereference in\n drivers/tty/serial/8250/8250_core.c:serial8250_isa_init\n _ports() that allows local users to cause a denial of\n service by using the p->serial_in pointer which\n uninitialized.(CVE-2020-15437)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1684\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0a74b185\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14305\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-12351\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-862.14.1.5.h520.eulerosv2r7\",\n \"kernel-devel-3.10.0-862.14.1.5.h520.eulerosv2r7\",\n \"kernel-headers-3.10.0-862.14.1.5.h520.eulerosv2r7\",\n \"kernel-tools-3.10.0-862.14.1.5.h520.eulerosv2r7\",\n \"kernel-tools-libs-3.10.0-862.14.1.5.h520.eulerosv2r7\",\n \"perf-3.10.0-862.14.1.5.h520.eulerosv2r7\",\n 
\"python-perf-3.10.0-862.14.1.5.h520.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-06-23T15:12:42", "description": "This update corrects a regression in some Xen virtual machine environments. For reference the original advisory text follows.\n\nSeveral vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.\n\nCVE-2019-9445\n\nA potential out-of-bounds read was discovered in the F2FS implementation. A user permitted to mount and access arbitrary filesystems could potentially use this to cause a denial of service (crash) or to read sensitive information.\n\nCVE-2019-19073, CVE-2019-19074\n\nNavid Emamdoost discovered potential memory leaks in the ath9k and ath9k_htc drivers. The security impact of these is unclear.\n\nCVE-2019-19448\n\n'Team bobfuzzer' reported a bug in Btrfs that could lead to a use-after-free, and could be triggered by crafted filesystem images. A user permitted to mount and access arbitrary filesystems could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nCVE-2020-12351\n\nAndy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. 
A remote attacker within a short distance, knowing the victim's Bluetooth device address, can send a malicious l2cap packet and cause a denial of service or possibly arbitrary code execution with kernel privileges.\n\nCVE-2020-12352\n\nAndy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets.\nA remote attacker within a short distance, knowing the victim's Bluetooth device address address, can retrieve kernel stack information.\n\nCVE-2020-12655\n\nZheng Bin reported that crafted XFS volumes could trigger a system hang. An attacker able to mount such a volume could use this to cause a denial of service.\n\nCVE-2020-12771\n\nZhiqiang Liu reported a bug in the bcache block driver that could lead to a system hang. The security impact of this is unclear.\n\nCVE-2020-12888\n\nIt was discovered that the PCIe Virtual Function I/O (vfio-pci) driver allowed users to disable a device's memory space while it was still mapped into a process. On some hardware platforms, local users or guest virtual machines permitted to access PCIe Virtual Functions could use this to cause a denial of service (hardware error and crash).\n\nCVE-2020-14305\n\nVasily Averin of Virtuozzo discovered a potential heap buffer overflow in the netfilter nf_contrack_h323 module. When this module is used to perform connection tracking for TCP/IPv6, a remote attacker could use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.\n\nCVE-2020-14314\n\nA bug was discovered in the ext4 filesystem that could lead to an out-of-bound read. A local user permitted to mount and access arbitrary filesystem images could use this to cause a denial of service (crash).\n\nCVE-2020-14331\n\nA bug was discovered in the VGA console driver's soft-scrollback feature that could lead to a heap buffer overflow. 
On a system with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nCVE-2020-14356, CVE-2020-25220\n\nA bug was discovered in the cgroup subsystem's handling of socket references to cgroups. In some cgroup configurations, this could lead to a use-after-free. A local user might be able to use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nThe original fix for this bug introudced a new security issue, which is also addressed in this update.\n\nCVE-2020-14386\n\nOr Cohen discovered a bug in the packet socket (AF_PACKET) implementation which could lead to a heap buffer overflow. A local user with the CAP_NET_RAW capability (in any user namespace) could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nCVE-2020-14390\n\nMinh Yuan discovered a bug in the framebuffer console driver's scrollback feature that could lead to a heap buffer overflow. On a system using framebuffer consoles, a local user with access to a console could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.\n\nThe scrollback feature has been disabled for now, as no other fix was available for this issue.\n\nCVE-2020-15393\n\nKyungtae Kim reported a memory leak in the usbtest driver. The security impact of this is unclear.\n\nCVE-2020-16166\n\nAmit Klein reported that the random number generator used by the network stack might not be re-seeded for long periods of time, making e.g. client port number allocations more predictable. 
This made it easier for remote attackers to carry out some network- based attacks such as DNS cache poisoning or device tracking.\n\nCVE-2020-24490\n\nAndy Nguyen discovered a flaw in the Bluetooth implementation that can lead to a heap buffer overflow. On systems with a Bluetooth 5 hardware interface, a remote attacker within a short distance can use this to cause a denial of service (crash or memory corruption) or possibly for remote code execution with kernel privilege.\n\nCVE-2020-25211\n\nA flaw was discovered in netfilter subsystem. A local attacker able to inject conntrack Netlink configuration can cause a denial of service.\n\nCVE-2020-25212\n\nA bug was discovered in the NFSv4 client implementation that could lead to a heap buffer overflow. A malicious NFS server could use this to cause a denial of service (crash or memory corruption) or possibly to execute arbitrary code on the client.\n\nCVE-2020-25284\n\nIt was discovered that the Rados block device (rbd) driver allowed tasks running as uid 0 to add and remove rbd devices, even if they dropped capabilities. On a system with the rbd driver loaded, this might allow privilege escalation from a container with a task running as root.\n\nCVE-2020-25285\n\nA race condition was discovered in the hugetlb filesystem's sysctl handlers, that could lead to stack corruption. A local user permitted to write to hugepages sysctls could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. By default only the root user can do this.\n\nCVE-2020-25641\n\nThe syzbot tool found a bug in the block layer that could lead to an infinite loop. A local user with access to a raw block device could use this to cause a denial of service (unbounded CPU use and possible system hang).\n\nCVE-2020-25643\n\nChenNan Of Chaitin Security Research Lab discovered a flaw in the hdlc_ppp module. 
Improper input validation in the ppp_cp_parse_cr() function may lead to memory corruption and information disclosure.\n\nCVE-2020-26088\n\nIt was discovered that the NFC (Near Field Communication) socket implementation allowed any user to create raw sockets. On a system with an NFC interface, this allowed local users to evade local network security policy.\n\nFor Debian 9 stretch, these problems have been fixed in version 4.9.240-1. This update additionally includes many more bug fixes from stable updates 4.9.229-4.9.240 inclusive.\n\nWe recommend that you upgrade your linux packages.\n\nFor the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-02T00:00:00", "type": "nessus", "title": "Debian DLA-2420-2 : linux regression update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-19073", "CVE-2019-19074", "CVE-2019-19448", "CVE-2019-9445", "CVE-2020-12351", "CVE-2020-12352", "CVE-2020-12655", "CVE-2020-12771", "CVE-2020-12888", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14331", "CVE-2020-14356", "CVE-2020-14386", "CVE-2020-14390", "CVE-2020-15393", "CVE-2020-16166", "CVE-2020-24490", "CVE-2020-25211", "CVE-2020-25212", "CVE-2020-25220", "CVE-2020-25284", "CVE-2020-25285", "CVE-2020-25641", "CVE-2020-25643", "CVE-2020-26088"], "modified": "2022-05-12T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:hyperv-daemons", "p-cpe:/a:debian:debian_linux:libcpupower-dev", "p-cpe:/a:debian:debian_linux:libcpupower1", "p-cpe:/a:debian:debian_linux:libusbip-dev", "p-cpe:/a:debian:debian_linux:linux-compiler-gcc-6-arm", 
"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-6-s390", "p-cpe:/a:debian:debian_linux:linux-compiler-gcc-6-x86", "p-cpe:/a:debian:debian_linux:linux-cpupower", "p-cpe:/a:debian:debian_linux:linux-doc-4.9", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-4kc-malta", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-5kc-malta", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-686", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-686-pae", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-arm64", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-armel", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-armhf", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-i386", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-mips", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-mips64el", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-mipsel", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-ppc64el", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-s390x", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-arm64", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-armmp", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-armmp-lpae", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-common", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-common-rt", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-loongson-3", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-marvell", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-octeon", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-powerpc64le", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-rt-686-pae", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-rt-amd64", "p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-s390x", 
"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-4kc-malta", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-4kc-malta-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-5kc-malta", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-5kc-malta-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-686", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-686-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-686-pae", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-686-pae-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-amd64", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-amd64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-arm64", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-arm64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-armmp", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-armmp-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-armmp-lpae", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-armmp-lpae-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-loongson-3", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-loongson-3-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-marvell", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-marvell-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-octeon", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-octeon-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-powerpc64le", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-powerpc64le-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-rt-686-pae", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-rt-686-pae-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-rt-amd64", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-rt-amd64-dbg", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-s390x", "p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-s390x-dbg", "p-cpe:/a:debian:debian_linux:linux-kbuild-4.9", "p-cpe:/a:debian:debian_linux:linux-libc-dev", 
"p-cpe:/a:debian:debian_linux:linux-manual-4.9", "p-cpe:/a:debian:debian_linux:linux-perf-4.9", "p-cpe:/a:debian:debian_linux:linux-source-4.9", "p-cpe:/a:debian:debian_linux:linux-support-4.9.0-9", "p-cpe:/a:debian:debian_linux:usbip", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2420.NASL", "href": "https://www.tenable.com/plugins/nessus/142176", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2420-2. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(142176);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/12\");\n\n script_cve_id(\"CVE-2019-19073\", \"CVE-2019-19074\", \"CVE-2019-19448\", \"CVE-2019-9445\", \"CVE-2020-12351\", \"CVE-2020-12352\", \"CVE-2020-12655\", \"CVE-2020-12771\", \"CVE-2020-12888\", \"CVE-2020-14305\", \"CVE-2020-14314\", \"CVE-2020-14331\", \"CVE-2020-14356\", \"CVE-2020-14386\", \"CVE-2020-14390\", \"CVE-2020-15393\", \"CVE-2020-16166\", \"CVE-2020-24490\", \"CVE-2020-25211\", \"CVE-2020-25212\", \"CVE-2020-25220\", \"CVE-2020-25284\", \"CVE-2020-25285\", \"CVE-2020-25641\", \"CVE-2020-25643\", \"CVE-2020-26088\");\n\n script_name(english:\"Debian DLA-2420-2 : linux regression update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update corrects a regression in some Xen virtual machine\nenvironments. 
For reference the original advisory text follows.\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to the execution of arbitrary code, privilege escalation,\ndenial of service or information leaks.\n\nCVE-2019-9445\n\nA potential out-of-bounds read was discovered in the F2FS\nimplementation. A user permitted to mount and access arbitrary\nfilesystems could potentially use this to cause a denial of service\n(crash) or to read sensitive information.\n\nCVE-2019-19073, CVE-2019-19074\n\nNavid Emamdoost discovered potential memory leaks in the ath9k and\nath9k_htc drivers. The security impact of these is unclear.\n\nCVE-2019-19448\n\n'Team bobfuzzer' reported a bug in Btrfs that could lead to a\nuse-after-free, and could be triggered by crafted filesystem images. A\nuser permitted to mount and access arbitrary filesystems could use\nthis to cause a denial of service (crash or memory corruption) or\npossibly for privilege escalation.\n\nCVE-2020-12351\n\nAndy Nguyen discovered a flaw in the Bluetooth implementation in the\nway L2CAP packets with A2MP CID are handled. A remote attacker within\na short distance, knowing the victim's Bluetooth device address, can\nsend a malicious l2cap packet and cause a denial of service or\npossibly arbitrary code execution with kernel privileges.\n\nCVE-2020-12352\n\nAndy Nguyen discovered a flaw in the Bluetooth implementation. Stack\nmemory is not properly initialised when handling certain AMP packets.\nA remote attacker within a short distance, knowing the victim's\nBluetooth device address, can retrieve kernel stack\ninformation.\n\nCVE-2020-12655\n\nZheng Bin reported that crafted XFS volumes could trigger a system\nhang. An attacker able to mount such a volume could use this to cause\na denial of service.\n\nCVE-2020-12771\n\nZhiqiang Liu reported a bug in the bcache block driver that could lead\nto a system hang. 
The security impact of this is unclear.\n\nCVE-2020-12888\n\nIt was discovered that the PCIe Virtual Function I/O (vfio-pci) driver\nallowed users to disable a device's memory space while it was still\nmapped into a process. On some hardware platforms, local users or\nguest virtual machines permitted to access PCIe Virtual Functions\ncould use this to cause a denial of service (hardware error and\ncrash).\n\nCVE-2020-14305\n\nVasily Averin of Virtuozzo discovered a potential heap buffer overflow\nin the netfilter nf_conntrack_h323 module. When this module is used to\nperform connection tracking for TCP/IPv6, a remote attacker could use\nthis to cause a denial of service (crash or memory corruption) or\npossibly for remote code execution with kernel privilege.\n\nCVE-2020-14314\n\nA bug was discovered in the ext4 filesystem that could lead to an\nout-of-bound read. A local user permitted to mount and access\narbitrary filesystem images could use this to cause a denial of\nservice (crash).\n\nCVE-2020-14331\n\nA bug was discovered in the VGA console driver's soft-scrollback\nfeature that could lead to a heap buffer overflow. On a system with a\ncustom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK enabled, a local\nuser with access to a console could use this to cause a denial of\nservice (crash or memory corruption) or possibly for privilege\nescalation.\n\nCVE-2020-14356, CVE-2020-25220\n\nA bug was discovered in the cgroup subsystem's handling of socket\nreferences to cgroups. In some cgroup configurations, this could lead\nto a use-after-free. A local user might be able to use this to cause a\ndenial of service (crash or memory corruption) or possibly for\nprivilege escalation.\n\nThe original fix for this bug introduced a new security\nissue, which is also addressed in this update.\n\nCVE-2020-14386\n\nOr Cohen discovered a bug in the packet socket (AF_PACKET)\nimplementation which could lead to a heap buffer overflow. 
A local\nuser with the CAP_NET_RAW capability (in any user namespace) could use\nthis to cause a denial of service (crash or memory corruption) or\npossibly for privilege escalation.\n\nCVE-2020-14390\n\nMinh Yuan discovered a bug in the framebuffer console driver's\nscrollback feature that could lead to a heap buffer overflow. On a\nsystem using framebuffer consoles, a local user with access to a\nconsole could use this to cause a denial of service (crash or memory\ncorruption) or possibly for privilege escalation.\n\nThe scrollback feature has been disabled for now, as no\nother fix was available for this issue.\n\nCVE-2020-15393\n\nKyungtae Kim reported a memory leak in the usbtest driver. The\nsecurity impact of this is unclear.\n\nCVE-2020-16166\n\nAmit Klein reported that the random number generator used by the\nnetwork stack might not be re-seeded for long periods of time, making\ne.g. client port number allocations more predictable. This made it\neasier for remote attackers to carry out some network-based attacks\nsuch as DNS cache poisoning or device tracking.\n\nCVE-2020-24490\n\nAndy Nguyen discovered a flaw in the Bluetooth implementation that can\nlead to a heap buffer overflow. On systems with a Bluetooth 5 hardware\ninterface, a remote attacker within a short distance can use this to\ncause a denial of service (crash or memory corruption) or possibly for\nremote code execution with kernel privilege.\n\nCVE-2020-25211\n\nA flaw was discovered in the netfilter subsystem. A local attacker able to\ninject conntrack Netlink configuration can cause a denial of service.\n\nCVE-2020-25212\n\nA bug was discovered in the NFSv4 client implementation that could\nlead to a heap buffer overflow. 
A malicious NFS server could use this\nto cause a denial of service (crash or memory corruption) or possibly\nto execute arbitrary code on the client.\n\nCVE-2020-25284\n\nIt was discovered that the Rados block device (rbd) driver allowed\ntasks running as uid 0 to add and remove rbd devices, even if they\ndropped capabilities. On a system with the rbd driver loaded, this\nmight allow privilege escalation from a container with a task running\nas root.\n\nCVE-2020-25285\n\nA race condition was discovered in the hugetlb filesystem's sysctl\nhandlers, that could lead to stack corruption. A local user permitted\nto write to hugepages sysctls could use this to cause a denial of\nservice (crash or memory corruption) or possibly for privilege\nescalation. By default only the root user can do this.\n\nCVE-2020-25641\n\nThe syzbot tool found a bug in the block layer that could lead to an\ninfinite loop. A local user with access to a raw block device could\nuse this to cause a denial of service (unbounded CPU use and possible\nsystem hang).\n\nCVE-2020-25643\n\nChenNan Of Chaitin Security Research Lab discovered a flaw in the\nhdlc_ppp module. Improper input validation in the ppp_cp_parse_cr()\nfunction may lead to memory corruption and information disclosure.\n\nCVE-2020-26088\n\nIt was discovered that the NFC (Near Field Communication) socket\nimplementation allowed any user to create raw sockets. On a system\nwith an NFC interface, this allowed local users to evade local network\nsecurity policy.\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.9.240-1. 
This update additionally includes many more bug fixes from\nstable updates 4.9.229-4.9.240 inclusive.\n\nWe recommend that you upgrade your linux packages.\n\nFor the detailed security status of linux please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/linux\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/linux\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/linux\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14305\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:hyperv-daemons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcpupower-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcpupower1\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:libusbip-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-6-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-6-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-6-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-cpupower\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-doc-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-4kc-malta\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-5kc-malta\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-arm64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-armel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-armhf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-i386\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-mips64el\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-mipsel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-ppc64el\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-all-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-arm64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-armmp-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-common-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-loongson-3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-marvell\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-octeon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-powerpc64le\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-rt-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-rt-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-9-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-4kc-malta\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-4kc-malta-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-5kc-malta\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-5kc-malta-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-686-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-686-pae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-amd64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-arm64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-arm64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-armmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-armmp-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-armmp-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-armmp-lpae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-loongson-3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-loongson-3-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-marvell\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-marvell-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-octeon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-octeon-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-powerpc64le\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-powerpc64le-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-rt-686-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-rt-686-pae-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-rt-amd64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-rt-amd64-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-9-s390x-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-kbuild-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-libc-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-manual-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-perf-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-source-4.9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux-support-4.9.0-9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:usbip\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/09/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"hyperv-daemons\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libcpupower-dev\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libcpupower1\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libusbip-dev\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-compiler-gcc-6-arm\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-compiler-gcc-6-s390\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-compiler-gcc-6-x86\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-cpupower\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-doc-4.9\", reference:\"4.9.240-2\")) flag++;\nif 
(deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-4kc-malta\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-5kc-malta\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-686\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-686-pae\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-amd64\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-arm64\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-armel\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-armhf\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-i386\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-mips\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-mips64el\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-mipsel\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-ppc64el\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-all-s390x\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-amd64\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-arm64\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-armmp\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", 
prefix:\"linux-headers-4.9.0-9-armmp-lpae\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-common\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-common-rt\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-loongson-3\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-marvell\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-octeon\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-powerpc64le\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-rt-686-pae\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-rt-amd64\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-headers-4.9.0-9-s390x\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-4kc-malta\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-4kc-malta-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-5kc-malta\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-5kc-malta-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-686\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-686-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-686-pae\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-686-pae-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-amd64\", 
reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-amd64-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-arm64\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-arm64-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-armmp\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-armmp-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-armmp-lpae\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-armmp-lpae-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-loongson-3\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-loongson-3-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-marvell\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-marvell-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-octeon\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-octeon-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-powerpc64le\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-powerpc64le-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-rt-686-pae\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-rt-686-pae-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-rt-amd64\", reference:\"4.9.240-2\")) flag++;\nif 
(deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-rt-amd64-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-s390x\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-image-4.9.0-9-s390x-dbg\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-kbuild-4.9\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-libc-dev\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-manual-4.9\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-perf-4.9\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-source-4.9\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"linux-support-4.9.0-9\", reference:\"4.9.240-2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"usbip\", reference:\"4.9.240-2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-05-13T22:23:50", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel packages installed that are affected by multiple vulnerabilities:\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. 
(CVE-2019-15917)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. 
(CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring. (CVE-2019-19807)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. 
(CVE-2019-9458)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing. (CVE-2020-10751)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. 
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2. 
(CVE-2020-9383)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel Multiple Vulnerabilities (NS-SA-2021-0169)", "bulletinFamily": "scanner", "cvss2": {}, "cvelistmodified": "2021-10-27T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_core:bpftool", "p-cpe:/a:zte:cgsl_core:kernel", "p-cpe:/a:zte:cgsl_core:kernel-core", "p-cpe:/a:zte:cgsl_core:kernel-debug-core", "p-cpe:/a:zte:cgsl_core:kernel-debug-devel", "p-cpe:/a:zte:cgsl_core:kernel-debug-modules", "p-cpe:/a:zte:cgsl_core:kernel-devel", "p-cpe:/a:zte:cgsl_core:kernel-headers", "p-cpe:/a:zte:cgsl_core:kernel-modules", "p-cpe:/a:zte:cgsl_core:kernel-tools", "p-cpe:/a:zte:cgsl_core:kernel-tools-libs", "p-cpe:/a:zte:cgsl_core:kernel-tools-libs-devel", "p-cpe:/a:zte:cgsl_core:perf", "p-cpe:/a:zte:cgsl_core:python-perf", "p-cpe:/a:zte:cgsl_main:bpftool", "p-cpe:/a:zte:cgsl_main:kernel", "p-cpe:/a:zte:cgsl_main:kernel-debug", "p-cpe:/a:zte:cgsl_main:kernel-debug-devel", "p-cpe:/a:zte:cgsl_main:kernel-devel", "p-cpe:/a:zte:cgsl_main:kernel-headers", "p-cpe:/a:zte:cgsl_main:kernel-tools", "p-cpe:/a:zte:cgsl_main:kernel-tools-libs", "p-cpe:/a:zte:cgsl_main:kernel-tools-libs-devel", "p-cpe:/a:zte:cgsl_main:perf", "p-cpe:/a:zte:cgsl_main:python-perf", "cpe:/o:zte:cgsl_core:5", "cpe:/o:zte:cgsl_main:5"], "id": "NEWSTART_CGSL_NS-SA-2021-0169_KERNEL.NASL", "href": "https://www.tenable.com/plugins/nessus/154525", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0169. 
The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154525);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/27\");\n\n script_cve_id(\n \"CVE-2017-18551\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-15917\",\n \"CVE-2019-17055\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19332\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19807\",\n \"CVE-2019-20636\",\n \"CVE-2020-2732\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-11565\",\n \"CVE-2020-12770\",\n \"CVE-2020-14305\",\n \"CVE-2020-25212\",\n \"CVE-2020-25284\"\n );\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel Multiple Vulnerabilities (NS-SA-2021-0169)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel packages installed that are affected by\nmultiple vulnerabilities:\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an\n out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when\n hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through\n 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka\n CID-b91ee4aa2a21. 
(CVE-2019-17055)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel\n through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of\n this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of\n this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way\n the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID\n features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use\n this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. 
(CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device\n in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka CID-303911cfc5b9. This affects\n drivers/usb/core/file.c. (CVE-2019-19537)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code\n refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The\n timeri variable was originally intended to be for a newly created timer instance, but was used for a\n different purpose after refactoring. (CVE-2019-19807)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode\n table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could\n lead to local escalation of privilege with no additional execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9458)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. 
This flaw allows an\n attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS\n client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause\n a kernel panic. The highest threat from this vulnerability is to data confidentiality and system\n availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it\n incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly\n only validate the first netlink message in the skb and allow or deny the rest of the messages within the\n skb with the granted permission without further processing. (CVE-2020-10751)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c\n has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing,\n aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability\n because the issue is a bug in parsing mount options which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. 
(CVE-2020-14305)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers\n to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c\n instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete\n permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap\n rbd block devices, aka CID-f44d04e696fe. (CVE-2020-25284)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest\n when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into\n accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in\n drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region\n function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to\n a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it,\n aka CID-2e90ca68b0d2. 
(CVE-2020-9383)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0169\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2017-18551\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-15917\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-17055\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-18808\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19046\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19055\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19332\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19523\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19524\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19530\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19534\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19537\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-19807\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-20636\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-9454\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-9458\");\n 
script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-10732\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-10742\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-10751\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-11565\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-12770\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-14305\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25212\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-25284\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-2732\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-8647\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-8649\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-9383\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. 
Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14305\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-debug-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:zte:cgsl_core:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_core:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:5\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL CORE 5.05': [\n 'bpftool-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-core-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-debug-core-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-debug-devel-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-debug-modules-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-devel-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-headers-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-modules-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-tools-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-tools-libs-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'kernel-tools-libs-devel-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 'perf-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite',\n 
'python-perf-3.10.0-957.27.2.el7.cgslv5_5.19.275.ge2a4ecc.lite'\n ],\n 'CGSL MAIN 5.05': [\n 'bpftool-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'kernel-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'kernel-debug-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'kernel-debug-devel-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'kernel-devel-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'kernel-headers-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'kernel-tools-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'kernel-tools-libs-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'kernel-tools-libs-devel-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'perf-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e',\n 'python-perf-3.10.0-957.27.2.el7.cgslv5_5.20.312.gc682c7e'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-06-16T14:51:11", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A stack information leak flaw was found in s390/s390x in the Linux kernel's memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.(CVE-2020-10773)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.(CVE-2019-9458)\n\n - An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.(CVE-2019-20934)\n\n - A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.(CVE-2020-29660)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720.\n This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-14305)\n\n - A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.(CVE-2020-29661)\n\n - An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.(CVE-2020-29371)\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.(CVE-2020-15436)\n\n - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init\n _ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.(CVE-2020-15437)\n\n - An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. 
The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.(CVE-2020-29370)\n\n - A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14351)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.(CVE-2020-28915)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.(CVE-2020-28974)\n\n - Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.(CVE-2020-12352)\n\n - In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:\n Android-10Android ID: A-153467744(CVE-2020-0305)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service.\n The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25643)\n\n - An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. 
The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user 'root' with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g.\n cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.(CVE-2019-3701)\n\n - In the Android kernel in Pixel C USB monitor driver there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.(CVE-2019-9456)\n\n - A pivot_root race condition in fs/ namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.(CVE-2020-12114)\n\n - A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.(CVE-2020-25645)\n\n - In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-144161459(CVE-2020-0431)\n\n - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-151939299(CVE-2020-0433)\n\n - In the Linux kernel through 5.8.7, local attackers able to inject conntrack netlink configuration could overflow a local buffer, causing crashes or triggering use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/ netfilter/ nf_conntrack_netlink.c, aka CID-1cc5ef91d2ff.(CVE-2020-25211)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. 
The highest threat from this vulnerability is to system availability.(CVE-2020-14314)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/ nfs/ nfs4proc.c instead of fs/ nfs/ nfs4xdr.c, aka CID-b4487b935452.(CVE-2020-25212)\n\n - The rbd block device driver in drivers/block/rbd.c in the Linux kernel through 5.8.9 used incomplete permission checking for access to rbd devices, which could be leveraged by local attackers to map or unmap rbd block devices, aka CID-f44d04e696fe.(CVE-2020-25284)\n\n - A race condition between hugetlb sysctl handlers in mm/hugetlb.c in the Linux kernel before 5.8.8 could be used by local attackers to corrupt memory, cause a NULL pointer dereference, or possibly have unspecified other impact, aka CID-17743798d812.(CVE-2020-25285)\n\n - A flaw was found in the Linux kernel before 5.9-rc4.\n Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.(CVE-2020-14386)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-01-20T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : kernel (EulerOS-SA-2021-1079)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-20934", "CVE-2019-3701", "CVE-2019-9456", "CVE-2019-9458", "CVE-2020-0305", "CVE-2020-0431", "CVE-2020-0433", "CVE-2020-10773", "CVE-2020-12114", "CVE-2020-12352", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14351", "CVE-2020-14386", "CVE-2020-15436", "CVE-2020-15437", "CVE-2020-25211", "CVE-2020-25212", "CVE-2020-25284", "CVE-2020-25285", "CVE-2020-25643", "CVE-2020-25645", "CVE-2020-28915", "CVE-2020-28974", "CVE-2020-29370", "CVE-2020-29371", "CVE-2020-29660", "CVE-2020-29661"], "modified": "2021-01-22T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1079.NASL", "href": "https://www.tenable.com/plugins/nessus/145201", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145201);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/22\");\n\n script_cve_id(\n \"CVE-2019-20934\",\n \"CVE-2019-3701\",\n \"CVE-2019-9456\",\n \"CVE-2019-9458\",\n \"CVE-2020-0305\",\n \"CVE-2020-0431\",\n \"CVE-2020-0433\",\n \"CVE-2020-10773\",\n \"CVE-2020-12114\",\n \"CVE-2020-12352\",\n \"CVE-2020-14305\",\n \"CVE-2020-14314\",\n 
\"CVE-2020-14351\",\n \"CVE-2020-14386\",\n \"CVE-2020-15436\",\n \"CVE-2020-15437\",\n \"CVE-2020-25211\",\n \"CVE-2020-25212\",\n \"CVE-2020-25284\",\n \"CVE-2020-25285\",\n \"CVE-2020-25643\",\n \"CVE-2020-25645\",\n \"CVE-2020-28915\",\n \"CVE-2020-28974\",\n \"CVE-2020-29370\",\n \"CVE-2020-29371\",\n \"CVE-2020-29660\",\n \"CVE-2020-29661\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : kernel (EulerOS-SA-2021-1079)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - A stack information leak flaw was found in s390/s390x\n in the Linux kernel's memory manager functionality,\n where it incorrectly writes to the\n /proc/sys/vm/cmm_timeout file. This flaw allows a local\n user to see the kernel data.(CVE-2020-10773)\n\n - In the Android kernel in the video driver there is a\n use after free due to a race condition. This could lead\n to local escalation of privilege with no additional\n execution privileges needed. User interaction is not\n needed for exploitation.(CVE-2019-9458)\n\n - An issue was discovered in the Linux kernel before\n 5.2.6. 
On NUMA systems, the Linux fair scheduler has a\n use-after-free in show_numa_stats() because NUMA fault\n statistics are inappropriately freed, aka\n CID-16d51a590a8c.(CVE-2019-20934)\n\n - A locking inconsistency issue was discovered in the tty\n subsystem of the Linux kernel through 5.9.13.\n drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may\n allow a read-after-free attack against TIOCGSID, aka\n CID-c8bcd9c5be24.(CVE-2020-29660)\n\n - An out-of-bounds memory write flaw was found in how the\n Linux kernel's Voice Over IP H.323 connection tracking\n functionality handled connections on ipv6 port 1720.\n This flaw allows an unauthenticated remote user to\n crash the system, causing a denial of service. The\n highest threat from this vulnerability is to\n confidentiality, integrity, as well as system\n availability.(CVE-2020-14305)\n\n - A locking issue was discovered in the tty subsystem of\n the Linux kernel through 5.9.13.\n drivers/tty/tty_jobctrl.c allows a use-after-free\n attack against TIOCSPGRP, aka\n CID-54ffccbf053b.(CVE-2020-29661)\n\n - An issue was discovered in romfs_dev_read in\n fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka\n CID-bcf85fcedfdd.(CVE-2020-29371)\n\n - Use-after-free vulnerability in fs/block_dev.c in the\n Linux kernel before 5.8 allows local users to gain\n privileges or cause a denial of service by leveraging\n improper access to a certain error\n field.(CVE-2020-15436)\n\n - The Linux kernel before version 5.8 is vulnerable to a\n NULL pointer dereference in\n drivers/tty/serial/8250/8250_core.c:serial8250_isa_init\n _ports() that allows local users to cause a denial of\n service by using the p->serial_in pointer which\n uninitialized.(CVE-2020-15437)\n\n - An issue was discovered in kmem_cache_alloc_bulk in\n mm/slub.c in the Linux kernel before 5.5.11. 
The\n slowpath lacks the required TID increment, aka\n CID-fd4d9c7d0c71.(CVE-2020-29370)\n\n - A flaw was found in the Linux kernel. A use-after-free\n memory flaw was found in the perf subsystem allowing a\n local attacker with permission to monitor perf events\n to corrupt memory and possibly escalate privileges. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-14351)\n\n - A buffer over-read (at the framebuffer layer) in the\n fbcon code in the Linux kernel before 5.8.15 could be\n used by local attackers to read kernel memory, aka\n CID-6735b4632def.(CVE-2020-28915)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel\n before 5.9.7 could be used by local attackers to read\n privileged information or potentially crash the kernel,\n aka CID-3c4e0dff2095. This occurs because\n KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for\n manipulations such as font height.(CVE-2020-28974)\n\n - Improper access control in BlueZ may allow an\n unauthenticated user to potentially enable information\n disclosure via adjacent access.(CVE-2020-12352)\n\n - In cdev_get of char_dev.c, there is a possible\n use-after-free due to a race condition. This could lead\n to local escalation of privilege with System execution\n privileges needed. User interaction is not needed for\n exploitation.Product: AndroidVersions:\n Android-10Android ID: A-153467744(CVE-2020-0305)\n\n - A flaw was found in the HDLC_PPP module of the Linux\n kernel in versions before 5.9-rc7. Memory corruption\n and a read overflow is caused by improper input\n validation in the ppp_cp_parse_cr function which can\n cause the system to crash or cause a denial of service.\n The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-25643)\n\n - An issue was discovered in can_can_gw_rcv in\n net/can/gw.c in the Linux kernel through 4.19.13. 
The\n CAN frame modification rules allow bitwise logical\n operations that can be also applied to the can_dlc\n field. The privileged user 'root' with CAP_NET_ADMIN\n can create a CAN frame modification rule that makes the\n data length code a higher value than the available CAN\n frame data size. In combination with a configured\n checksum calculation where the result is stored\n relatively to the end of the data (e.g.\n cgw_csum_xor_rel) the tail of the skb (e.g. frag_list\n pointer in skb_shared_info) can be rewritten which\n finally can cause a system crash. Because of a missing\n check, the CAN drivers may write arbitrary content\n beyond the data registers in the CAN controller's I/O\n memory when processing can-gw manipulated outgoing\n frames.(CVE-2019-3701)\n\n - In the Android kernel in Pixel C USB monitor driver\n there is a possible OOB write due to a missing bounds\n check. This could lead to local escalation of privilege\n with System execution privileges needed. User\n interaction is not needed for\n exploitation.(CVE-2019-9456)\n\n - A pivot_root race condition in fs/ namespace.c in the\n Linux kernel 4.4.x before 4.4.221, 4.9.x before\n 4.9.221, 4.14.x before 4.14.178, 4.19.x before\n 4.19.119, and 5.x before 5.3 allows local users to\n cause a denial of service (panic) by corrupting a\n mountpoint reference counter.(CVE-2020-12114)\n\n - A flaw was found in the Linux kernel in versions before\n 5.9-rc7. Traffic between two Geneve endpoints may be\n unencrypted when IPsec is configured to encrypt traffic\n for the specific UDP port used by the GENEVE tunnel\n allowing anyone between the two endpoints to read the\n traffic unencrypted. The main threat from this\n vulnerability is to data\n confidentiality.(CVE-2020-25645)\n\n - In kbd_keycode of keyboard.c, there is a possible out\n of bounds write due to a missing bounds check. This\n could lead to local escalation of privilege with no\n additional execution privileges needed. 
User\n interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-144161459(CVE-2020-0431)\n\n - In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is\n a possible use after free due to improper locking. This\n could lead to local escalation of privilege with no\n additional execution privileges needed. User\n interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-151939299(CVE-2020-0433)\n\n - In the Linux kernel through 5.8.7, local attackers able\n to inject conntrack netlink configuration could\n overflow a local buffer, causing crashes or triggering\n use of incorrect protocol numbers in\n ctnetlink_parse_tuple_filter in net/ netfilter/\n nf_conntrack_netlink.c, aka\n CID-1cc5ef91d2ff.(CVE-2020-25211)\n\n - A memory out-of-bounds read flaw was found in the Linux\n kernel before 5.9-rc2 with the ext3/ext4 file system,\n in the way it accesses a directory with broken\n indexing. This flaw allows a local user to crash the\n system if the directory exists. 
The highest threat from\n this vulnerability is to system\n availability.(CVE-2020-14314)\n\n - A TOCTOU mismatch in the NFS client code in the Linux\n kernel before 5.8.3 could be used by local attackers to\n corrupt memory or possibly have unspecified other\n impact because a size check is in fs/ nfs/ nfs4proc.c\n instead of fs/ nfs/ nfs4xdr.c, aka\n CID-b4487b935452.(CVE-2020-25212)\n\n - The rbd block device driver in drivers/block/rbd.c in\n the Linux kernel through 5.8.9 used incomplete\n permission checking for access to rbd devices, which\n could be leveraged by local attackers to map or unmap\n rbd block devices, aka\n CID-f44d04e696fe.(CVE-2020-25284)\n\n - A race condition between hugetlb sysctl handlers in\n mm/hugetlb.c in the Linux kernel before 5.8.8 could be\n used by local attackers to corrupt memory, cause a NULL\n pointer dereference, or possibly have unspecified other\n impact, aka CID-17743798d812.(CVE-2020-25285)\n\n - A flaw was found in the Linux kernel before 5.9-rc4.\n Memory corruption can be exploited to gain root\n privileges from unprivileged processes. The highest\n threat from this vulnerability is to data\n confidentiality and integrity.(CVE-2020-14386)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1079\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?83f9eb52\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-514.44.5.10.h296\",\n \"kernel-debuginfo-3.10.0-514.44.5.10.h296\",\n \"kernel-debuginfo-common-x86_64-3.10.0-514.44.5.10.h296\",\n \"kernel-devel-3.10.0-514.44.5.10.h296\",\n \"kernel-headers-3.10.0-514.44.5.10.h296\",\n \"kernel-tools-3.10.0-514.44.5.10.h296\",\n 
\"kernel-tools-libs-3.10.0-514.44.5.10.h296\",\n \"perf-3.10.0-514.44.5.10.h296\",\n \"python-perf-3.10.0-514.44.5.10.h296\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-06-15T22:17:46", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3929-1 advisory.\n\n - Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.\n (CVE-2017-5753)\n\n - The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)\n\n - A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). 
A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable. (CVE-2018-16882)\n\n - In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed.\n User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-152735806 (CVE-2020-0429)\n\n - An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.\n Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767. (CVE-2020-12655)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 (CVE-2020-3702)\n\n - A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. 
This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.\n (CVE-2021-20265)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. (CVE-2021-33033)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2021-3542)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.\n (CVE-2021-35477)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. 
The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7. (CVE-2021-3653)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\n - A flaw was found in the Linux kernel. When reusing a socket with an attached dccps_hc_tx_ccid as a listener, the socket will be used after being released leading to denial of service (DoS) or a potential code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. 
(CVE-2020-16119) (CVE-2021-3753)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault. (CVE-2021-38198)\n\n - drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations. (CVE-2021-38204)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43389. Reason: This candidate is a reservation duplicate of CVE-2021-43389. Notes: All CVE users should reference CVE-2021-43389 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2021-3896)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. (CVE-2021-40490)\n\n - The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. 
Input from a process that has the CAP_NET_ADMIN capability can lead to root access.\n (CVE-2021-42008)\n\n - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. (CVE-2021-42739)\n\n - An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. (CVE-2021-43389)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-07T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:3929-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5753", "CVE-2018-13405", "CVE-2018-16882", "CVE-2020-0429", "CVE-2020-12655", "CVE-2020-14305", "CVE-2020-16119", "CVE-2020-3702", "CVE-2021-20265", "CVE-2021-20322", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-34556", "CVE-2021-34981", "CVE-2021-3542", "CVE-2021-35477", "CVE-2021-3640", "CVE-2021-3653", "CVE-2021-3655", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3715", "CVE-2021-37159", "CVE-2021-3732", "CVE-2021-3752", "CVE-2021-3753", "CVE-2021-37576", "CVE-2021-3760", "CVE-2021-3772", "CVE-2021-38160", "CVE-2021-38198", "CVE-2021-38204", "CVE-2021-3896", "CVE-2021-40490", "CVE-2021-42008", "CVE-2021-42739", "CVE-2021-43389"], "modified": "2022-05-10T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-devel", "p-cpe:/a:novell:suse_linux:kernel-macros", "p-cpe:/a:novell:suse_linux:kernel-source", "p-cpe:/a:novell:suse_linux:kernel-syms", "cpe:/o:novell:suse_linux:12"], "id": 
"SUSE_SU-2021-3929-1.NASL", "href": "https://www.tenable.com/plugins/nessus/155910", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:3929-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155910);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2017-5753\",\n \"CVE-2018-13405\",\n \"CVE-2018-16882\",\n \"CVE-2020-0429\",\n \"CVE-2020-3702\",\n \"CVE-2020-12655\",\n \"CVE-2020-14305\",\n \"CVE-2021-3542\",\n \"CVE-2021-3640\",\n \"CVE-2021-3653\",\n \"CVE-2021-3655\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3715\",\n \"CVE-2021-3732\",\n \"CVE-2021-3752\",\n \"CVE-2021-3753\",\n \"CVE-2021-3760\",\n \"CVE-2021-3772\",\n \"CVE-2021-3896\",\n \"CVE-2021-20265\",\n \"CVE-2021-20322\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-34556\",\n \"CVE-2021-34981\",\n \"CVE-2021-35477\",\n \"CVE-2021-37159\",\n \"CVE-2021-37576\",\n \"CVE-2021-38160\",\n \"CVE-2021-38198\",\n \"CVE-2021-38204\",\n \"CVE-2021-40490\",\n \"CVE-2021-42008\",\n \"CVE-2021-42739\",\n \"CVE-2021-43389\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:3929-1\");\n script_xref(name:\"IAVA\", value:\"2017-A-0345-S\");\n script_xref(name:\"IAVA\", value:\"2018-A-0020\");\n script_xref(name:\"IAVA\", value:\"2018-A-0017\");\n script_xref(name:\"IAVA\", value:\"2018-A-0022-S\");\n script_xref(name:\"IAVA\", value:\"2017-A-0347-S\");\n script_xref(name:\"IAVA\", value:\"2018-A-0123-S\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:3929-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:3929-1 advisory.\n\n - Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized\n disclosure of information to an attacker with local user access via a side-channel analysis.\n (CVE-2017-5753)\n\n - The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create\n files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and\n is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a\n plain file whose group ownership is that group. The intended behavior was that the non-member can trigger\n creation of a directory (but not a plain file) whose group ownership is that group. The non-member can\n escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)\n\n - A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts\n when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while\n processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor\n address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash\n the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before\n 4.14.91 and before 4.19.13 are vulnerable. (CVE-2018-16882)\n\n - In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a\n use after free. 
This could lead to local escalation of privilege with System execution privileges needed.\n User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-152735806 (CVE-2020-0429)\n\n - An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.\n Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka\n CID-d0c7feaf8767. (CVE-2020-12655)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to\n improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for\n a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon\n Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon\n Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W,\n MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 (CVE-2020-3702)\n\n - A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux\n kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by\n exhausting available memory. The highest threat from this vulnerability is to system availability.\n (CVE-2021-20265)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. 
A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from\n kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects\n the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a\n reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of\n this candidate. All references and descriptions in this candidate have been removed to prevent accidental\n usage. (CVE-2021-3542)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from\n kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store\n operation does not necessarily occur before a store operation that has an attacker-controlled value.\n (CVE-2021-35477)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when\n processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested\n guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to\n enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. 
As a result, the L2 guest\n would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak\n of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to\n 5.14-rc7. (CVE-2021-3653)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on\n inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was\n found in the way user uses trace ring buffer in a specific way. Only privileged local users (with\n CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev\n without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\n - A flaw was found in the Linux kernel. When reusing a socket with an attached dccps_hc_tx_ccid as a\n listener, the socket will be used after being released leading to denial of service (DoS) or a potential\n code execution. The highest threat from this vulnerability is to data confidentiality and integrity as\n well as system availability. (CVE-2020-16119) (CVE-2021-3753)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest\n OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. 
(CVE-2021-37576)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access\n permissions of a shadow page, leading to a missing guest protection page fault. (CVE-2021-38198)\n\n - drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to\n cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain\n situations. (CVE-2021-38204)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43389. Reason: This candidate is a\n reservation duplicate of CVE-2021-43389. Notes: All CVE users should reference CVE-2021-43389 instead of\n this candidate. All references and descriptions in this candidate have been removed to prevent accidental\n usage. (CVE-2021-3896)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in\n the Linux kernel through 5.13.13. (CVE-2021-40490)\n\n - The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab\n out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.\n (CVE-2021-42008)\n\n - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to\n drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt\n mishandles bounds checking. (CVE-2021-42739)\n\n - An issue was discovered in the Linux kernel before 5.14.15. 
There is an array-index-out-of-bounds flaw in\n the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. (CVE-2021-43389)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/802154\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1068032\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1087082\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1098425\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1100416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1119934\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1129735\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1171217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1171420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1173346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183089\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186109\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188172\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188325\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188563\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1188601\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188838\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188876\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188983\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188985\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189262\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189291\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189706\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190023\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190025\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190067\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190117\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190159\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190276\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190349\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190351\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190601\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191315\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1191790\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191958\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191961\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.suse.com/pipermail/sle-updates/2021-December/020993.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-5753\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-13405\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-16882\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-0429\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-12655\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-14305\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-3702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20265\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20322\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-31916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33033\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-34556\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-34981\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3542\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-35477\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3640\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3653\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3655\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3659\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3715\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-37159\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3752\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3753\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-37576\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3760\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3772\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-38160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-38198\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-38204\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3896\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2021-40490\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42008\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42739\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-43389\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14305\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3653\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-default-4.4.121-92.161.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.2'},\n {'reference':'kernel-default-base-4.4.121-92.161.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.2'},\n {'reference':'kernel-default-devel-4.4.121-92.161.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.2'},\n {'reference':'kernel-devel-4.4.121-92.161.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.2'},\n {'reference':'kernel-macros-4.4.121-92.161.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.2'},\n {'reference':'kernel-source-4.4.121-92.161.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.2'},\n {'reference':'kernel-syms-4.4.121-92.161.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if 
(!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-default / kernel-default-base / kernel-default-devel / etc');\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-05-13T17:40:33", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3935-1 advisory.\n\n - kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service. (CVE-2017-17862)\n\n - kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a pointer leak. (CVE-2017-17864)\n\n - The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. 
The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)\n\n - A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable. (CVE-2018-16882)\n\n - In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed.\n User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-152735806 (CVE-2020-0429)\n\n - An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.\n Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767. (CVE-2020-12655)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. 
(CVE-2020-14305)\n\n - u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W, MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 (CVE-2020-3702)\n\n - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.\n (CVE-2020-4788)\n\n - A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by exhausting available memory. The highest threat from this vulnerability is to system availability.\n (CVE-2021-20265)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi- device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value. 
(CVE-2021-33033)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2021-3542)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation does not necessarily occur before a store operation that has an attacker-controlled value.\n (CVE-2021-35477)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7. (CVE-2021-3653)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. 
(CVE-2021-3655)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files (CVE-2021-3732)\n\n - A flaw was found in the Linux kernel. When reusing a socket with an attached dccps_hc_tx_ccid as a listener, the socket will be used after being released leading to denial of service (DoS) or a potential code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-16119) (CVE-2021-3753)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. 
NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault. (CVE-2021-38198)\n\n - drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations. (CVE-2021-38204)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43389. Reason: This candidate is a reservation duplicate of CVE-2021-43389. Notes: All CVE users should reference CVE-2021-43389 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. (CVE-2021-3896)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through 5.13.13. (CVE-2021-40490)\n\n - The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.\n (CVE-2021-42008)\n\n - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking. (CVE-2021-42739)\n\n - An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. 
(CVE-2021-43389)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-07T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2021:3935-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-17862", "CVE-2017-17864", "CVE-2018-13405", "CVE-2018-16882", "CVE-2020-0429", "CVE-2020-12655", "CVE-2020-14305", "CVE-2020-16119", "CVE-2020-3702", "CVE-2020-4788", "CVE-2021-20265", "CVE-2021-20322", "CVE-2021-31916", "CVE-2021-33033", "CVE-2021-34556", "CVE-2021-34981", "CVE-2021-3542", "CVE-2021-35477", "CVE-2021-3640", "CVE-2021-3653", "CVE-2021-3655", "CVE-2021-3659", "CVE-2021-3679", "CVE-2021-3715", "CVE-2021-37159", "CVE-2021-3732", "CVE-2021-3752", "CVE-2021-3753", "CVE-2021-37576", "CVE-2021-3760", "CVE-2021-3772", "CVE-2021-38160", "CVE-2021-38198", "CVE-2021-38204", "CVE-2021-3896", "CVE-2021-40490", "CVE-2021-42008", "CVE-2021-42739", "CVE-2021-43389"], "modified": "2022-05-10T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-default", "p-cpe:/a:novell:suse_linux:dlm-kmp-default", "p-cpe:/a:novell:suse_linux:gfs2-kmp-default", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-kgraft", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-devel", "p-cpe:/a:novell:suse_linux:kernel-macros", "p-cpe:/a:novell:suse_linux:kernel-source", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_180-94_150-default", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-default", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-3935-1.NASL", "href": "https://www.tenable.com/plugins/nessus/155902", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable 
Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:3935-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155902);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2017-17862\",\n \"CVE-2017-17864\",\n \"CVE-2018-13405\",\n \"CVE-2018-16882\",\n \"CVE-2020-0429\",\n \"CVE-2020-3702\",\n \"CVE-2020-4788\",\n \"CVE-2020-12655\",\n \"CVE-2020-14305\",\n \"CVE-2021-3542\",\n \"CVE-2021-3640\",\n \"CVE-2021-3653\",\n \"CVE-2021-3655\",\n \"CVE-2021-3659\",\n \"CVE-2021-3679\",\n \"CVE-2021-3715\",\n \"CVE-2021-3732\",\n \"CVE-2021-3752\",\n \"CVE-2021-3753\",\n \"CVE-2021-3760\",\n \"CVE-2021-3772\",\n \"CVE-2021-3896\",\n \"CVE-2021-20265\",\n \"CVE-2021-20322\",\n \"CVE-2021-31916\",\n \"CVE-2021-33033\",\n \"CVE-2021-34556\",\n \"CVE-2021-34981\",\n \"CVE-2021-35477\",\n \"CVE-2021-37159\",\n \"CVE-2021-37576\",\n \"CVE-2021-38160\",\n \"CVE-2021-38198\",\n \"CVE-2021-38204\",\n \"CVE-2021-40490\",\n \"CVE-2021-42008\",\n \"CVE-2021-42739\",\n \"CVE-2021-43389\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:3935-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2021:3935-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2021:3935-1 advisory.\n\n - kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would\n still be processed by JIT compilers. 
This behavior, also considered an improper branch-pruning logic\n issue, could possibly be used by local users for denial of service. (CVE-2017-17862)\n\n - kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the\n pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially\n sensitive address information, aka a pointer leak. (CVE-2017-17864)\n\n - The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create\n files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and\n is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a\n plain file whose group ownership is that group. The intended behavior was that the non-member can trigger\n creation of a directory (but not a plain file) whose group ownership is that group. The non-member can\n escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)\n\n - A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts\n when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while\n processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor\n address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash\n the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before\n 4.14.91 and before 4.19.13 are vulnerable. (CVE-2018-16882)\n\n - In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a\n use after free. 
This could lead to local escalation of privilege with System execution privileges needed.\n User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-152735806 (CVE-2020-0429)\n\n - An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10.\n Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka\n CID-d0c7feaf8767. (CVE-2020-12655)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - u'Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to\n improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for\n a discrete set of traffic' in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon\n Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon\n Wearables, Snapdragon Wired Infrastructure and Networking in APQ8053, IPQ4019, IPQ8064, MSM8909W,\n MSM8996AU, QCA9531, QCN5502, QCS405, SDX20, SM6150, SM7150 (CVE-2020-3702)\n\n - IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive\n information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296.\n (CVE-2020-4788)\n\n - A flaw was found in the way memory resources were freed in the unix_stream_recvmsg function in the Linux\n kernel when a signal was pending. This flaw allows an unprivileged local user to crash the system by\n exhausting available memory. 
The highest threat from this vulnerability is to system availability.\n (CVE-2021-20265)\n\n - An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-\n device driver module in the Linux kernel before 5.12. A bound check failure allows an attacker with\n special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or\n a leak of internal kernel information. The highest threat from this vulnerability is to system\n availability. (CVE-2021-31916)\n\n - The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because\n the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads\n to writing an arbitrary value. (CVE-2021-33033)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from\n kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects\n the possibility of uninitialized memory locations on the BPF stack. (CVE-2021-34556)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a\n reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of\n this candidate. All references and descriptions in this candidate have been removed to prevent accidental\n usage. (CVE-2021-3542)\n\n - In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from\n kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store\n operation does not necessarily occur before a store operation that has an attacker-controlled value.\n (CVE-2021-35477)\n\n - A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. 
The flaw occurs when\n processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested\n guest (L2). Due to improper validation of the int_ctl field, this issue could allow a malicious L1 to\n enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest\n would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak\n of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to\n 5.14-rc7. (CVE-2021-3653)\n\n - A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on\n inbound SCTP packets may allow the kernel to read uninitialized memory. (CVE-2021-3655)\n\n - kernel: NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (CVE-2021-3659)\n\n - A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was\n found in the way user uses trace ring buffer in a specific way. Only privileged local users (with\n CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.\n (CVE-2021-3679)\n\n - kernel: use-after-free in route4_change() in net/sched/cls_route.c (CVE-2021-3715)\n\n - hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev\n without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free.\n (CVE-2021-37159)\n\n - kernel: overlayfs: Mounting overlayfs inside an unprivileged user namespace can reveal files\n (CVE-2021-3732)\n\n - A flaw was found in the Linux kernel. When reusing a socket with an attached dccps_hc_tx_ccid as a\n listener, the socket will be used after being released leading to denial of service (DoS) or a potential\n code execution. The highest threat from this vulnerability is to data confidentiality and integrity as\n well as system availability. 
(CVE-2020-16119) (CVE-2021-3753)\n\n - arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest\n OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e. (CVE-2021-37576)\n\n - ** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss\n can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE:\n the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the\n length validation was added solely for robustness in the face of anomalous host OS behavior.\n (CVE-2021-38160)\n\n - arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access\n permissions of a shadow page, leading to a missing guest protection page fault. (CVE-2021-38198)\n\n - drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to\n cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain\n situations. (CVE-2021-38204)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43389. Reason: This candidate is a\n reservation duplicate of CVE-2021-43389. Notes: All CVE users should reference CVE-2021-43389 instead of\n this candidate. All references and descriptions in this candidate have been removed to prevent accidental\n usage. (CVE-2021-3896)\n\n - A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in\n the Linux kernel through 5.13.13. (CVE-2021-40490)\n\n - The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab\n out-of-bounds write. 
Input from a process that has the CAP_NET_ADMIN capability can lead to root access.\n (CVE-2021-42008)\n\n - The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to\n drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt\n mishandles bounds checking. (CVE-2021-42739)\n\n - An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in\n the detach_capi_ctr function in drivers/isdn/capi/kcapi.c. (CVE-2021-43389)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1073928\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1098425\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1100416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1119934\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1129735\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1171217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1171420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1173346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176724\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177666\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181158\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181854\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1183089\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184673\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185727\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185758\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1185973\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186109\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186390\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188172\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188563\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188601\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188838\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188876\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188983\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188985\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189262\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189278\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189291\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189706\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1190022\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190023\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190025\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190067\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190117\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190159\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190194\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190349\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190351\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190601\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190717\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191193\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191315\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191790\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191801\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191958\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191961\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192267\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192400\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192775\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192781\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-December/009856.html\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?71e58fa3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-17862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-17864\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-13405\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-16882\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-0429\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-12655\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-14305\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-3702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-4788\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20265\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20322\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-31916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-33033\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-34556\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-34981\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3542\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-35477\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2021-3640\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3653\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3655\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3659\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3715\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-37159\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3752\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3753\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-37576\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3760\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3772\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-38160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-38198\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-38204\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3896\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-40490\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42008\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42739\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-43389\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14305\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3653\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_180-94_150-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3|4|5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3/4/5\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'kernel-default-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'kernel-default-base-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'kernel-default-devel-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'kernel-default-kgraft-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'kernel-devel-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'kernel-macros-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'kernel-source-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'kernel-syms-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'kgraft-patch-4_4_180-94_150-default-1-4.3.1', 'sp':'3', 
'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-12.3'},\n {'reference':'cluster-md-kmp-default-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'cluster-md-kmp-default-4.4.180-94.150.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'cluster-md-kmp-default-4.4.180-94.150.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'dlm-kmp-default-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'dlm-kmp-default-4.4.180-94.150.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'dlm-kmp-default-4.4.180-94.150.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'gfs2-kmp-default-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'gfs2-kmp-default-4.4.180-94.150.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'gfs2-kmp-default-4.4.180-94.150.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'ocfs2-kmp-default-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'ocfs2-kmp-default-4.4.180-94.150.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'ocfs2-kmp-default-4.4.180-94.150.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-ha-release-12.3'},\n {'reference':'kernel-default-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-default-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-default-base-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-default-base-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-default-devel-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-default-devel-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-default-kgraft-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-default-man-4.4.180-94.150.1', 'sp':'3', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-devel-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-devel-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-macros-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-macros-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-source-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-source-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':'sles-release-12.3'},\n {'reference':'kernel-syms-4.4.180-94.150.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kernel-syms-4.4.180-94.150.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'},\n {'reference':'kgraft-patch-4_4_180-94_150-default-1-4.3.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-12.3'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. 
Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-04-22T15:08:54", "description": "Security Fix(es) :\n\n - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)\n\n - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)\n\n - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n - kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-21T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL7.x x86_64 (20201001)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18551", "CVE-2018-20836", "CVE-2019-12614", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16994", "CVE-2019-17053", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20636", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", 
"CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-14305", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2020-10-23T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:bpftool", "p-cpe:/a:fermilab:scientific_linux:bpftool-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:kernel-tools", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20201001_KERNEL_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/141727", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141727);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/23\");\n\n script_cve_id(\"CVE-2017-18551\", \"CVE-2018-20836\", \"CVE-2019-12614\", \"CVE-2019-15217\", \"CVE-2019-15807\", \"CVE-2019-15917\", \"CVE-2019-16231\", \"CVE-2019-16233\", \"CVE-2019-16994\", 
\"CVE-2019-17053\", \"CVE-2019-18808\", \"CVE-2019-19046\", \"CVE-2019-19055\", \"CVE-2019-19058\", \"CVE-2019-19059\", \"CVE-2019-19062\", \"CVE-2019-19063\", \"CVE-2019-19332\", \"CVE-2019-19447\", \"CVE-2019-19523\", \"CVE-2019-19524\", \"CVE-2019-19530\", \"CVE-2019-19534\", \"CVE-2019-19537\", \"CVE-2019-19767\", \"CVE-2019-19807\", \"CVE-2019-20054\", \"CVE-2019-20095\", \"CVE-2019-20636\", \"CVE-2019-9454\", \"CVE-2019-9458\", \"CVE-2020-10690\", \"CVE-2020-10732\", \"CVE-2020-10742\", \"CVE-2020-10751\", \"CVE-2020-10942\", \"CVE-2020-11565\", \"CVE-2020-12770\", \"CVE-2020-12826\", \"CVE-2020-14305\", \"CVE-2020-1749\", \"CVE-2020-2732\", \"CVE-2020-8647\", \"CVE-2020-8649\", \"CVE-2020-9383\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL7.x x86_64 (20201001)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - kernel: use-after-free in sound/core/timer.c\n (CVE-2019-19807)\n\n - kernel: out of bounds write in function\n i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c\n (CVE-2017-18551)\n\n - kernel: race condition in smp_task_timedout() and\n smp_task_done() in drivers/scsi/libsas/sas_expander.c\n leads to use-after-free (CVE-2018-20836)\n\n - kernel: out of bounds write in i2c driver leads to local\n escalation of privilege (CVE-2019-9454)\n\n - kernel: use after free due to race condition in the\n video driver leads to local privilege escalation\n (CVE-2019-9458)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2010&L=SCIENTIFIC-LINUX-ERRATA&P=19779\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?be3180c5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bpftool-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"bpftool-debuginfo-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-abi-whitelists-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-1160.el7\")) flag++;\nif 
(rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-doc-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-doc-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-1160.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-1160.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / kernel-abi-whitelists / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-22T18:01:39", 
"description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.(CVE-2020-15436)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720.\n This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-14305)\n\n - Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.(CVE-2020-12351)\n\n - In the Linux kernel 4.14 longterm through 4.14.165 and 4.19 longterm through 4.19.96 (and 5.x before 5.2), there is a use-after-free (write) in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c, aka CID-7dc40713618c. This is related to i915_gem_context_destroy_ioctl in drivers/gpu/drm/i915/i915_gem_context.c.(CVE-2020-7053)\n\n - In kbd_keycode of keyboard.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-144161459(CVE-2020-0431)\n\n - In various methods of hid-multitouch.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-162844689References: Upstream kernel(CVE-2020-0465)\n\n - mwifiex_cmd_802_11_ad_hoc_start in drivers/net/wireless/marvell/mwifiex/join.c in the Linux kernel through 5.10.4 might allow remote attackers to execute arbitrary code via a long SSID value, aka CID-5c455c5ab332.(CVE-2020-36158)\n\n - A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform) a root like local user could use this flaw to further increase their privileges to that of a running kernel.(CVE-2020-27777)\n\n - An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.(CVE-2020-29371)\n\n - An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.(CVE-2020-29370)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.(CVE-2020-8648)\n\n - A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.(CVE-2020-28915)\n\n - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. 
This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c,\n __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.(CVE-2019-19813)\n\n - gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_gss_krb5 implementation in the Linux kernel through 5.6.10 lacks certain domain_release calls, leading to a memory leak.(CVE-2020-12656)\n\n - A flaw was found in the Linux kernels implementation of MIDI, where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.(CVE-2020-27786)\n\n - A flaw memory leak in the Linux kernel performance monitoring subsystem was found in the way if using PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to starve the resources causing denial of service.(CVE-2020-25704)\n\n - A flaw was found in the Linux Kernel before 5.8-rc6 in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable.(CVE-2020-10781)\n\n - go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.(CVE-2019-20810)\n\n - An issue was discovered in the Linux kernel through 5.11.3. 
Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.(CVE-2021-27365)\n\n - An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.(CVE-2021-27364)\n\n - An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.(CVE-2021-27363)\n\n - A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free.(CVE-2020-25669)\n\n - A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to get read memory access out of bounds. 
The highest threat from this vulnerability is to data confidentiality.(CVE-2020-25656)\n\n - The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init\n _ports() that allows local users to cause a denial of service by using the p->serial_in pointer which uninitialized.(CVE-2020-15437)\n\n - An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4.(CVE-2020-11494)\n\n - A stack information leak flaw was found in s390/s390x in the Linux kernel's memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.(CVE-2020-10773)\n\n - ** DISPUTED ** drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: A third-party software maintainer states that the work queue allocation is happening during device initialization, which for a graphics card occurs during boot. It is not attacker controllable and OOM at that time is highly unlikely.(CVE-2019-16230)\n\n - A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. 
This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.(CVE-2020-10757)\n\n - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.(CVE-2020-12114)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.(CVE-2020-28974)\n\n - Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.(CVE-2019-14615)\n\n - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.(CVE-2019-19377)\n\n - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-147802478References: Upstream kernel(CVE-2020-0466)\n\n - ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. 
NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack see also the exports(5) no_subtree_check default behavior.(CVE-2021-3178)\n\n - A flaw was found in the Linux kernels eBPF implementation. By default, accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions can abuse a flaw in eBPF to corrupt memory. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-29154)\n\n - A flaw memory leak in the Linux kernel webcam device functionality was found in the way user calls ioctl that triggers video_usercopy function. The highest threat from this vulnerability is to system availability.(CVE-2021-30002)\n\n - A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3483)\n\n - A flaw in the Linux kernels implementation of the RPA PCI Hotplug driver for power-pc. A user with permissions to write to the sysfs settings for this driver can trigger a buffer overflow when writing a new device name to the driver from userspace, overwriting data in the kernel's stack.(CVE-2021-28972)\n\n - A race condition flaw was found in get_old_root in fs/btrfs/ctree.c in the Linux kernel in btrfs file-system. This flaw allows a local attacker with a special user privilege to cause a denial of service due to not locking an extent buffer before a cloning operation. The highest threat from this vulnerability is to system availability.(CVE-2021-28964)\n\n - A flaw was found in the Linux kernel. 
The usbip driver allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status. The highest threat from this vulnerability is to system availability.(CVE-2021-29265)\n\n - An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-35519)\n\n - There is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with a root privilege, can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.(CVE-2021-20292)\n\n - A flaw was found in the JFS filesystem code. This flaw allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-27815)\n\n - A flaw was found in the Linux kernel. A denial of service problem is identified if an extent tree is corrupted in a crafted ext4 filesystem in fs/ext4/extents.c in ext4_es_cache_extent. Fabricating an integer overflow, A local attacker with a special user privilege may cause a system crash problem which can lead to an availability threat.(CVE-2021-3428)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-07-01T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.6.6 : kernel (EulerOS-SA-2021-2040)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-14615", "CVE-2019-16230", "CVE-2019-19377", "CVE-2019-19813", "CVE-2019-20810", "CVE-2020-0431", "CVE-2020-0465", "CVE-2020-0466", "CVE-2020-10757", "CVE-2020-10773", "CVE-2020-10781", "CVE-2020-11494", "CVE-2020-12114", "CVE-2020-12351", "CVE-2020-12656", "CVE-2020-14305", "CVE-2020-15436", "CVE-2020-15437", "CVE-2020-25656", "CVE-2020-25669", "CVE-2020-25704", "CVE-2020-27777", "CVE-2020-27786", "CVE-2020-27815", "CVE-2020-28915", "CVE-2020-28974", "CVE-2020-29370", "CVE-2020-29371", "CVE-2020-35519", "CVE-2020-36158", "CVE-2020-7053", "CVE-2020-8648", "CVE-2021-20292", "CVE-2021-27363", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-28964", "CVE-2021-28972", "CVE-2021-29154", "CVE-2021-29265", "CVE-2021-30002", "CVE-2021-3178", "CVE-2021-3428", "CVE-2021-3483"], "modified": "2022-05-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:uvp:3.0.6.6"], "id": "EULEROS_SA-2021-2040.NASL", "href": "https://www.tenable.com/plugins/nessus/151229", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151229);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n 
\"CVE-2019-14615\",\n \"CVE-2019-16230\",\n \"CVE-2019-19377\",\n \"CVE-2019-19813\",\n \"CVE-2019-20810\",\n \"CVE-2020-0431\",\n \"CVE-2020-0465\",\n \"CVE-2020-0466\",\n \"CVE-2020-7053\",\n \"CVE-2020-8648\",\n \"CVE-2020-10757\",\n \"CVE-2020-10773\",\n \"CVE-2020-10781\",\n \"CVE-2020-11494\",\n \"CVE-2020-12114\",\n \"CVE-2020-12351\",\n \"CVE-2020-12656\",\n \"CVE-2020-14305\",\n \"CVE-2020-15436\",\n \"CVE-2020-15437\",\n \"CVE-2020-25656\",\n \"CVE-2020-25669\",\n \"CVE-2020-25704\",\n \"CVE-2020-27777\",\n \"CVE-2020-27786\",\n \"CVE-2020-27815\",\n \"CVE-2020-28915\",\n \"CVE-2020-28974\",\n \"CVE-2020-29370\",\n \"CVE-2020-29371\",\n \"CVE-2020-35519\",\n \"CVE-2020-36158\",\n \"CVE-2021-3178\",\n \"CVE-2021-3428\",\n \"CVE-2021-3483\",\n \"CVE-2021-20292\",\n \"CVE-2021-27363\",\n \"CVE-2021-27364\",\n \"CVE-2021-27365\",\n \"CVE-2021-28964\",\n \"CVE-2021-28972\",\n \"CVE-2021-29154\",\n \"CVE-2021-29265\",\n \"CVE-2021-30002\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.6.6 : kernel (EulerOS-SA-2021-2040)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - Use-after-free vulnerability in fs/block_dev.c in the\n Linux kernel before 5.8 allows local users to gain\n privileges or cause a denial of service by leveraging\n improper access to a certain error\n field.(CVE-2020-15436)\n\n - An out-of-bounds memory write flaw was found in how the\n Linux kernel's Voice Over IP H.323 connection tracking\n functionality handled connections on ipv6 port 1720.\n This flaw allows an unauthenticated remote user to\n crash the system, causing a denial of service. 
The\n highest threat from this vulnerability is to\n confidentiality, integrity, as well as system\n availability.(CVE-2020-14305)\n\n - Improper input validation in BlueZ may allow an\n unauthenticated user to potentially enable escalation\n of privilege via adjacent access.(CVE-2020-12351)\n\n - In the Linux kernel 4.14 longterm through 4.14.165 and\n 4.19 longterm through 4.19.96 (and 5.x before 5.2),\n there is a use-after-free (write) in the\n i915_ppgtt_close function in\n drivers/gpu/drm/i915/i915_gem_gtt.c, aka\n CID-7dc40713618c. This is related to\n i915_gem_context_destroy_ioctl in\n drivers/gpu/drm/i915/i915_gem_context.c.(CVE-2020-7053)\n\n - In kbd_keycode of keyboard.c, there is a possible out\n of bounds write due to a missing bounds check. This\n could lead to local escalation of privilege with no\n additional execution privileges needed. User\n interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-144161459(CVE-2020-0431)\n\n - In various methods of hid-multitouch.c, there is a\n possible out of bounds write due to a missing bounds\n check. This could lead to local escalation of privilege\n with no additional execution privileges needed. User\n interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-162844689References: Upstream kernel(CVE-2020-0465)\n\n - mwifiex_cmd_802_11_ad_hoc_start in\n drivers/net/wireless/marvell/mwifiex/join.c in the\n Linux kernel through 5.10.4 might allow remote\n attackers to execute arbitrary code via a long SSID\n value, aka CID-5c455c5ab332.(CVE-2020-36158)\n\n - A flaw was found in the way RTAS handled memory\n accesses in userspace to kernel communication. 
On a\n locked down (usually due to Secure Boot) guest system\n running on top of PowerVM or KVM hypervisors (pseries\n platform) a root like local user could use this flaw to\n further increase their privileges to that of a running\n kernel.(CVE-2020-27777)\n\n - An issue was discovered in romfs_dev_read in\n fs/romfs/storage.c in the Linux kernel before 5.8.4.\n Uninitialized memory leaks to userspace, aka\n CID-bcf85fcedfdd.(CVE-2020-29371)\n\n - An issue was discovered in kmem_cache_alloc_bulk in\n mm/slub.c in the Linux kernel before 5.5.11. The\n slowpath lacks the required TID increment, aka\n CID-fd4d9c7d0c71.(CVE-2020-29370)\n\n - There is a use-after-free vulnerability in the Linux\n kernel through 5.5.2 in the n_tty_receive_buf_common\n function in drivers/tty/n_tty.c.(CVE-2020-8648)\n\n - A buffer over-read (at the framebuffer layer) in the\n fbcon code in the Linux kernel before 5.8.15 could be\n used by local attackers to read kernel memory, aka\n CID-6735b4632def.(CVE-2020-28915)\n\n - In the Linux kernel 5.0.21, mounting a crafted btrfs\n filesystem image, performing some operations, and then\n making a syncfs system call can lead to a\n use-after-free in __mutex_lock in\n kernel/locking/mutex.c. This is related to\n mutex_can_spin_on_owner in kernel/locking/mutex.c,\n __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and\n btrfs_insert_delayed_items in\n fs/btrfs/delayed-inode.c.(CVE-2019-19813)\n\n - gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c\n in the rpcsec_gss_krb5 implementation in the Linux\n kernel through 5.6.10 lacks certain domain_release\n calls, leading to a memory leak.(CVE-2020-12656)\n\n - A flaw was found in the Linux kernels implementation of\n MIDI, where an attacker with a local account and the\n permissions to issue an ioctl commands to midi devices,\n could trigger a use-after-free. 
A write to this\n specific memory while freed and before use could cause\n the flow of execution to change and possibly allow for\n memory corruption or privilege\n escalation.(CVE-2020-27786)\n\n - A flaw memory leak in the Linux kernel performance\n monitoring subsystem was found in the way if using\n PERF_EVENT_IOC_SET_FILTER. A local user could use this\n flaw to starve the resources causing denial of\n service.(CVE-2020-25704)\n\n - A flaw was found in the Linux Kernel before 5.8-rc6 in\n the ZRAM kernel module, where a user with a local\n account and the ability to read the\n /sys/class/zram-control/hot_add file can create ZRAM\n device nodes in the /dev/ directory. This read\n allocates kernel memory and is not accounted for a user\n that triggers the creation of that ZRAM device. With\n this vulnerability, continually reading the device may\n consume a large amount of system memory and cause the\n Out-of-Memory (OOM) killer to activate and terminate\n random userspace processes, possibly making the system\n inoperable.(CVE-2020-10781)\n\n - go7007_snd_init in\n drivers/media/usb/go7007/snd-go7007.c in the Linux\n kernel before 5.6 does not call snd_card_free for a\n failure path, which causes a memory leak, aka\n CID-9453264ef586.(CVE-2019-20810)\n\n - An issue was discovered in the Linux kernel through\n 5.11.3. Certain iSCSI data structures do not have\n appropriate length constraints or checks, and can\n exceed the PAGE_SIZE value. An unprivileged user can\n send a Netlink message that is associated with iSCSI,\n and has a length up to the maximum length of a Netlink\n message.(CVE-2021-27365)\n\n - An issue was discovered in the Linux kernel through\n 5.11.3. drivers/scsi/scsi_transport_iscsi.c is\n adversely affected by the ability of an unprivileged\n user to craft Netlink messages.(CVE-2021-27364)\n\n - An issue was discovered in the Linux kernel through\n 5.11.3. 
A kernel pointer leak can be used to determine\n the address of the iscsi_transport structure. When an\n iSCSI transport is registered with the iSCSI subsystem,\n the transport's handle is available to unprivileged\n users via the sysfs file system, at\n /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When\n read, the show_transport_handle function (in\n drivers/scsi/scsi_transport_iscsi.c) is called, which\n leaks the handle. This handle is actually the pointer\n to an iscsi_transport struct in the kernel module's\n global variables.(CVE-2021-27363)\n\n - A vulnerability was found in the Linux Kernel where the\n function sunkbd_reinit having been scheduled by\n sunkbd_interrupt before sunkbd being freed. Though the\n dangling pointer is set to NULL in sunkbd_disconnect,\n there is still an alias in sunkbd_reinit causing Use\n After Free.(CVE-2020-25669)\n\n - A flaw was found in the Linux kernel. A use-after-free\n was found in the way the console subsystem was using\n ioctls KDGKBSENT and KDSKBSENT. A local user could use\n this flaw to get read memory access out of bounds. The\n highest threat from this vulnerability is to data\n confidentiality.(CVE-2020-25656)\n\n - The Linux kernel before version 5.8 is vulnerable to a\n NULL pointer dereference in\n drivers/tty/serial/8250/8250_core.c:serial8250_isa_init\n _ports() that allows local users to cause a denial of\n service by using the p->serial_in pointer which\n uninitialized.(CVE-2020-15437)\n\n - An issue was discovered in slc_bump in\n drivers/net/can/slcan.c in the Linux kernel through\n 5.6.2. It allows attackers to read uninitialized\n can_frame data, potentially containing sensitive\n information from kernel stack memory, if the\n configuration lacks CONFIG_INIT_STACK_ALL, aka\n CID-b9258a2cece4.(CVE-2020-11494)\n\n - A stack information leak flaw was found in s390/s390x\n in the Linux kernel's memory manager functionality,\n where it incorrectly writes to the\n /proc/sys/vm/cmm_timeout file. 
This flaw allows a local\n user to see the kernel data.(CVE-2020-10773)\n\n - ** DISPUTED ** drivers/gpu/drm/radeon/radeon_display.c\n in the Linux kernel 5.2.14 does not check the\n alloc_workqueue return value, leading to a NULL pointer\n dereference. NOTE: A third-party software maintainer\n states that the work queue allocation is happening\n during device initialization, which for a graphics card\n occurs during boot. It is not attacker controllable and\n OOM at that time is highly unlikely.(CVE-2019-16230)\n\n - A flaw was found in the Linux Kernel in versions after\n 4.5-rc1 in the way mremap handled DAX Huge Pages. This\n flaw allows a local attacker with access to a DAX\n enabled storage to escalate their privileges on the\n system.(CVE-2020-10757)\n\n - A pivot_root race condition in fs/namespace.c in the\n Linux kernel 4.4.x before 4.4.221, 4.9.x before\n 4.9.221, 4.14.x before 4.14.178, 4.19.x before\n 4.19.119, and 5.x before 5.3 allows local users to\n cause a denial of service (panic) by corrupting a\n mountpoint reference counter.(CVE-2020-12114)\n\n - A slab-out-of-bounds read in fbcon in the Linux kernel\n before 5.9.7 could be used by local attackers to read\n privileged information or potentially crash the kernel,\n aka CID-3c4e0dff2095. This occurs because\n KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for\n manipulations such as font height.(CVE-2020-28974)\n\n - Insufficient control flow in certain data structures\n for some Intel(R) Processors with Intel(R) Processor\n Graphics may allow an unauthenticated user to\n potentially enable information disclosure via local\n access.(CVE-2019-14615)\n\n - In the Linux kernel 5.0.21, mounting a crafted btrfs\n filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in\n btrfs_queue_work in\n fs/btrfs/async-thread.c.(CVE-2019-19377)\n\n - In do_epoll_ctl and ep_loop_check_proc of eventpoll.c,\n there is a possible use after free due to a logic\n error. 
This could lead to local escalation of privilege\n with no additional execution privileges needed. User\n interaction is not needed for exploitation.Product:\n AndroidVersions: Android kernelAndroid ID:\n A-147802478References: Upstream kernel(CVE-2020-0466)\n\n - ** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel\n through 5.10.8, when there is an NFS export of a\n subdirectory of a filesystem, allows remote attackers\n to traverse to other parts of the filesystem via\n READDIRPLUS. NOTE: some parties argue that such a\n subdirectory export is not intended to prevent this\n attack see also the exports(5) no_subtree_check default\n behavior.(CVE-2021-3178)\n\n - A flaw was found in the Linux kernels eBPF\n implementation. By default, accessing the eBPF verifier\n is only accessible to privileged users with\n CAP_SYS_ADMIN. A local user with the ability to insert\n eBPF instructions can abuse a flaw in eBPF to corrupt\n memory. The highest threat from this vulnerability is\n to confidentiality, integrity, as well as system\n availability.(CVE-2021-29154)\n\n - A flaw memory leak in the Linux kernel webcam device\n functionality was found in the way user calls ioctl\n that triggers video_usercopy function. The highest\n threat from this vulnerability is to system\n availability.(CVE-2021-30002)\n\n - A flaw was found in the Nosy driver in the Linux\n kernel. This issue allows a device to be inserted twice\n into a doubly-linked list, leading to a use-after-free\n when one of these devices is removed. The highest\n threat from this vulnerability is to confidentiality,\n integrity, as well as system\n availability.(CVE-2021-3483)\n\n - A flaw in the Linux kernels implementation of the RPA\n PCI Hotplug driver for power-pc. 
A user with\n permissions to write to the sysfs settings for this\n driver can trigger a buffer overflow when writing a new\n device name to the driver from userspace, overwriting\n data in the kernel's stack.(CVE-2021-28972)\n\n - A race condition flaw was found in get_old_root in\n fs/btrfs/ctree.c in the Linux kernel in btrfs\n file-system. This flaw allows a local attacker with a\n special user privilege to cause a denial of service due\n to not locking an extent buffer before a cloning\n operation. The highest threat from this vulnerability\n is to system availability.(CVE-2021-28964)\n\n - A flaw was found in the Linux kernel. The usbip driver\n allows attackers to cause a denial of service (GPF)\n because the stub-up sequence has race conditions during\n an update of the local and shared status. The highest\n threat from this vulnerability is to system\n availability.(CVE-2021-29265)\n\n - An out-of-bounds (OOB) memory access flaw was found in\n x25_bind in net/x25/af_x25.c in the Linux kernel. A\n bounds check failure allows a local attacker with a\n user account on the system to gain access to\n out-of-bounds memory, leading to a system crash or a\n leak of internal kernel information. The highest threat\n from this vulnerability is to confidentiality,\n integrity, as well as system\n availability.(CVE-2020-35519)\n\n - There is a flaw reported in\n drivers/gpu/drm/nouveau/nouveau_sgdma.c in\n nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The\n issue results from the lack of validating the existence\n of an object prior to performing operations on the\n object. An attacker with a local account with a root\n privilege, can leverage this vulnerability to escalate\n privileges and execute code in the context of the\n kernel.(CVE-2021-20292)\n\n - A flaw was found in the JFS filesystem code. This flaw\n allows a local attacker with the ability to set\n extended attributes to panic the system, causing memory\n corruption or escalating privileges. 
The highest threat\n from this vulnerability is to confidentiality,\n integrity, as well as system\n availability.(CVE-2020-27815)\n\n - A flaw was found in the Linux kernel. A denial of\n service problem is identified if an extent tree is\n corrupted in a crafted ext4 filesystem in\n fs/ext4/extents.c in ext4_es_cache_extent. Fabricating\n an integer overflow, A local attacker with a special\n user privilege may cause a system crash problem which\n can lead to an availability threat.(CVE-2021-3428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2040\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?efda5723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14305\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-12351\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-862.14.1.6_137\",\n \"kernel-devel-3.10.0-862.14.1.6_137\",\n \"kernel-headers-3.10.0-862.14.1.6_137\",\n \"kernel-tools-3.10.0-862.14.1.6_137\",\n \"kernel-tools-libs-3.10.0-862.14.1.6_137\",\n \"kernel-tools-libs-devel-3.10.0-862.14.1.6_137\",\n \"perf-3.10.0-862.14.1.6_137\",\n \"python-perf-3.10.0-862.14.1.6_137\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-04-22T15:01:25", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that 
are affected by multiple vulnerabilities as referenced in the RHSA-2020:4062 advisory.\n\n - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)\n\n - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)\n\n - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)\n\n - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)\n\n - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)\n\n - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)\n\n - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)\n\n - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)\n\n - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)\n\n - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)\n\n - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)\n\n - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c (CVE-2019-19046)\n\n - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS (CVE-2019-19055)\n\n - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c allows for a DoS (CVE-2019-19058)\n\n - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)\n\n - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS (CVE-2019-19062)\n\n - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c 
allow for a DoS (CVE-2019-19063)\n\n - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)\n\n - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (CVE-2019-19523)\n\n - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (CVE-2019-19530)\n\n - kernel: information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)\n\n - kernel: race condition caused by a malicious USB device in the USB character device driver layer (CVE-2019-19537)\n\n - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c (CVE-2019-19767)\n\n - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)\n\n - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)\n\n - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)\n\n - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n - kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)\n\n - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open (CVE-2020-10690)\n\n - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)\n\n - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic (CVE-2020-10742)\n\n - kernel: SELinux netlink 
permission check bypass (CVE-2020-10751)\n\n - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)\n\n - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)\n\n - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)\n\n - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)\n\n - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)\n\n - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)\n\n - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)\n\n - kernel: out-of-bounds read in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)\n\n - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c (CVE-2020-8649)\n\n - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-29T00:00:00", "type": "nessus", "title": "RHEL 7 : kernel-rt (RHSA-2020:4062)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18551", "CVE-2018-20836", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16994", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20636", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", 
"CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-14305", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2021-10-12T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:kernel-rt", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm"], "id": "REDHAT-RHSA-2020-4062.NASL", "href": "https://www.tenable.com/plugins/nessus/141026", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:4062. 
The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141026);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/12\");\n\n script_cve_id(\n \"CVE-2017-18551\",\n \"CVE-2018-20836\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16994\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20636\",\n \"CVE-2020-1749\",\n \"CVE-2020-2732\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-14305\"\n );\n script_bugtraq_id(108196);\n script_xref(name:\"RHSA\", value:\"2020:4062\");\n\n script_name(english:\"RHEL 7 : kernel-rt (RHSA-2020:4062)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:4062 advisory.\n\n - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c\n (CVE-2017-18551)\n\n - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c\n leads to use-after-free 
(CVE-2018-20836)\n\n - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)\n\n - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)\n\n - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)\n\n - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)\n\n - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)\n\n - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)\n\n - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)\n\n - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)\n\n - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)\n\n - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n (CVE-2019-19046)\n\n - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS\n (CVE-2019-19055)\n\n - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c\n allows for a DoS (CVE-2019-19058)\n\n - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)\n\n - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS\n (CVE-2019-19062)\n\n - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c\n allow for a DoS (CVE-2019-19063)\n\n - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)\n\n - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a\n use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)\n\n - kernel: use-after-free 
caused by a malicious USB device in the drivers/usb/misc/adutux.c driver\n (CVE-2019-19523)\n\n - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver\n (CVE-2019-19530)\n\n - kernel: information leak bug caused by a malicious USB device in the\n drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)\n\n - kernel: race condition caused by a malicious USB device in the USB character device driver layer\n (CVE-2019-19537)\n\n - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c\n and fs/ext4/super.c (CVE-2019-19767)\n\n - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)\n\n - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)\n\n - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)\n\n - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n - kernel: use after free due to race condition in the video driver leads to local privilege escalation\n (CVE-2019-9458)\n\n - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open\n (CVE-2020-10690)\n\n - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)\n\n - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic\n (CVE-2020-10742)\n\n - kernel: SELinux netlink permission check bypass (CVE-2020-10751)\n\n - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)\n\n - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)\n\n - kernel: sg_write function lacks an sg_remove_request call in 
a certain failure case (CVE-2020-12770)\n\n - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)\n\n - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)\n\n - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)\n\n - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)\n\n - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)\n\n - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c\n (CVE-2020-8649)\n\n - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/94.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/125.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/200.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/250.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/319.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/349.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/362.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://cwe.mitre.org/data/definitions/401.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/416.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/772.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2017-18551\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2018-20836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-9454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-9458\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-15217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-15807\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-15917\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16231\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16994\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17053\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17055\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-18808\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19046\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19055\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19058\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19059\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19063\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19332\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19447\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19523\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19524\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19530\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19534\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19537\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19767\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19807\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-20054\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-20095\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2019-20636\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-1749\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8647\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8649\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-9383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10690\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10742\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10751\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11565\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12770\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12826\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14305\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:4062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1707796\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1745528\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.redhat.com/1747216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1757368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758242\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758248\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1759681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1760100\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1760310\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1760420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1774988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775015\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775042\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775047\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775074\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1777418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1779594\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1781679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783459\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783540\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.redhat.com/1783561\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1786078\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1786160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1790063\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1802555\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1802563\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1805135\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1809833\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1810685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1817141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1817718\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1818818\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1819377\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1822077\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1824059\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1824918\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1831399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1834845\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1835127\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1839634\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.redhat.com/1850716\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-20836\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 94, 119, 121, 125, 200, 250, 319, 349, 362, 400, 401, 416, 476, 772, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'enterprise_linux_7_client': [\n 'rhel-7-desktop-debug-rpms',\n 'rhel-7-desktop-fastrack-debug-rpms',\n 'rhel-7-desktop-fastrack-rpms',\n 'rhel-7-desktop-fastrack-source-rpms',\n 
'rhel-7-desktop-optional-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-rpms',\n 'rhel-7-desktop-optional-fastrack-source-rpms',\n 'rhel-7-desktop-optional-rpms',\n 'rhel-7-desktop-optional-source-rpms',\n 'rhel-7-desktop-rpms',\n 'rhel-7-desktop-source-rpms'\n ],\n 'enterprise_linux_7_computenode': [\n 'rhel-7-for-hpc-node-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-fastrack-rpms',\n 'rhel-7-for-hpc-node-fastrack-source-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-source-rpms',\n 'rhel-7-hpc-node-debug-rpms',\n 'rhel-7-hpc-node-optional-debug-rpms',\n 'rhel-7-hpc-node-optional-rpms',\n 'rhel-7-hpc-node-optional-source-rpms',\n 'rhel-7-hpc-node-rpms',\n 'rhel-7-hpc-node-source-rpms'\n ],\n 'enterprise_linux_7_server': [\n 'rhel-7-server-debug-rpms',\n 'rhel-7-server-fastrack-debug-rpms',\n 'rhel-7-server-fastrack-rpms',\n 'rhel-7-server-fastrack-source-rpms',\n 'rhel-7-server-optional-debug-rpms',\n 'rhel-7-server-optional-fastrack-debug-rpms',\n 'rhel-7-server-optional-fastrack-rpms',\n 'rhel-7-server-optional-fastrack-source-rpms',\n 'rhel-7-server-optional-rpms',\n 'rhel-7-server-optional-source-rpms',\n 'rhel-7-server-rpms',\n 'rhel-7-server-source-rpms',\n 'rhel-ha-for-rhel-7-server-debug-rpms',\n 'rhel-ha-for-rhel-7-server-rpms',\n 'rhel-ha-for-rhel-7-server-source-rpms',\n 'rhel-rs-for-rhel-7-server-debug-rpms',\n 'rhel-rs-for-rhel-7-server-rpms',\n 'rhel-rs-for-rhel-7-server-source-rpms'\n ],\n 'enterprise_linux_7_workstation': [\n 'rhel-7-workstation-debug-rpms',\n 'rhel-7-workstation-fastrack-debug-rpms',\n 'rhel-7-workstation-fastrack-rpms',\n 'rhel-7-workstation-fastrack-source-rpms',\n 'rhel-7-workstation-optional-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-rpms',\n 'rhel-7-workstation-optional-fastrack-source-rpms',\n 
'rhel-7-workstation-optional-rpms',\n 'rhel-7-workstation-optional-source-rpms',\n 'rhel-7-workstation-rpms',\n 'rhel-7-workstation-source-rpms'\n ],\n 'rhel_extras_7': [\n 'rhel-7-desktop-supplementary-rpms',\n 'rhel-7-desktop-supplementary-source-rpms',\n 'rhel-7-for-hpc-node-supplementary-rpms',\n 'rhel-7-for-hpc-node-supplementary-source-rpms',\n 'rhel-7-hpc-node-eus-supplementary-rpms',\n 'rhel-7-server-eus-supplementary-rpms',\n 'rhel-7-server-supplementary-rpms',\n 'rhel-7-server-supplementary-source-rpms',\n 'rhel-7-workstation-supplementary-rpms',\n 'rhel-7-workstation-supplementary-source-rpms'\n ],\n 'rhel_extras_oracle_java_7': [\n 'rhel-7-desktop-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-for-hpc-node-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-hpc-node-eus-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-server-eus-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-server-eus-restricted-maintenance-oracle-java-source-rpms',\n 'rhel-7-server-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-workstation-restricted-maintenance-oracle-java-rpms'\n ],\n 'rhel_extras_rt_7': [\n 'rhel-7-server-nfv-debug-rpms',\n 'rhel-7-server-nfv-rpms',\n 'rhel-7-server-nfv-source-rpms',\n 'rhel-7-server-rt-debug-rpms',\n 'rhel-7-server-rt-rpms',\n 'rhel-7-server-rt-source-rpms'\n ],\n 'rhel_extras_sap_7': [\n 'rhel-sap-for-rhel-7-server-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-server-eus-rpms',\n 'rhel-sap-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-for-rhel-7-server-rpms',\n 'rhel-sap-for-rhel-7-server-source-rpms'\n ],\n 'rhel_extras_sap_hana_7': [\n 'rhel-sap-hana-for-rhel-7-server-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms',\n 
'rhel-sap-hana-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-rpms',\n 'rhel-sap-hana-for-rhel-7-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2017-18551', 'CVE-2018-20836', 'CVE-2019-9454', 'CVE-2019-9458', 'CVE-2019-15217', 'CVE-2019-15807', 'CVE-2019-15917', 'CVE-2019-16231', 'CVE-2019-16233', 'CVE-2019-16994', 'CVE-2019-17053', 'CVE-2019-17055', 'CVE-2019-18808', 'CVE-2019-19046', 'CVE-2019-19055', 'CVE-2019-19058', 'CVE-2019-19059', 'CVE-2019-19062', 'CVE-2019-19063', 'CVE-2019-19332', 'CVE-2019-19447', 'CVE-2019-19523', 'CVE-2019-19524', 'CVE-2019-19530', 'CVE-2019-19534', 'CVE-2019-19537', 'CVE-2019-19767', 'CVE-2019-19807', 'CVE-2019-20054', 'CVE-2019-20095', 'CVE-2019-20636', 'CVE-2020-1749', 'CVE-2020-2732', 'CVE-2020-8647', 'CVE-2020-8649', 'CVE-2020-9383', 'CVE-2020-10690', 'CVE-2020-10732', 'CVE-2020-10742', 'CVE-2020-10751', 'CVE-2020-10942', 'CVE-2020-11565', 'CVE-2020-12770', 'CVE-2020-12826', 'CVE-2020-14305');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2020:4062');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'reference':'kernel-rt-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-debug-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 
'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-debug-devel-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-debug-kvm-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-devel-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-doc-3.10.0-1160.rt56.1131.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-kvm-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 
'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-trace-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-trace-devel-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-rt-trace-kvm-3.10.0-1160.rt56.1131.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if 
(!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-rt / kernel-rt-debug / kernel-rt-debug-devel / etc');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-22T15:01:21", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4060 advisory.\n\n - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)\n\n - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)\n\n - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c causing denial of service (CVE-2019-12614)\n\n - 
kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)\n\n - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)\n\n - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)\n\n - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)\n\n - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)\n\n - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)\n\n - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)\n\n - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)\n\n - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)\n\n - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c (CVE-2019-19046)\n\n - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS (CVE-2019-19055)\n\n - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c allows for a DoS (CVE-2019-19058)\n\n - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)\n\n - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS (CVE-2019-19062)\n\n - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c allow for a DoS (CVE-2019-19063)\n\n - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)\n\n - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)\n\n - kernel: use-after-free caused by a malicious USB device in the 
drivers/usb/misc/adutux.c driver (CVE-2019-19523)\n\n - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (CVE-2019-19530)\n\n - kernel: information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)\n\n - kernel: race condition caused by a malicious USB device in the USB character device driver layer (CVE-2019-19537)\n\n - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c (CVE-2019-19767)\n\n - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)\n\n - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)\n\n - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)\n\n - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n - kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)\n\n - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open (CVE-2020-10690)\n\n - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)\n\n - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic (CVE-2020-10742)\n\n - kernel: SELinux netlink permission check bypass (CVE-2020-10751)\n\n - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)\n\n - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)\n\n - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)\n\n - kernel: 
possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)\n\n - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)\n\n - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)\n\n - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)\n\n - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)\n\n - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c (CVE-2020-8649)\n\n - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-30T00:00:00", "type": "nessus", "title": "RHEL 7 : kernel (RHSA-2020:4060)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18551", "CVE-2018-20836", "CVE-2019-12614", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16994", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20636", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-14305", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2021-10-12T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:bpftool", 
"p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-bootwrapper", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:python-perf"], "id": "REDHAT-RHSA-2020-4060.NASL", "href": "https://www.tenable.com/plugins/nessus/141057", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:4060. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141057);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/12\");\n\n script_cve_id(\n \"CVE-2017-18551\",\n \"CVE-2018-20836\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-12614\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16994\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20636\",\n \"CVE-2020-1749\",\n \"CVE-2020-2732\",\n 
\"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-14305\"\n );\n script_bugtraq_id(108196, 108550);\n script_xref(name:\"RHSA\", value:\"2020:4060\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2020:4060)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:4060 advisory.\n\n - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c\n (CVE-2017-18551)\n\n - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c\n leads to use-after-free (CVE-2018-20836)\n\n - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c\n causing denial of service (CVE-2019-12614)\n\n - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)\n\n - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)\n\n - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)\n\n - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)\n\n - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)\n\n - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)\n\n - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)\n\n - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)\n\n - kernel: memory leak in ccp_run_sha_cmd() function in 
drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)\n\n - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n (CVE-2019-19046)\n\n - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS\n (CVE-2019-19055)\n\n - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c\n allows for a DoS (CVE-2019-19058)\n\n - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)\n\n - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS\n (CVE-2019-19062)\n\n - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c\n allow for a DoS (CVE-2019-19063)\n\n - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)\n\n - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a\n use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver\n (CVE-2019-19523)\n\n - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver\n (CVE-2019-19530)\n\n - kernel: information leak bug caused by a malicious USB device in the\n drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)\n\n - kernel: race condition caused by a malicious USB device in the USB character device driver layer\n (CVE-2019-19537)\n\n - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c\n and fs/ext4/super.c (CVE-2019-19767)\n\n - kernel: use-after-free in sound/core/timer.c 
(CVE-2019-19807)\n\n - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)\n\n - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)\n\n - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)\n\n - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n - kernel: use after free due to race condition in the video driver leads to local privilege escalation\n (CVE-2019-9458)\n\n - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open\n (CVE-2020-10690)\n\n - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)\n\n - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic\n (CVE-2020-10742)\n\n - kernel: SELinux netlink permission check bypass (CVE-2020-10751)\n\n - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)\n\n - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)\n\n - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)\n\n - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)\n\n - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)\n\n - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)\n\n - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)\n\n - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)\n\n - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c\n (CVE-2020-8649)\n\n - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)\n\nNote that Nessus has not tested for this issue but 
has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/94.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/125.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/200.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/250.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/319.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/349.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/362.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/401.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/416.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/772.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2017-18551\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2018-20836\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2019-9454\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-9458\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-12614\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-15217\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-15807\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-15917\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16231\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16994\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17053\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17055\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-18808\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19046\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19055\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19058\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19059\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19062\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19063\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19332\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19447\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19523\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19524\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19530\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19534\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19537\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19767\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-19807\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-20054\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-20095\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-20636\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-1749\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-2732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8647\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8649\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-9383\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://access.redhat.com/security/cve/CVE-2020-10690\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10742\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10751\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-10942\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11565\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12770\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12826\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14305\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:4060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1707796\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1718176\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1745528\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1747216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1757368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758242\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1758248\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1759681\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1760100\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.redhat.com/1760310\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1760420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1774988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775015\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775021\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775042\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775047\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775074\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1777418\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1779594\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1781679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783459\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783518\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783540\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1783561\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1786078\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1786160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1790063\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1802555\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.redhat.com/1802563\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1805135\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1809833\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1810685\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1817141\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1817718\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1818818\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1819377\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1822077\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1824059\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1824918\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1831399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1834845\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1835127\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1839634\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1850716\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-20836\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known 
exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 94, 119, 121, 125, 200, 250, 319, 349, 362, 400, 401, 416, 476, 772, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-bootwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nvar os_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar repositories = {\n 'enterprise_linux_7_client': [\n 'rhel-7-desktop-debug-rpms',\n 'rhel-7-desktop-fastrack-debug-rpms',\n 'rhel-7-desktop-fastrack-rpms',\n 'rhel-7-desktop-fastrack-source-rpms',\n 'rhel-7-desktop-optional-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-debug-rpms',\n 'rhel-7-desktop-optional-fastrack-rpms',\n 
'rhel-7-desktop-optional-fastrack-source-rpms',\n 'rhel-7-desktop-optional-rpms',\n 'rhel-7-desktop-optional-source-rpms',\n 'rhel-7-desktop-rpms',\n 'rhel-7-desktop-source-rpms'\n ],\n 'enterprise_linux_7_computenode': [\n 'rhel-7-for-hpc-node-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-fastrack-rpms',\n 'rhel-7-for-hpc-node-fastrack-source-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-debug-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-rpms',\n 'rhel-7-for-hpc-node-optional-fastrack-source-rpms',\n 'rhel-7-hpc-node-debug-rpms',\n 'rhel-7-hpc-node-optional-debug-rpms',\n 'rhel-7-hpc-node-optional-rpms',\n 'rhel-7-hpc-node-optional-source-rpms',\n 'rhel-7-hpc-node-rpms',\n 'rhel-7-hpc-node-source-rpms'\n ],\n 'enterprise_linux_7_server': [\n 'rhel-7-for-system-z-a-debug-rpms',\n 'rhel-7-for-system-z-a-optional-debug-rpms',\n 'rhel-7-for-system-z-a-optional-rpms',\n 'rhel-7-for-system-z-a-optional-source-rpms',\n 'rhel-7-for-system-z-a-rpms',\n 'rhel-7-for-system-z-a-source-rpms',\n 'rhel-7-for-system-z-debug-rpms',\n 'rhel-7-for-system-z-fastrack-debug-rpms',\n 'rhel-7-for-system-z-fastrack-rpms',\n 'rhel-7-for-system-z-fastrack-source-rpms',\n 'rhel-7-for-system-z-optional-debug-rpms',\n 'rhel-7-for-system-z-optional-fastrack-debug-rpms',\n 'rhel-7-for-system-z-optional-fastrack-rpms',\n 'rhel-7-for-system-z-optional-fastrack-source-rpms',\n 'rhel-7-for-system-z-optional-rpms',\n 'rhel-7-for-system-z-optional-source-rpms',\n 'rhel-7-for-system-z-rpms',\n 'rhel-7-for-system-z-source-rpms',\n 'rhel-7-server-debug-rpms',\n 'rhel-7-server-fastrack-debug-rpms',\n 'rhel-7-server-fastrack-rpms',\n 'rhel-7-server-fastrack-source-rpms',\n 'rhel-7-server-optional-debug-rpms',\n 'rhel-7-server-optional-fastrack-debug-rpms',\n 'rhel-7-server-optional-fastrack-rpms',\n 'rhel-7-server-optional-fastrack-source-rpms',\n 'rhel-7-server-optional-rpms',\n 'rhel-7-server-optional-source-rpms',\n 'rhel-7-server-rpms',\n 'rhel-7-server-source-rpms',\n 
'rhel-ha-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-rpms',\n 'rhel-ha-for-rhel-7-for-system-z-source-rpms',\n 'rhel-ha-for-rhel-7-server-debug-rpms',\n 'rhel-ha-for-rhel-7-server-rpms',\n 'rhel-ha-for-rhel-7-server-source-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-rpms',\n 'rhel-rs-for-rhel-7-for-system-z-source-rpms',\n 'rhel-rs-for-rhel-7-server-debug-rpms',\n 'rhel-rs-for-rhel-7-server-rpms',\n 'rhel-rs-for-rhel-7-server-source-rpms'\n ],\n 'enterprise_linux_7_workstation': [\n 'rhel-7-workstation-debug-rpms',\n 'rhel-7-workstation-fastrack-debug-rpms',\n 'rhel-7-workstation-fastrack-rpms',\n 'rhel-7-workstation-fastrack-source-rpms',\n 'rhel-7-workstation-optional-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-debug-rpms',\n 'rhel-7-workstation-optional-fastrack-rpms',\n 'rhel-7-workstation-optional-fastrack-source-rpms',\n 'rhel-7-workstation-optional-rpms',\n 'rhel-7-workstation-optional-source-rpms',\n 'rhel-7-workstation-rpms',\n 'rhel-7-workstation-source-rpms'\n ],\n 'rhel_extras_7': [\n 'rhel-7-desktop-supplementary-rpms',\n 'rhel-7-desktop-supplementary-source-rpms',\n 'rhel-7-for-hpc-node-supplementary-rpms',\n 'rhel-7-for-hpc-node-supplementary-source-rpms',\n 'rhel-7-for-system-z-eus-supplementary-rpms',\n 'rhel-7-for-system-z-eus-supplementary-source-rpms',\n 'rhel-7-for-system-z-supplementary-debug-rpms',\n 'rhel-7-for-system-z-supplementary-rpms',\n 'rhel-7-for-system-z-supplementary-source-rpms',\n 'rhel-7-hpc-node-eus-supplementary-rpms',\n 'rhel-7-server-eus-supplementary-rpms',\n 'rhel-7-server-supplementary-rpms',\n 'rhel-7-server-supplementary-source-rpms',\n 'rhel-7-workstation-supplementary-rpms',\n 'rhel-7-workstation-supplementary-source-rpms'\n ],\n 'rhel_extras_oracle_java_7': [\n 'rhel-7-desktop-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-for-hpc-node-restricted-maintenance-oracle-java-rpms',\n 
'rhel-7-hpc-node-eus-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-server-eus-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-server-eus-restricted-maintenance-oracle-java-source-rpms',\n 'rhel-7-server-restricted-maintenance-oracle-java-rpms',\n 'rhel-7-workstation-restricted-maintenance-oracle-java-rpms'\n ],\n 'rhel_extras_rt_7': [\n 'rhel-7-server-nfv-debug-rpms',\n 'rhel-7-server-nfv-rpms',\n 'rhel-7-server-nfv-source-rpms',\n 'rhel-7-server-rt-debug-rpms',\n 'rhel-7-server-rt-rpms',\n 'rhel-7-server-rt-source-rpms'\n ],\n 'rhel_extras_sap_7': [\n 'rhel-sap-for-rhel-7-for-system-z-debug-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-eus-source-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-rpms',\n 'rhel-sap-for-rhel-7-for-system-z-source-rpms',\n 'rhel-sap-for-rhel-7-server-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-for-rhel-7-server-eus-rpms',\n 'rhel-sap-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-for-rhel-7-server-rpms',\n 'rhel-sap-for-rhel-7-server-source-rpms'\n ],\n 'rhel_extras_sap_hana_7': [\n 'rhel-sap-hana-for-rhel-7-server-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-rpms',\n 'rhel-sap-hana-for-rhel-7-server-e4s-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-debug-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-rpms',\n 'rhel-sap-hana-for-rhel-7-server-eus-source-rpms',\n 'rhel-sap-hana-for-rhel-7-server-rpms',\n 'rhel-sap-hana-for-rhel-7-server-source-rpms'\n ]\n};\n\nvar repo_sets = rhel_get_valid_repo_sets(repositories:repositories);\nif(repo_sets == RHEL_REPOS_NO_OVERLAP_MESSAGE) audit(AUDIT_PACKAGE_LIST_MISSING, RHEL_REPO_AUDIT_PACKAGE_LIST_DETAILS);\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n 
rm_kb_item(name:'Host/uptrack-uname-r');\n var cve_list = make_list('CVE-2017-18551', 'CVE-2018-20836', 'CVE-2019-9454', 'CVE-2019-9458', 'CVE-2019-12614', 'CVE-2019-15217', 'CVE-2019-15807', 'CVE-2019-15917', 'CVE-2019-16231', 'CVE-2019-16233', 'CVE-2019-16994', 'CVE-2019-17053', 'CVE-2019-17055', 'CVE-2019-18808', 'CVE-2019-19046', 'CVE-2019-19055', 'CVE-2019-19058', 'CVE-2019-19059', 'CVE-2019-19062', 'CVE-2019-19063', 'CVE-2019-19332', 'CVE-2019-19447', 'CVE-2019-19523', 'CVE-2019-19524', 'CVE-2019-19530', 'CVE-2019-19534', 'CVE-2019-19537', 'CVE-2019-19767', 'CVE-2019-19807', 'CVE-2019-20054', 'CVE-2019-20095', 'CVE-2019-20636', 'CVE-2020-1749', 'CVE-2020-2732', 'CVE-2020-8647', 'CVE-2020-8649', 'CVE-2020-9383', 'CVE-2020-10690', 'CVE-2020-10732', 'CVE-2020-10742', 'CVE-2020-10751', 'CVE-2020-10942', 'CVE-2020-11565', 'CVE-2020-12770', 'CVE-2020-12826', 'CVE-2020-14305');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2020:4060');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nvar pkgs = [\n {'reference':'bpftool-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'bpftool-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 
'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-abi-whitelists-3.10.0-1160.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-debug-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-debug-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-debug-devel-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-debug-devel-3.10.0-1160.el7', 'cpu':'x86_64', 
'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-devel-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-devel-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-headers-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-headers-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-kdump-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 
'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-kdump-devel-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-tools-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-tools-libs-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'kernel-tools-libs-devel-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'perf-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'perf-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 
'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'python-perf-3.10.0-1160.el7', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']},\n {'reference':'python-perf-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_7_client', 'enterprise_linux_7_computenode', 'enterprise_linux_7_server', 'enterprise_linux_7_workstation', 'rhel_extras_7', 'rhel_extras_oracle_java_7', 'rhel_extras_rt_7', 'rhel_extras_sap_7', 'rhel_extras_sap_hana_7']}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n var repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) 
allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference &&\n release &&\n (rhel_decide_repo_check(repo_list:repo_list, repo_sets:repo_sets) || (!exists_check || rpm_exists(release:release, rpm:exists_check))) &&\n rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(repo_sets)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-whitelists / kernel-debug / etc');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-22T15:04:26", "description": "The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4060 advisory.\n\n - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)\n\n - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)\n\n - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c causing denial of service (CVE-2019-12614)\n\n - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)\n\n - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)\n\n - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)\n\n - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c 
(CVE-2019-16231)\n\n - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)\n\n - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)\n\n - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)\n\n - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)\n\n - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)\n\n - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c (CVE-2019-19046)\n\n - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS (CVE-2019-19055)\n\n - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c allows for a DoS (CVE-2019-19058)\n\n - kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)\n\n - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS (CVE-2019-19062)\n\n - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c allow for a DoS (CVE-2019-19063)\n\n - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)\n\n - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (CVE-2019-19523)\n\n - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (CVE-2019-19530)\n\n - kernel: information leak bug caused 
by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)\n\n - kernel: race condition caused by a malicious USB device in the USB character device driver layer (CVE-2019-19537)\n\n - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c (CVE-2019-19767)\n\n - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)\n\n - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)\n\n - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)\n\n - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n - kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)\n\n - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open (CVE-2020-10690)\n\n - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)\n\n - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic (CVE-2020-10742)\n\n - kernel: SELinux netlink permission check bypass (CVE-2020-10751)\n\n - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)\n\n - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)\n\n - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)\n\n - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)\n\n - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)\n\n - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)\n\n - Kernel: kvm: nVMX: L2 guest may trick the L0 
hypervisor to access sensitive L1 resources (CVE-2020-2732)\n\n - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)\n\n - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c (CVE-2020-8649)\n\n - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-10-20T00:00:00", "type": "nessus", "title": "CentOS 7 : kernel (CESA-2020:4060)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-18551", "CVE-2018-20836", "CVE-2019-12614", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16994", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20636", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-14305", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2020-11-30T00:00:00", "cpe": ["p-cpe:/a:centos:centos:bpftool", "p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-tools-libs", 
"p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2020-4060.NASL", "href": "https://www.tenable.com/plugins/nessus/141619", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:4060 and\n# CentOS Errata and Security Advisory 2020:4060 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141619);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\n \"CVE-2017-18551\",\n \"CVE-2018-20836\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-12614\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16994\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20636\",\n \"CVE-2020-1749\",\n \"CVE-2020-2732\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-14305\"\n );\n script_bugtraq_id(108196, 108550);\n script_xref(name:\"RHSA\", value:\"2020:4060\");\n\n script_name(english:\"CentOS 7 : kernel (CESA-2020:4060)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The 
remote CentOS Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:4060 advisory.\n\n - kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c\n (CVE-2017-18551)\n\n - kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c\n leads to use-after-free (CVE-2018-20836)\n\n - kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c\n causing denial of service (CVE-2019-12614)\n\n - kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver (CVE-2019-15217)\n\n - kernel: Memory leak in drivers/scsi/libsas/sas_expander.c (CVE-2019-15807)\n\n - kernel: use-after-free in drivers/bluetooth/hci_ldisc.c (CVE-2019-15917)\n\n - kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c (CVE-2019-16231)\n\n - kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c (CVE-2019-16233)\n\n - kernel: Memory leak in sit_init_net() in net/ipv6/sit.c (CVE-2019-16994)\n\n - kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol (CVE-2019-17053)\n\n - kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol (CVE-2019-17055)\n\n - kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c (CVE-2019-18808)\n\n - kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n (CVE-2019-19046)\n\n - kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS\n (CVE-2019-19055)\n\n - kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c\n allows for a DoS (CVE-2019-19058)\n\n - kernel: Multiple memory leaks in the 
iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS (CVE-2019-19059)\n\n - kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS\n (CVE-2019-19062)\n\n - kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c\n allow for a DoS (CVE-2019-19063)\n\n - Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332)\n\n - kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a\n use-after-free in ext4_put_super in fs/ext4/super.c (CVE-2019-19447)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver\n (CVE-2019-19523)\n\n - kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free (CVE-2019-19524)\n\n - kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver\n (CVE-2019-19530)\n\n - kernel: information leak bug caused by a malicious USB device in the\n drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (CVE-2019-19534)\n\n - kernel: race condition caused by a malicious USB device in the USB character device driver layer\n (CVE-2019-19537)\n\n - kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c\n and fs/ext4/super.c (CVE-2019-19767)\n\n - kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n - kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c (CVE-2019-20054)\n\n - kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c (CVE-2019-20095)\n\n - kernel: out-of-bounds write via crafted keycode table (CVE-2019-20636)\n\n - kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n - kernel: use after free due to race condition in the video driver leads to local privilege 
escalation\n (CVE-2019-9458)\n\n - kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open\n (CVE-2020-10690)\n\n - kernel: uninitialized kernel data leak in userspace coredumps (CVE-2020-10732)\n\n - kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic\n (CVE-2020-10742)\n\n - kernel: SELinux netlink permission check bypass (CVE-2020-10751)\n\n - kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field (CVE-2020-10942)\n\n - kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c (CVE-2020-11565)\n\n - kernel: sg_write function lacks an sg_remove_request call in a certain failure case (CVE-2020-12770)\n\n - kernel: possible to send arbitrary signals to a privileged (suidroot) parent process (CVE-2020-12826)\n\n - kernel: memory corruption in Voice over IP nf_conntrack_h323 module (CVE-2020-14305)\n\n - kernel: some ipv6 protocols not encrypted over ipsec tunnel (CVE-2020-1749)\n\n - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources (CVE-2020-2732)\n\n - kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c (CVE-2020-8647)\n\n - kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c\n (CVE-2020-8649)\n\n - kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c (CVE-2020-9383)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-cr-announce/2020-October/012745.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c5e7544c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/20.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/94.html\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/119.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/121.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/125.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/200.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/250.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/319.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/349.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/362.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/400.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/401.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/416.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/772.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/787.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-20836\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(20, 94, 119, 121, 125, 200, 250, 319, 349, 362, 400, 401, 416, 476, 772, 787);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'CentOS 7.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'bpftool-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-abi-whitelists-3.10.0-1160.el7', 'release':'CentOS-7'},\n {'reference':'kernel-debug-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-debug-devel-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-devel-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-headers-3.10.0-1160.el7', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'kernel-headers-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-tools-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'kernel-tools-libs-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n 
{'reference':'kernel-tools-libs-devel-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'perf-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'python-perf-3.10.0-1160.el7', 'cpu':'x86_64', 'release':'CentOS-7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + 
cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-abi-whitelists / etc');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2021-07-30T06:24:43", "description": "[4.1.12-124.46.3]\n- mwifiex: fix possible heap overflow in mwifiex_process_country_ie() (Ganapathi Bhat) [Orabug: 30781859] {CVE-2019-14895} {CVE-2019-14895}\n- ext4: fix ext4_empty_dir() for directories with holes (Jan Kara) [Orabug: 31265320] {CVE-2019-19037} {CVE-2019-19037}\n- netlabel: cope with NULL catmap (Paolo Abeni) [Orabug: 31350493] {CVE-2020-10711}\n- scsi: mptfusion: Fix double fetch bug in ioctl (Dan Carpenter) [Orabug: 31350941] {CVE-2020-12652}\n- scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() (Dan Carpenter) [Orabug: 31350941] {CVE-2020-12652}\n- USB: core: Fix free-while-in-use bug in the USB S-Glibrary (Alan Stern) [Orabug: 31350967] {CVE-2020-12464}\n- drivers: usb: core: Minimize irq disabling in usb_sg_cancel() (David Mosberger) [Orabug: 31350967] {CVE-2020-12464}\n- drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit. 
(David Mosberger) [Orabug: 31350967] {CVE-2020-12464}\n- ext4: work around deleting a file with i_nlink == 0 safely (Theodore Ts'o) [Orabug: 31351014] {CVE-2019-19447}\n- xen/events: avoid removing an event channel while handling it (Juergen Gross) [Orabug: 31984319] \n- xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage (Josh Abraham) [Orabug: 31984319] \n- ext4: fix fencepost in s_first_meta_bg validation (Theodore Ts'o) [Orabug: 32197511] \n- dm crypt: Allow unaligned bio buffer lengths for skcipher devices (Sudhakar Panneerselvam) [Orabug: 32202000] \n- sched/fair: Don't free p->numa_faults with concurrent readers (Jann Horn) [Orabug: 32212524] {CVE-2019-20934}\n- netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6 (Vasily Averin) [Orabug: 32222844] {CVE-2020-14305}\n- perf/core: Fix race in the perf_mmap_close() function (Jiri Olsa) [Orabug: 32233360] {CVE-2020-14351}\n- ext4: fix calculation of meta_bg descriptor backups (Andy Leiserson) [Orabug: 32245133]\n[4.1.12-124.46.2]\n- ocfs2: initialize ip_next_orphan (Wengang Wang) [Orabug: 31780626] \n- Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts (Peilin Ye) [Orabug: 32176264] {CVE-2020-28915}\n- fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h (Peilin Ye) [Orabug: 32176264] {CVE-2020-28915}\n- page_frag: Recover from memory pressure (Dongli Zhang) [Orabug: 32177993] \n- vt: Disable KD_FONT_OP_COPY (Daniel Vetter) [Orabug: 32187749] {CVE-2020-28974}\n- block: Fix use-after-free in blkdev_get() (Jason Yan) [Orabug: 32194609] {CVE-2020-15436}\n- icmp: randomize the global rate limiter (Eric Dumazet) [Orabug: 32227971] {CVE-2020-25705}\n[4.1.12-124.46.1]\n- KVM: x86: minor code refactor and comments fixup around dirty logging (Anthony Yznaga) [Orabug: 31722767] \n- KVM: x86: Manually flush collapsible SPTEs only when toggling flags (Sean Christopherson) [Orabug: 31722767] \n- KVM: x86: avoid unnecessary rmap walks when creating/moving slots (Anthony 
Yznaga) [Orabug: 31722767] \n- KVM: x86: remove unnecessary rmap walk of read-only memslots (Anthony Yznaga) [Orabug: 31722767] \n- xfs: catch inode allocation state mismatch corruption (Gautham Ananthakrishna) [Orabug: 32071488] \n- tty: make FONTX ioctl use the tty pointer they were actually passed (Linus Torvalds) [Orabug: 32122731] {CVE-2020-25668}\n- IB/mlx4: Adjust delayed work when a dup is observed (Hakon Bugge) [Orabug: 32136900] \n- IB/mlx4: Add support for REJ due to timeout (Hakon Bugge) [Orabug: 32136900] \n- IB/mlx4: Fix starvation in paravirt mux/demux (Hakon Bugge) [Orabug: 32136900] \n- IB/mlx4: Separate tunnel and wire bufs parameters (Hakon Bugge) [Orabug: 32136900] \n- IB/mlx4: Add support for MRA (Hakon Bugge) [Orabug: 32136900] \n- IB/mlx4: Add and improve logging (Hakon Bugge) [Orabug: 32136900]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-07T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14895", "CVE-2019-19037", "CVE-2019-19447", "CVE-2019-20934", 
"CVE-2020-10711", "CVE-2020-12464", "CVE-2020-12652", "CVE-2020-14305", "CVE-2020-14351", "CVE-2020-15436", "CVE-2020-25668", "CVE-2020-25705", "CVE-2020-28915", "CVE-2020-28974"], "modified": "2021-01-07T00:00:00", "id": "ELSA-2021-9002", "href": "http://linux.oracle.com/errata/ELSA-2021-9002.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-07-28T14:25:01", "description": "[3.10.0-1160.OL7]\n- Oracle Linux certificates (Ilya Okomin)\n- Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(alexey.petrenko@oracle.com)\n- Update x509.genkey [Orabug: 24817676]\n- Conflict with shim-ia32 and shim-x64 <= 15-2.0.3\n[3.10.0-1160]\n- [kernel] modsign: Add nomokvarconfig kernel parameter (Lenny Szubowicz) [1867857]\n- [firmware] modsign: Add support for loading certs from the EFI MOK config table (Lenny Szubowicz) [1867857]\n- [kernel] modsign: Move import of MokListRT certs to separate routine (Lenny Szubowicz) [1867857]\n- [kernel] modsign: Avoid spurious error message after last MokListRTn (Lenny Szubowicz) [1867857]\n[3.10.0-1159]\n- [kernel] modsign: Import certificates from optional MokListRT (Lenny Szubowicz) [1862840]\n- [crypto] crypto/pefile: Support multiple signatures in verify_pefile_signature (Lenny Szubowicz) [1862840]\n- [crypto] crypto/pefile: Tolerate other pefile signatures after first (Lenny Szubowicz) [1862840]\n[3.10.0-1158]\n- [redhat] switch secureboot kernel image signing to release keys (Jan Stancek) []\n[3.10.0-1157]\n- [fs] signal: Dont send signals to tasks that dont exist (Vladis Dronov) [1856166]\n[3.10.0-1156]\n- [fs] gfs2: Fix regression due to unwanted gfs2_qa_put (Robert S Peterson) [1798713]\n- [include] signal: Unfairly acquire tasklist_lock in send_sigio() if irq disabled (Waiman Long) [1838799]\n- [fs] signal: Dont take tasklist_lock if PID type is PIDTYPE_PID (Waiman Long) [1838799]\n- [vfio] vfio/pci: Fix SR-IOV VF handling with MMIO blocking (Alex 
Williamson) [1820632] {CVE-2020-12888}\n[3.10.0-1155]\n- [x86] Revert 'x86: respect memory size limiting via mem= parameter' (Joel Savitz) [1851576]\n- [mm] Revert 'mm/memory_hotplug.c: only respect mem= parameter during boot stage' (Joel Savitz) [1851576]\n- [fs] nfsd: only WARN once on unmapped errors ('J. Bruce Fields') [1850430]\n- [powerpc] pci/of: Fix OF flags parsing for 64bit BARs (Greg Kurz) [1840114]\n- [fs] cifs: fix NULL dereference in match_prepath (Leif Sahlberg) [1759852]\n[3.10.0-1154]\n- [fs] gfs2: move privileged user check to gfs2_quota_lock_check (Robert S Peterson) [1798713]\n- [fs] gfs2: Fix problems regarding gfs2_qa_get and _put (Robert S Peterson) [1798713]\n- [fs] gfs2: dont call quota_unhold if quotas are not locked (Robert S Peterson) [1798713]\n- [fs] gfs2: Remove unnecessary gfs2_qa_{get, put} pairs (Robert S Peterson) [1798713]\n- [fs] gfs2: Split gfs2_rsqa_delete into gfs2_rs_delete and gfs2_qa_put (Robert S Peterson) [1798713]\n- [fs] gfs2: Change inode qa_data to allow multiple users (Robert S Peterson) [1798713]\n- [fs] gfs2: eliminate gfs2_rsqa_alloc in favor of gfs2_qa_alloc (Robert S Peterson) [1798713]\n- [fs] gfs2: Switch to list_{first,last}_entry (Robert S Peterson) [1798713]\n- [fs] gfs2: Clean up inode initialization and teardown (Robert S Peterson) [1798713]\n- [fs] gfs2: Minor gfs2_alloc_inode cleanup (Robert S Peterson) [1798713]\n- [fs] gfs2: Fix busy-on-umount in gfs2_atomic_open() (Andrew Price) [1812558]\n[3.10.0-1153]\n- [x86] mm: Fix mremap not considering huge pmd devmap (Rafael Aquini) [1843437] {CVE-2020-10757}\n- [mm] mm, dax: check for pmd_none() after split_huge_pmd() (Rafael Aquini) [1843437] {CVE-2020-10757}\n- [mm] mm: mremap: streamline move_page_tables()s move_huge_pmd() corner case (Rafael Aquini) [1843437] {CVE-2020-10757}\n- [mm] mm: mremap: validate input before taking lock (Rafael Aquini) [1843437] {CVE-2020-10757}\n- [wireless] mwifiex: Fix possible buffer overflows in 
mwifiex_ret_wmm_get_status() (Jarod Wilson) [1844070] {CVE-2020-12654}\n- [wireless] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() (Jarod Wilson) [1844026] {CVE-2020-12653}\n- [net] netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6 (Florian Westphal) [1845428]\n[3.10.0-1152]\n- [nvmem] nvmem: properly handle returned value nvmem_reg_read (Vladis Dronov) [1844409]\n- [mailbox] PCC: fix dereference of ERR_PTR (Vladis Dronov) [1844409]\n- [kernel] futex: Unlock hb->lock in futex_wait_requeue_pi() error path (Vladis Dronov) [1844409]\n- [fs] aio: fix inconsistent ring state (Jeff Moyer) [1845326]\n- [vfio] vfio/mdev: make create attribute static (Vladis Dronov) [1837549]\n- [vfio] treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Synchronize device create/remove with parent removal (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Avoid creating sysfs remove file on stale device removal (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Improve the create/remove sequence (Vladis Dronov) [1837549]\n- [vfio] treewide: Add SPDX license identifier - Makefile/Kconfig (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Avoid inline get and put parent helpers (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Fix aborting mdev child device removal if one fails (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Follow correct remove sequence (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Avoid masking error code to EBUSY (Vladis Dronov) [1837549]\n- [include] vfio/mdev: Drop redundant extern for exported symbols (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Removed unused kref (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Avoid release parent reference during error path (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: Add iommu related member in mdev_device (Vladis Dronov) [1837549]\n- [vfio] vfio/mdev: add static modifier to add_mdev_supported_type (Vladis Dronov) [1837549]\n- [vfio] 
vfio: mdev: make a couple of functions and structure vfio_mdev_driver static (Vladis Dronov) [1837549]\n- [char] tpm/tpm_tis: Free IRQ if probing fails (David Arcari) [1774698]\n- [kernel] audit: fix a memleak caused by auditing load module (Richard Guy Briggs) [1843370]\n- [kernel] audit: fix potential null dereference 'context->module.name' (Richard Guy Briggs) [1843370]\n- [nvme] nvme: limit number of IO queues on Dell/Samsung config (David Milburn) [1837617]\n[3.10.0-1151]\n- [netdrv] qede: Fix multicast mac configuration (Michal Schmidt) [1740064]\n- [scsi] sd_dif: avoid incorrect ref_tag errors on 4K devices larger than 2TB (Ewan Milne) [1833528]\n- [hid] HID: hiddev: do cleanup in failure of opening a device (Torez Smith) [1814257] {CVE-2019-19527}\n- [hid] HID: hiddev: avoid opening a disconnected device (Torez Smith) [1814257] {CVE-2019-19527}\n- [x86] x86: make mul_u64_u64_div_u64() 'static inline' (Oleg Nesterov) [1845864]\n- [mm] mm: page_isolation: fix potential warning from user (Rafael Aquini) [1845620]\n- [s390] s390/mm: correct return value of pmd_pfn (Claudio Imbrenda) [1841106]\n- [fs] fs/proc/vmcore.c:mmap_vmcore: skip non-ram pages reported by hypervisors (Lianbo Jiang) [1790799]\n- [kernel] kernel/sysctl.c: ignore out-of-range taint bits introduced via kernel.tainted (Rafael Aquini) [1845356]\n- [documentation] kernel: add panic_on_taint (Rafael Aquini) [1845356]\n- [fs] ext4: Remove unwanted ext4_bread() from ext4_quota_write() (Lukas Czerner) [1845379]\n- [scsi] scsi: sg: add sg_remove_request in sg_write ('Ewan D. 
Milne') [1840699] {CVE-2020-12770}\n- [fs] fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (Donghai Qiao) [1832062] {CVE-2020-10732}\n[3.10.0-1150]\n- [netdrv] net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget (Alaa Hleihel) [1845020]\n- [mm] memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (Waiman Long) [1842715]\n- [mm] memcg: only free spare array when readers are done (Waiman Long) [1842715]\n- [powerpc] powerpc/crashkernel: Take 'mem=' option into account (Pingfan Liu) [1751555]\n- [infiniband] IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode (Kamal Heib) [1597952]\n- [security] selinux: properly handle multiple messages in selinux_netlink_send() (Ondrej Mosnacek) [1839650] {CVE-2020-10751}\n- [netdrv] net: ena: Add PCI shutdown handler to allow safe kexec (Bhupesh Sharma) [1841578]\n- [x86] x86/speculation: Support old struct x86_cpu_id & x86_match_cpu() kABI (Waiman Long) [1827188] {CVE-2020-0543}\n- [documentation] x86/speculation: Add Ivy Bridge to affected list (Waiman Long) [1827188] {CVE-2020-0543}\n- [documentation] x86/speculation: Add SRBDS vulnerability and mitigation documentation (Waiman Long) [1827188] {CVE-2020-0543}\n- [x86] x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Waiman Long) [1827188] {CVE-2020-0543}\n- [x86] x86/cpu: Add 'table' argument to cpu_matches() (Waiman Long) [1827188] {CVE-2020-0543}\n- [x86] x86/cpu: Add a steppings field to struct x86_cpu_id (Waiman Long) [1827188] {CVE-2020-0543}\n- [x86] x86/cpu/bugs: Convert to new matching macros (Waiman Long) [1827188] {CVE-2020-0543}\n- [x86] x86/cpu: Add consistent CPU match macros (Waiman Long) [1827188] {CVE-2020-0543}\n- [cpufreq] x86/devicetable: Move x86 specific macro out of generic code (Waiman Long) [1827188] {CVE-2020-0543}\nheader (Waiman Long) [1827188] {CVE-2020-0543}\n[3.10.0-1149]\n- [mm] mm/memory_hotplug.c: only respect mem= parameter during 
boot stage (Joel Savitz) [1838795]\n- [netdrv] qed: Reduce the severity of ptp debug message (Manish Chopra) [1703770]\n- [kernel] pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes (Jay Shin) [1836620]\n- [fs] gfs2: remove BUG_ON() from gfs2_log_alloc_bio() (Abhijith Das) [1828454]\n- [fs] gfs2: Even more gfs2_find_jhead fixes (Abhijith Das) [1828454]\n- [fs] quota: fix return value in dqget() (Eric Sandeen) [1842761]\n- [fs] proc_sysctl.c: fix potential page fault while unregistering sysctl table (Carlos Maiolino) [1843368]\n- [fs] ext4: fix error handling in ext4_ext_shift_extents (Lukas Czerner) [1843366]\n- [vhost] vhost: Check docket sk_family instead of call getname (Vladis Dronov) [1823302] {CVE-2020-10942}\n- [input] hyperv-keyboard - add module description (Mohammed Gamal) [1842689]\n- [hv] hv: Add a module description line to the hv_vmbus driver (Mohammed Gamal) [1842689]\n- [hid] hyperv: Add a module description line (Mohammed Gamal) [1842689]\n- [x86] sched/cputime: Improve cputime_adjust() (Oleg Nesterov) [1511040]\n- [acpi] ACPI: APEI: call into AER handling regardless of severity (Al Stone) [1737246]\n- [acpi] ACPI: APEI: handle PCIe AER errors in separate function (Al Stone) [1737246]\n- [acpi] ras: acpi/apei: cper: add support for generic data v3 structure (Al Stone) [1737246]\n- [acpi] ACPICA: ACPI 6.1: Updates for the HEST ACPI table (Al Stone) [1737246]\n- [acpi] ACPI / APEI: Switch to use new generic UUID API (Al Stone) [1737246]\n- [x86] x86/efi-bgrt: Quirk for BGRT when memory encryption active (Lenny Szubowicz) [1723477]\n- [scsi] scsi: megaraid_sas: Update driver version to 07.714.04.00-rc1 (Tomas Henzl) [1840550]\n- [scsi] scsi: megaraid_sas: TM command refire leads to controller firmware crash (Tomas Henzl) [1840550]\n- [scsi] scsi: megaraid_sas: Replace undefined MFI_BIG_ENDIAN macro with __BIG_ENDIAN_BITFIELD macro (Tomas Henzl) [1840550]\n- [scsi] scsi: megaraid_sas: Limit device queue depth to controller queue depth (Tomas 
Henzl) [1840550]\n- [vfio] vfio-pci: Invalidate mmaps and block MMIO access on disabled memory (Alex Williamson) [1820632] {CVE-2020-12888}\n- [vfio] vfio-pci: Fault mmaps to enable vma tracking (Alex Williamson) [1820632] {CVE-2020-12888}\n- [vfio] vfio/type1: Support faulting PFNMAP vmas (Alex Williamson) [1820632] {CVE-2020-12888}\n- [vfio] vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() (Alex Williamson) [1820632] {CVE-2020-12888}\n- [vfio] vfio/pci: call irq_bypass_unregister_producer() before freeing irq (Alex Williamson) [1820632] {CVE-2020-12888}\n- [vfio] vfio_pci: Enable memory accesses before calling pci_map_rom (Alex Williamson) [1820632] {CVE-2020-12888}\n- [fs] signal: Extend exec_id to 64bits (Chris von Recklinghausen) [1834650] {CVE-2020-12826}\n[3.10.0-1148]\n- [x86] hyper-v: Report crash data in die() when panic_on_oops is set (Mohammed Gamal) [1828450]\n- [hv] x86/hyper-v: Report crash register data when sysctl_record_panic_msg is not set (Mohammed Gamal) [1828450]\n- [x86] hyper-v: Report crash register data or kmsg before running crash kernel (Mohammed Gamal) [1828450]\n- [hv] x86/hyper-v: Trigger crash enlightenment only once during system crash (Mohammed Gamal) [1828450]\n- [hv] x86/hyper-v: Free hv_panic_page when fail to register kmsg dump (Mohammed Gamal) [1828450]\n- [hv] x86/hyper-v: Unload vmbus channel in hv panic callback (Mohammed Gamal) [1828450]\n- [hv] vmbus: Fix the issue with freeing up hv_ctl_table_hdr (Mohammed Gamal) [1828450]\n- [hv] vmus: Fix the check for return value from kmsg get dump buffer (Mohammed Gamal) [1828450]\n- [hv] Send one page worth of kmsg dump over Hyper-V during panic (Mohammed Gamal) [1828450]\n- [x86] kvm: x86: Allow suppressing prints on RDMSR/WRMSR of unhandled MSRs (Vitaly Kuznetsov) [1837412]\n- [fs] ext4: Fix race when checking i_size on direct i/o read (Lukas Czerner) [1506437]\n- [fs] copy_file_range should return ENOSYS not EOPNOTSUPP ('J. 
Bruce Fields') [1783554]\n- [fs] NFSv4.1 fix incorrect return value in copy_file_range ('J. Bruce Fields') [1783554]\n- [x86] Remove the unsupported check for Intel IceLake (Steve Best) [1841237]\n- [md] md/raid1: release pending accounting for an I/O only after write-behind is also finished (Nigel Croxon) [1792520]\n- [net] gre: fix uninit-value in __iptunnel_pull_header (Guillaume Nault) [1840321]\n- [net] inet: protect against too small mtu values. (Guillaume Nault) [1840321]\n- [net] Fix one possible memleak in ip_setup_cork (Guillaume Nault) [1840321]\n- [net] fix a potential recursive NETDEV_FEAT_CHANGE (Guillaume Nault) [1839130]\n- [net] fix null de-reference of device refcount (Guillaume Nault) [1839130]\n- [net] sch_choke: avoid potential panic in choke_reset() (Davide Caratti) [1839118]\n- [net] net_sched: fix datalen for ematch (Davide Caratti) [1839118]\n- [net] netem: fix error path for corrupted GSO frames (Davide Caratti) [1839118]\n- [net] avoid potential infinite loop in tc_ctl_action() (Davide Caratti) [1839118]\n- [net] net_sched: let qdisc_put() accept NULL pointer (Davide Caratti) [1839118]\n- [net] ipv4: really enforce backoff for redirects (Paolo Abeni) [1832332]\n- [net] ipv4: avoid mixed n_redirects and rate_tokens usage (Paolo Abeni) [1832332]\n- [net] ipv4: use a dedicated counter for icmp_v4 redirect packets (Paolo Abeni) [1832332]\n- [net] ipset: Update byte and packet counters regardless of whether they match (Phil Sutter) [1801366]\n- [net] xfrm: skip rt6i_idev update in xfrm6_dst_ifdown if loopback_idev is gone (Sabrina Dubroca) [1390049]\n[3.10.0-1147]\n- [nvme] nvme: fix the parameter order for nvme_get_log in nvme_get_fw_slot_info (Gopal Tiwari) [1839991]\n- [fs] pipe: actually allow root to exceed the pipe buffer limits (Jan Stancek) [1839629]\n- [scsi] Revert 'scsi: mpt3sas: Dont change the DMA coherent mask after allocations' (Tomas Henzl) [1839128]\n- [scsi] Revert 'scsi: mpt3sas: Rename function name is_MSB_are_same' (Tomas 
Henzl) [1839128]\n- [scsi] Revert 'scsi: mpt3sas: Separate out RDPQ allocation to new function' (Tomas Henzl) [1839128]\n- [scsi] Revert 'scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region' (Tomas Henzl) [1839128]\n- [netdrv] net/mlx5e: Avoid duplicating rule destinations (Alaa Hleihel) [1727593]\n- [netdrv] net/mlx5e: Extend encap entry with reference counter (Alaa Hleihel) [1727593]\n- [netdrv] net/mlx5e: Fix free peer_flow when refcount is 0 (Alaa Hleihel) [1727593]\n- [netdrv] net/mlx5e: Extend tc flow struct with reference counter (Alaa Hleihel) [1727593]\n- [netdrv] net/mlx5e: Dont make internal use of errno to denote missing neigh (Alaa Hleihel) [1727593]\n- [netdrv] net/mlx5e: Fix freeing flow with kfree() and not kvfree() (Alaa Hleihel) [1727593]\n- [drm] drm/nouveau/gr/gp107, gp108: implement workaround for HW hanging during init (Karol Herbst) [1834360 1834356 1833485]\n- [drm] drm/nouveau: workaround runpm fail by disabling PCI power management on certain intel bridges (Karol Herbst) [1834360 1834356 1833485]\n[3.10.0-1146]\n- [net] revert 'rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()' (Jiri Benc) [1839608]\n- [net] ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (Davide Caratti) [1838936]\n- [net] ipv6: Handle missing host route in __ipv6_ifa_notify (Davide Caratti) [1838936]\n- [net] ipv6: drop incoming packets having a v4mapped source address (Davide Caratti) [1838936]\n- [net] l2tp: fix infoleak in l2tp_ip6_recvmsg() (Andrea Claudi) [1837546]\n- [net] vti6: Fix memory leak of skb if input policy check fails (Patrick Talbert) [1836160]\n- [net] tcp: prevent bogus FRTO undos with non-SACK flows (Guillaume Nault) [1694860]\n- [scsi] scsi: smartpqi: fix controller lockup observed during force reboot (Don Brace) [1775369]\n- [fs] ext4: fix setting of referenced bit in ext4_es_lookup_extent() (Lukas Czerner) [1663720]\n- [fs] ext4: introduce aging to extent status tree (Lukas Czerner) [1663720]\n- [fs] ext4: cleanup 
flag definitions for extent status tree (Lukas Czerner) [1663720]\n- [fs] ext4: limit number of scanned extents in status tree shrinker (Lukas Czerner) [1663720]\n- [fs] ext4: move handling of list of shrinkable inodes into extent status code (Lukas Czerner) [1663720]\n- [fs] ext4: change LRU to round-robin in extent status tree shrinker (Lukas Czerner) [1663720]\n- [fs] ext4, jbd2: ensure panic when aborting with zero errno (Lukas Czerner) [1834783]\n- [fs] jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record (Lukas Czerner) [1834783]\n- [fs] jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal (Lukas Czerner) [1834783]\n- [fs] ext4: fix buffer leak in ext4_xattr_move_to_block() on error path (Lukas Czerner) [1834783]\n- [fs] ext4: fix missing return values checks in ext4_cross_rename (Lukas Czerner) [1836819]\n- [fs] ext4: Fix POSIX ACL leak in ext4_xattr_set_acl (Lukas Czerner) [1543020]\n- [vfio] vfio-pci: Mask cap zero (Alex Williamson) [1838717]\n- [x86] Mark Intel Cooper Lake (CPX) supported (Steve Best) [1773681]\n- [fs] fs/bio-integrity: dont enable integrity for data-less bio (Ming Lei) [1835943]\n- [char] ipmi_si: Only schedule continuously in the thread in maintenance mode (Alexey Klimov) [1837127]\n- [kernel] wait/ptrace: assume __WALL if the child is traced (Oleg Nesterov) [1497808]\n- [mm] mm, hugetlb, soft_offline: save compound page order before page migration (Artem Savkov) [1751589]\n- [fs] fs/hugetlbfs/inode.c: fix hwpoison reserve accounting (Artem Savkov) [1751589]\n- [fs] mm: hwpoison: dissolve in-use hugepage in unrecoverable memory error (Artem Savkov) [1751589]\n- [mm] mm: soft-offline: dissolve free hugepage if soft-offlined (Artem Savkov) [1751589]\n- [mm] mm: hugetlb: soft-offline: dissolve source hugepage after successful migration (Artem Savkov) [1751589]\n- [mm] mm: hwpoison: change PageHWPoison behavior on hugetlb pages (Artem Savkov) [1751589]\n- [mm] mm: hugetlb: 
prevent reuse of hwpoisoned free hugepages (Artem Savkov) [1751589]\n- [netdrv] net/mlx5: Tidy up and fix reverse christmas ordring (Alaa Hleihel) [1831134]\n- [netdrv] net/mlx5: Expose port speed when possible (Alaa Hleihel) [1831134]\n- [include] net/mlx5: Expose link speed directly (Alaa Hleihel) [1831134]\n- [usb] USB: core: Fix races in character device registration and deregistraion (Torez Smith) [1785065] {CVE-2019-19537}\n- [usb] usb: cdc-acm: make sure a refcount is taken early enough (Torez Smith) [1802548] {CVE-2019-19530}\n- [usb] USB: adutux: fix use-after-free on disconnect (Torez Smith) [1798822] {CVE-2019-19523}\n- [media] media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap (Torez Smith) [1795597] {CVE-2019-15217}\n[3.10.0-1145]\n- [scsi] scsi: qla2xxx: Do not log message when reading port speed via sysfs (Ewan Milne) [1837543]\n- [mm] mm: dmapool: add/remove sysfs file outside of the pool lock lock (Waiman Long) [1836837]\n- [mm] Fix unbalanced mutex in dma_pool_create() (Waiman Long) [1836837]\n- [mm] mm/dmapool.c: remove redundant NULL check for dev in dma_pool_create() (Waiman Long) [1836837]\n- [x86] x86/speculation: Prevent deadlock on ssb_state::lock (Waiman Long) [1836322]\n- [netdrv] can, slip: Protect tty->disc_data in write_wakeup and close with RCU (John Linville) [1805590]\n- [netdrv] slcan: Port write_wakeup deadlock fix from slip (John Linville) [1805590]\n- [fs] ext4: fix support for inode sizes > 1024 bytes (Lukas Czerner) [1817634] {CVE-2019-19767}\n- [fs] ext4: add more paranoia checking in ext4_expand_extra_isize handling (Lukas Czerner) [1817634] {CVE-2019-19767}\n- [fs] ext4: forbid i_extra_isize not divisible by 4 (Lukas Czerner) [1817634] {CVE-2019-19767}\n- [fs] ext4: validate the debug_want_extra_isize mount option at parse time (Lukas Czerner) [1817634] {CVE-2019-19767}\n- [fs] cachefiles: Fix race between read_waiter and read_copier involving op->to_do (Dave Wysochanski) [1829662]\n- [fs] jbd2: Fix 
possible overflow in jbd2_log_space_left() (Lukas Czerner) [1626092]\n- [media] media: v4l: event: Add subscription to list before calling 'add' operation (Jarod Wilson) [1828802] {CVE-2019-9458}\n- [media] media: v4l: event: Prevent freeing event subscriptions while accessed (Jarod Wilson) [1828802] {CVE-2019-9458}\n- [fs] block: Prevent hung_check firing during long sync IO (Ming Lei) [1724345]\n[3.10.0-1144]\n- [crypto] crypto: user - fix memory leak in crypto_report (Vladis Dronov) [1825132] {CVE-2019-18808 CVE-2019-19062}\n- [crypto] crypto: ccp - Release all allocated memory if sha type is invalid (Vladis Dronov) [1825132] {CVE-2019-18808}\n- [net] xfrm: policy: Fix doulbe free in xfrm_policy_timer (Xin Long) [1836813]\n- [net] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire (Xin Long) [1836813]\n- [net] xfrm: fix uctx len check in verify_sec_ctx_len (Xin Long) [1836813]\n- [net] rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() (Jiri Benc) [1835352]\n- [net] rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices (Jiri Benc) [1835352]\n- [net] netlink: fix uninit-value in netlink_sendmsg (Jiri Benc) [1835352]\n- [net] netlink: make sure nladdr has correct size in netlink_connect() (Jiri Benc) [1835352]\n- [net] rtnetlink: fix info leak in RTM_GETSTATS call (Jiri Benc) [1835352]\n- [net] rtnetlink: release net refcnt on error in do_setlink() (Jiri Benc) [1835352]\n- [net] bridge: deny dev_set_mac_address() when unregistering (Hangbin Liu) [1834203]\n- [net] bridge/mdb: remove wrong use of NLM_F_MULTI (Hangbin Liu) [1834203]\n- [net] udp: disable inner UDP checksum offloads in IPsec case (Sabrina Dubroca) [1826244]\n- [net] sctp: Fix SHUTDOWN CTSN Ack in the peer restart case (Xin Long) [1833869]\n- [net] sctp: Fix bundling of SHUTDOWN with COOKIE-ACK (Xin Long) [1833869]\n- [net] sctp: fix possibly using a bad saddr with a given dst (Xin Long) [1833869]\n- [net] sctp: fix refcount bug in sctp_wfree (Xin Long) 
[1833869]\n- [net] sctp: move the format error check out of __sctp_sf_do_9_1_abort (Xin Long) [1833869]\n- [net] sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY (Xin Long) [1833869]\n- [net] sctp: fully initialize v4 addr in some functions (Xin Long) [1833869]\n- [net] sctp: simplify addr copy (Xin Long) [1833869]\n- [net] sctp: cache netns in sctp_ep_common (Xin Long) [1833869]\n- [net] sctp: destroy bucket if failed to bind addr (Xin Long) [1833869]\n- [net] sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' (Xin Long) [1833869]\n- [net] netfilter: nat: never update the UDP checksum when its 0 (Guillaume Nault) [1834278]\n- [net] esp4: add length check for UDP encapsulation (Sabrina Dubroca) [1825155]\n- [net] sit: fix memory leak in sit_init_net() (Andrea Claudi) [1830011] {CVE-2019-16994}\n- [net] sched: cbs: fix NULL dereference in case cbs_init() fails (Davide Caratti) [1830245]\n- [net] netfilter: nf_tables: use-after-free in dynamic operations (Phil Sutter) [1819087]\n- [net] tcp: tcp_v4_err() should be more careful (Marcelo Leitner) [1749964]\n- [net] tcp: remove BUG_ON from tcp_v4_err (Marcelo Leitner) [1749964]\n- [net] tcp: clear icsk_backoff in tcp_write_queue_purge() (Marcelo Leitner) [1749964]\n- [net] psample: fix skb_over_panic (Sabrina Dubroca) [1823251]\n- [net] sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key (Patrick Talbert) [1823691]\n- [netdrv] fjes: Handle workqueue allocation failure (Masayoshi Mizuma) [1830563] {CVE-2019-16231}\n[3.10.0-1143]\n- [mm] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED (Rafael Aquini) [1834434] {CVE-2020-11565}\n- [fs] fs: avoid softlockups in s_inodes iterators (Jay Shin) [1760145]\n- [scsi] scsi: core: Add DID_ALLOC_FAILURE and DID_MEDIUM_ERROR to hostbyte_table (Maurizio Lombardi) [1832019]\n- [fs] locks: allow filesystems to request that ->setlease be called without i_lock (Jeff Layton) [1830606]\n- [fs] locks: move fasync setup into generic_add_lease (Jeff 
Layton) [1830606]\n- [fs] revert '[fs] xfs: catch bad stripe alignment configurations' (Carlos Maiolino) [1836292]\n- [scsi] scsi: scsi_debug: num_tgts must be >= 0 (Ewan Milne) [1834998]\n- [scsi] scsi: scsi_debug: Avoid PI being disabled when TPGS is enabled (Ewan Milne) [1834998]\n- [scsi] scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded (Ewan Milne) [1834998]\n- [scsi] scsi_debug: check for bigger value first (Ewan Milne) [1834998]\n- [scsi] scsi_debug: vfree is null safe so drop the check (Ewan Milne) [1834998]\n- [scsi] scsi_debug: error message should say scsi_host_alloc not scsi_register (Ewan Milne) [1834998]\n- [fs] xfs: Fix tail rounding in xfs_alloc_file_space() (Bill ODonnell) [1833223]\n- [fs] ceph: dont drop message if it contains more data than expected (Jeff Layton) [1828340]\n- [fs] ceph: dont error out on larger-than-expected session messages (Jeff Layton) [1828340]\n- [acpi] ACPI: disable BERT by default, add parameter to enable it (Aristeu Rozanski) [1525298]\n- [acpi] ACPI: APEI: Fix possible out-of-bounds access to BERT region (Aristeu Rozanski) [1525298]\n- [acpi] ACPI / sysfs: Extend ACPI sysfs to provide access to boot error region (Aristeu Rozanski) [1525298]\n- [acpi] ACPI: APEI: Fix BERT resources conflict with ACPI NVS area (Aristeu Rozanski) [1525298]\n- [acpi] ACPI / APEI: Add Boot Error Record Table (BERT) support (Aristeu Rozanski) [1525298]\n- [acpi] ACPICA: Restore error table definitions to reduce code differences between Linux and ACPICA upstream (Aristeu Rozanski) [1525298]\n[3.10.0-1142]\n- [fs] gfs2: Another gfs2_walk_metadata fix (Andreas Grunbacher) [1822230]\n- [fs] ext4: prevent ext4_quota_write() from failing due to ENOSPC (Lukas Czerner) [1068952]\n- [fs] ext4: do not zeroout extents beyond i_disksize (Lukas Czerner) [1834320]\n- [fs] pnfs: Ensure we layoutcommit before revalidating attributes (Benjamin Coddington) [1827647]\n- [fs] nfs: flush data when locking a file to ensure cache coherence 
for mmap (Scott Mayhew) [1813811]\n- [fs] call fsnotify_sb_delete after evict_inodes (Jay Shin) [1760145]\n- [fs] inode: dont softlockup when evicting inodes (Jay Shin) [1760145]\n- [fs] drop_caches.c: avoid softlockups in drop_pagecache_sb() (Jay Shin) [1760145]\n- [fs] gfs2: More gfs2_find_jhead fixes (Abhijith Das) [1828454]\n- [fs] gfs2: Another gfs2_find_jhead fix (Abhijith Das) [1828454]\n- [fs] nfs: fix mount/umount race in nlmclnt (Jay Shin) [1771205]\n- [fs] nlm_shutdown_hosts_net() cleanup (Jay Shin) [1771205]\n- [scsi] scsi: megaraid: Use true, false for bool variables (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid: make two symbols static in megaraid_sas_base.c (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid: make some symbols static in megaraid_sas_fusion.c (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid: make some symbols static in megaraid_sas_fp.c (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Use scnprintf() for avoiding potential buffer overflow (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: silence a warning (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: fix indentation issue (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Limit the number of retries for the IOCTLs causing firmware fault (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Re-Define enum DCMD_RETURN_STATUS (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Do not set HBA Operational if FW is not in operational state (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Do not kill HBA if JBOD Seqence map or RAID map is disabled (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Do not kill host bus adapter, if adapter is already dead (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Update optimal queue depth for SAS and NVMe devices (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Reset adapter if FW is not in READY state 
after device resume (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Make poll_aen_lock static (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Fix a compilation warning (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Make a bunch of functions static (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Make some functions static (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: remove unused variables 'debugBlk', 'fusion' (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: Unique names for MSI-X vectors (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: fix panic on loading firmware crashdump (Tomas Henzl) [1827037]\n- [scsi] scsi: megaraid_sas: fix spelling mistake 'megarid_sas' -> 'megaraid_sas' (Tomas Henzl) [1827037]\n- [scsi] scsi: mpt3sas: Disable DIF when prot_mask set to zero (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Handle RDPQ DMA allocation in same 4G region (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Separate out RDPQ allocation to new function (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Rename function name is_MSB_are_same (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Dont change the DMA coherent mask after allocations (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Fix kernel panic observed on soft HBA unplug (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Fix double free in attach error handling (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Use Component img header to get Package ver (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Fix module parameter max_msix_vectors (Tomas Henzl) [1832868]\n- [scsi] scsi: mpt3sas: Reject NVMe Encap cmnds to unsupported HBA (Tomas Henzl) [1832868]\n- [netdrv] hv_netvsc: Fix error handling in netvsc_set_features() (Mohammed Gamal) [1821814]\n- [netdrv] hv_netvsc: Sync offloading features to VF NIC (Mohammed Gamal) [1821814]\n- [netdrv] hv_netvsc: Fix IP header checksum for coalesced packets (Mohammed Gamal) [1821814]\n- [netdrv] hv_netvsc: Fix rndis_per_packet_info 
internal field initialization (Mohammed Gamal) [1821814]\n- [netdrv] hv_netvsc: Add handler for LRO setting change (Mohammed Gamal) [1821814]\n- [netdrv] hv_netvsc: Add support for LRO/RSC in the vSwitch (Mohammed Gamal) [1821814]\n- [netdrv] hv_netvsc: Add handlers for ethtool get/set msg level (Mohammed Gamal) [1821814]\n- [netdrv] hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (Mohammed Gamal) [1821814]\n- [fs] fix mntput/mntput race (Miklos Szeredi) [1828320]\n- [wireless] rtlwifi: prevent memory leak in rtl_usb_probe (Jarod Wilson) [1829847] {CVE-2019-19063}\n- [wireless] iwlwifi: dbg_ini: fix memory leak in alloc_sgtable (Jarod Wilson) [1829375] {CVE-2019-19058}\n- [net] nl80211: fix memory leak in nl80211_get_ftm_responder_stats (Jarod Wilson) [1829289] {CVE-2019-19055}\n- [wireless] iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init (Jarod Wilson) [1829393] {CVE-2019-19059}\n[3.10.0-1141]\n- [kernel] sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision (Artem Savkov) [1752067]\n- [edac] EDAC: skx_common: downgrade message importance on missing PCI device (Aristeu Rozanski) [1832683]\n- [s390] s390/qdio: consider ERROR buffers for inbound-full condition (Philipp Rudo) [1831791]\n- [s390] s390/ftrace: fix potential crashes when switching tracers (Philipp Rudo) [1813124]\n- [netdrv] ibmvnic: Skip fatal error reset after passive init (Steve Best) [1830992]\n- [scsi] smartpqi: bump driver version (Don Brace) [1822762]\n- [scsi] scsi: smartpqi: add bay identifier (Don Brace) [1822762]\n- [scsi] scsi: smartpqi: add module param to hide vsep (Don Brace) [1822762]\n- [scsi] scsi: bnx2fc: Update the driver version to 2.12.13 (Nilesh Javali) [1709542]\n- [scsi] scsi: bnx2fc: fix boolreturn.cocci warnings (Nilesh Javali) [1709542]\n- [scsi] scsi: bnx2fc: Fix SCSI command completion after cleanup is posted (Nilesh Javali) [1709542]\n- [scsi] scsi: bnx2fc: Process the RQE with CQE in interrupt context (Nilesh 
Javali) [1709542]\n- [scsi] scsi: qla2xxx: Fix a recently introduced kernel warning (Nilesh Javali) [1828875]\n- [scsi] Fix abort timeouts in CQ Full conditions (Dick Kennedy) [1802654]\n- [input] Input: add safety guards to input_set_keycode() (Chris von Recklinghausen) [1828222] {CVE-2019-20636}\n- [scsi] scsi: libsas: delete sas port if expander discover failed (Tomas Henzl) [1829965] {CVE-2019-15807}\n- [net] netlabel: cope with NULL catmap (Paolo Abeni) [1827240] {CVE-2020-10711}\n[3.10.0-1140]\n- [netdrv] mlx5: Remove unsupported tag for ConnectX-6 Dx device (Alaa Hleihel) [1829777]\n- [fs] xfs: clear PF_MEMALLOC before exiting xfsaild thread (Brian Foster) [1827910]\n- [fs] gfs2: fix O_EXCL|O_CREAT handling on cold dcache (Andrew Price) [1812558]\n- [fs] nfs: Correct an nfs page array calculation error (Jay Shin) [1824270]\n- [infiniband] RDMA/bnxt_re: Fix stat push into dma buffer on gen p5 devices (Jonathan Toppins) [1828475 1824438]\n- [netdrv] bnxt_en: Fix allocation of zero statistics block size regression (Jonathan Toppins) [1824438]\n- [netdrv] bnxt_en: Allocate the larger per-ring statistics block for 57500 chips (Jonathan Toppins) [1824438]\n- [netdrv] bnxt_en: Expand bnxt_tpa_info struct to support 57500 chips (Jonathan Toppins) [1824438]\n- [netdrv] bnxt_en: Refactor TPA logic (Jonathan Toppins) [1824438]\n- [netdrv] bnxt_en: Add TPA structure definitions for BCM57500 chips (Jonathan Toppins) [1824438]\n- [netdrv] bnxt_en: Update firmware interface spec. to 1.10.0.89 (Jonathan Toppins) [1824438]\n- [netdrv] bnxt_en: Update firmware interface to 1.10.0.69 (Jonathan Toppins) [1824438]\n- [netdrv] bnxt_en: Update firmware interface spec. 
to 1.10.0.47 (Jonathan Toppins) [1824438]\n- [netdrv] bnxt_en: Refactor ethtool ring statistics logic (Jonathan Toppins) [1824438]\n- [block] blk-mq: Put driver tag in blk_mq_dispatch_rq_list() when no budget (Ming Lei) [1825431]\n- [scsi] scsi: fnic: do not queue commands during fwreset (Govindarajulu Varadarajan) [1794150]\n- [scsi] scsi: fnic: fix invalid stack access (Govindarajulu Varadarajan) [1794150]\n- [scsi] scsi: fnic: fix use after free (Govindarajulu Varadarajan) [1794150]\n- [netdrv] enic: prevent waking up stopped tx queues over watchdog reset (Govindarajulu Varadarajan) [1794148]\n- [fs] ceph: use ceph_evict_inode to cleanup inodes resource (Jeff Layton) [1784016]\n- [fs] ceph: fix use-after-free in __ceph_remove_cap() (Jeff Layton) [1784016]\n- [fs] ceph: hold i_ceph_lock when removing caps for freeing inode (Jeff Layton) [1784016]\n- [input] Input: ff-memless - kill timer in destroy() (Chris von Recklinghausen) [1815021] {CVE-2019-19524}\n- [scsi] scsi: qla2xxx: fix a potential NULL pointer dereference ('Ewan D. Milne') [1829246] {CVE-2019-16233}\n[3.10.0-1139]\n- [fs] nfsd: Fix races between nfsd4_cb_release() and nfsd4_shutdown_callback() ('J. Bruce Fields') [1448750]\n- [fs] nfsd: minor 4.1 callback cleanup ('J. 
Bruce Fields') [1448750]\n- [fs] nfsd: Dont release the callback slot unless it was actually held (Benjamin Coddington) [1448750]\n- [lib] kobject: dont use WARN for registration failures (Ewan Milne) [1756495]\n- [lib] lib/kobject: Join string literals back (Ewan Milne) [1756495]\n- [scsi] scsi: ibmvfc: Dont send implicit logouts prior to NPIV login (Steve Best) [1828726]\n- [fs] nfs: Serialize O_DIRECT reads and writes (Benjamin Coddington) [1826571]\n- [mm] mm/page_owner: convert page_owner_inited to static key (Rafael Aquini) [1781726]\n- [mm] mm/page_owner: set correct gfp_mask on page_owner (Rafael Aquini) [1781726]\n- [mm] mm/page_owner: fix possible access violation (Rafael Aquini) [1781726]\n- [mm] mm/page_owner: use late_initcall to hook in enabling (Rafael Aquini) [1781726]\n- [mm] mm/page_owner: remove unnecessary stack_trace field (Rafael Aquini) [1781726]\n- [mm] mm/page_owner: correct owner information for early allocated pages (Rafael Aquini) [1781726]\n- [mm] mm/page_owner: keep track of page owners (Rafael Aquini) [1781726]\n- [documentation] Documentation: add new page_owner document (Rafael Aquini) [1781726]\n- [kernel] stacktrace: introduce snprint_stack_trace for buffer output (Rafael Aquini) [1781726]\n[3.10.0-1138]\n- [infiniband] RDMA/bnxt_re: Fix chip number validation Broadcoms Gen P5 series (Jonathan Toppins) [1823679]\n- [scsi] scsi: qla2xxx: Silence fwdump template message (Ewan Milne) [1783191]\n- [scsi] scsi: hpsa: Update driver version (Joseph Szczypek) [1808403]\n- [scsi] scsi: hpsa: correct race condition in offload enabled (Joseph Szczypek) [1808403]\n- [netdrv] bonding: fix active-backup transition after link failure (Jarod Wilson) [1712235]\n- [netdrv] bonding: fix state transition issue in link monitoring (Jarod Wilson) [1712235]\n- [netdrv] bonding: fix potential NULL deref in bond_update_slave_arr (Jarod Wilson) [1712235]\n- [netdrv] bonding: Force slave speed check after link state recovery for 802.3ad (Jarod Wilson) 
[1712235]\n- [i2c] i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA (Vladis Dronov) [1822641] {CVE-2017-18551}\n- [acpi] ACPI / EC: Ensure lock is acquired before accessing ec struct (Al Stone) [1811132]\n- [x86] x86/mce: Do not log spurious corrected mce errors (Prarit Bhargava) [1797205]\n- [wireless] mwifiex: Fix mem leak in mwifiex_tm_cmd (Jarod Wilson) [1804971] {CVE-2019-20095}\n- [kernel] kernel/module.c: wakeup processes in module_wq on module unload (Prarit Bhargava) [1771939]\n- [acpi] ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Prarit Bhargava) [1790782]\n[3.10.0-1137]\n- [tty] tty/hvc: Use IRQF_SHARED for OPAL hvc consoles (Gustavo Duarte) [1600213]\n- [mm] mm/swap_slots.c: fix race conditions in swap_slots cache init (Rafael Aquini)\n- [block] loop: set PF_MEMALLOC_NOIO for the worker thread (Ming Lei) [1825950]\n- [tty] serial: 8250: drop the printk from serial8250_interrupt() (Prarit Bhargava) [1825049]\n- [net] net: linkwatch: add check for netdevice being present to linkwatch_do_dev (Alaa Hleihel) [1595302]\n[3.10.0-1136]\n- [fs] sunrpc: expiry_time should be seconds not timeval (Benjamin Coddington) [1794055]\n- [nvdimm] Revert 'driver boilerplate changes to properly manage device_rh' (Christoph von Recklinghausen) [1823750]\n- [base] call device_rh_free in device_release before driver/class/type release is called (Christoph von Recklinghausen) [1822888]\n- [md] md:md-faulty kernel panic is caused by QUEUE_FLAG_NO_SG_MERGE (Nigel Croxon) [1822462]\n- [firmware] efi: cper: print AER info of PCIe fatal error (Vladis Dronov) [1820646]\n- [scsi] qla2xxx: Update driver version to 10.01.00.22.07.9-k (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Fix message indicating vectors used by driver (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Move free of fcport out of interrupt context (Nilesh Javali) [1808129]\n- [scsi] qla2xxx: delete all sessions before unregister local nvme port (Nilesh Javali) [1808129]\n- 
[scsi] qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Fix a NULL pointer dereference in an error path (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Fix mtcp dump collection failure (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Fix RIDA Format-2 (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Fix stuck login session using prli_pend_timer (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Use common routine to free fcport struct (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Fix update_fcport for current_topology (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Fix fabric scan hang (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Complain if sp->done() is not called from the completion path (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Change discovery state before PLOGI (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Initialize free_work before flushing it (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Retry fabric Scan on IOCB queue full (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: initialize fc4_type_priority (Nilesh Javali) [1808129]\n- [scsi] scsi: qla2xxx: Fix a dma_pool_free() call (Nilesh Javali) [1808129]\n- [security] selinux: ensure we cleanup the internal AVC counters on error in avc_insert() (Artem Savkov) [1808675]\n- [acpi] ACPICA: Mark acpi_ut_create_internal_object_dbg() memory allocations as non-leaks (Artem Savkov) [1808675]\n- [x86] x86/microcode/AMD: Free unneeded patch before exit from update_cache() (Artem Savkov) [1808675]\n- [mm] memcg: ensure mem_cgroup_idr is updated in a coordinated manner (Aaron Tomlin) [1822405]\n- [mm] mm/page_alloc: increase default min_free_kbytes bound (Joel Savitz) [1704326]\n- [scsi] scsi: lpfc: Fix unexpected error 
messages during RSCN handling (Dick Kennedy) [1743667]\n- [scsi] scsi: lpfc: Fix discovery failures when target device connectivity bounces (Dick Kennedy) [1743667]\n- [scsi] scsi: lpfc: Fix devices that dont return after devloss followed by rediscovery (Dick Kennedy) [1743667]\n- [scsi] scsi: lpfc: Fix port relogin failure due to GID_FT interaction (Dick Kennedy) [1743667]\n- [video] vgacon: Fix a UAF in vgacon_invert_region (Vladis Dronov) [1818730] {CVE-2020-8647 CVE-2020-8649}\n- [x86] uprobes/x86: Fix detection of 32-bit user mode (Oleg Nesterov) [1804959]\n- [powerpc] module: Handle R_PPC64_ENTRY relocations (Yauheni Kaliuta) [1657540]\n- [scripts] recordmcount.pl: support data in text section on powerpc (Yauheni Kaliuta) [1657540]\n- [powerpc] boot: Request no dynamic linker for boot wrapper (Yauheni Kaliuta) [1657540]\n[3.10.0-1135]\n- [fs] fscache: Fix race in fscache_op_complete() due to split atomic_sub & read (Dave Wysochanski) [1683490]\n- [fs] fscache: Pass the correct cancelled indications to fscache_op_complete() (Dave Wysochanski) [1683490]\n- [char] tpm: ibmvtpm: Wait for buffer to be set before proceeding (Jerry Snitselaar) [1815536]\n- [fs] NFS: Fix a race between mmap() and O_DIRECT (Benjamin Coddington) [1813803]\n- [fs] NFS: Remove a redundant call to unmap_mapping_range() (Benjamin Coddington) [1813803]\n- [fs] NFS: Remove redundant waits for O_DIRECT in fsync() and write_begin() (Benjamin Coddington) [1813803]\n- [fs] NFS: Cleanup nfs_direct_complete() (Benjamin Coddington) [1813803]\n- [fs] NFS: Do not serialise O_DIRECT reads and writes (Benjamin Coddington) [1813803]\n- [fs] NFS: Move buffered I/O locking into nfs_file_write() (Benjamin Coddington) [1813803]\n- [fs] bdi: make inode_to_bdi() inline (Benjamin Coddington) [1813803]\n- [fs] NFS: Remove racy size manipulations in O_DIRECT (Benjamin Coddington) [1813803]\n- [fs] NFS: Dont hold the inode lock across fsync() (Benjamin Coddington) [1813803]\n- [fs] nfs: remove nfs_inode_dio_wait 
(Benjamin Coddington) [1813803]\n- [fs] nfs: remove nfs4_file_fsync (Benjamin Coddington) [1813803]\n- [fs] NFS: Kill NFS_INO_NFS_INO_FLUSHING: it is a performance killer (Benjamin Coddington) [1813803]\n- [fs] filesystem-dax: Fix dax_layout_busy_page() livelock (Carlos Maiolino) [1817866]\n- [block] blk-mq: fix hang caused by freeze/unfreeze sequence (Ming Lei) [1821718]\n- [fs] ceph: dont NULL terminate virtual xattrs (Jeff Layton) [1717454]\n- [fs] ceph: return -ERANGE if virtual xattr value didnt fit in buffer (Jeff Layton) [1717454]\n- [fs] ceph: make getxattr_cb return ssize_t (Jeff Layton) [1717454]\n- [fs] ceph: use bit flags to define vxattr attributes (Jeff Layton) [1717454]\n- [tty] tty: Prevent ldisc drivers from re-using stale tty fields (Vladis Dronov) [1820031]\n- [powerpc] powerpc64/kexec: Hard disable ftrace before switching to the new kernel (Jerome Marchand) [1731578]\n- [powerpc] powerpc64/ftrace: Delay enabling ftrace on secondary cpus (Jerome Marchand) [1731578]\n- [powerpc] powerpc64/ftrace: Add helpers to hard disable ftrace (Jerome Marchand) [1731578]\n- [powerpc] powerpc64/ftrace: Rearrange #ifdef sections in ftrace.h (Jerome Marchand) [1731578]\n- [powerpc] powerpc64/ftrace: Add a field in paca to disable ftrace in unsafe code paths (Jerome Marchand) [1731578]\n- [powerpc] powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS (Jerome Marchand) [1731578]\n- [isdn] mISDN: enforce CAP_NET_RAW for raw sockets (Andrea Claudi) [1779474] {CVE-2019-17055}\n- [virtio] virtio-balloon: fix managed page counts when migrating pages between zones (David Hildenbrand) [1780330]\n[3.10.0-1134]\n- [net] netfilter: nf_log: fix uninit read in nf_log_proc_dostring (Phil Sutter) [1770232]\n- [net] netfilter: nf_log: fix error on write NONE to logger choice sysctl (Phil Sutter) [1770232]\n- [net] ethtool: convert large order kmalloc allocations to vzalloc (Davide Caratti) [1786448]\n- [net] l2tp: Allow duplicate session creation with UDP 
(Guillaume Nault) [1808928]\n- [net] sched: flower: insert new filter to idr after setting its mask (Davide Caratti) [1785141]\n- [net] ipv6: remove printk (Hangbin Liu) [1779533]\n- [net] netfilter: ctnetlink: netns exit must wait for callbacks (Florian Westphal) [1766816]\n- [net] raw: do not report ICMP redirects to user space (Hangbin Liu) [1758386]\n[3.10.0-1133]\n- [powerpc] powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property() (Steve Best) [1806629] {CVE-2019-12614}\n- [s390] s390/pci: Recover handle in clp_set_pci_fn() (Philipp Rudo) [1816662]\n- [fs] xfs: fix attr leaf header freemap.size underflow (Bill ODonnell) [1808671]\n- [block] floppy: check FDC index for errors before assigning it (Ming Lei) [1815403] {CVE-2020-9383}\n- [block] virtio-blk: improve virtqueue error to BLK_STS (Philipp Rudo) [1818001]\n- [block] virtio-blk: fix hw_queue stopped on arbitrary error (Philipp Rudo) [1818001]\n- [s390] dasd: fix endless loop after read unit address configuration (Philipp Rudo) [1816661]\n- [fs] CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (Leif Sahlberg) [1504193]\n- [fs] cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs (Leif Sahlberg) [1504193]\n- [char] ipmi: Fix memory leak in __ipmi_bmc_register (Tony Camuso) [1812836] {CVE-2019-19046}\n- [net] ipvs: Remove noisy debug print from ip_vs_del_service (Alexey Klimov) [1769816]\n[3.10.0-1132]\n- [tools] tools/power turbostat: Support Ice Lake server (Steve Best) [1776508]\n- [nvme] nvme-fc: ensure association_id is cleared regardless of a Disconnect LS (Ewan Milne) [1816752]\n- [nvme] nvme-fc: clarify error messages (Ewan Milne) [1816752]\n- [nvme] nvme-fc: fix module unloads while lports still pending (Ewan Milne) [1816752]\n- [scsi] scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (Ewan Milne) [1816307]\n- [scsi] scsi: core: Fix a compiler warning triggered by the SCSI logging code (Ewan Milne) [1816307]\n- [scsi] scsi: tracing: 
Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (Ewan Milne) [1816307]\n- [scsi] scsi: core: scsi_trace: Use get_unaligned_be*() (Ewan Milne) [1816307]\n- [scsi] scsi: core: try to get module before removing device (Ewan Milne) [1816307]\n- [scsi] scsi: scsi_dh_alua: handle RTPG sense code correctly during state transitions (Ewan Milne) [1816307]\n- [scsi] scsi: device_handler: remove VLAs (Ewan Milne) [1816307]\n- [scsi] scsi: scsi_dh: Document alua_rtpg_queue() arguments (Ewan Milne) [1816307]\n- [scsi] scsi: scsi_dh_alua: skip RTPG for devices only supporting active/optimized (Ewan Milne) [1816307]\n- [scsi] scsi: scsi_dh_emc: return success in clariion_std_inquiry() (Ewan Milne) [1816307]\n- [target] scsi: target: iscsi: rename some variables to avoid confusion (Maurizio Lombardi) [1806966]\n- [target] scsi: target: iscsi: tie the challenge length to the hash digest size (Maurizio Lombardi) [1806966]\n- [target] scsi: target: iscsi: CHAP: add support for SHA1, SHA256 and SHA3-256 (Maurizio Lombardi) [1806966]\n- [target] scsi: target: compare full CHAP_A Algorithm strings (Maurizio Lombardi) [1806966]\n- [base] device_release() can call device_rh_free() too (Christoph von Recklinghausen) [1793248]\n- [nvdimm] driver boilerplate changes to properly manage device_rh (Christoph von Recklinghausen) [1793248]\n- [base] Add an interface for certain drivers who manage their own struct devices to disassociate their device_rhs (Christoph von Recklinghausen) [1793248]\n- [base] kfree(dev->device_rh) in device_create_release() (Christoph von Recklinghausen) [1793248]\n- [base] kfree and zero device_rh in device_release() (Christoph von Recklinghausen) [1793248]\n- [input] Revert 'Fix device_rh memory leak' (Christoph von Recklinghausen) [1793248]\n- [scsi] Revert 'Fix device_rh leak in scsi_alloc_target()' (Christoph von Recklinghausen) [1793248]\n- [scsi] Revert 'Fix memory leaks in scsi_alloc_sdev()' (Christoph von Recklinghausen) [1793248]\n- [nvdimm] 
libnvdimm/security: Consolidate 'security' operations (Jeff Moyer) [1735364]\n- [nvdimm] libnvdimm/security: Tighten scope of nvdimm->busy vs security operations (Jeff Moyer) [1735364]\n- [nvdimm] libnvdimm/security: Introduce a 'frozen' attribute (Jeff Moyer) [1735364]\n- [acpi] libnvdimm/security, acpi/nfit: unify zero-key for all security commands (Jeff Moyer) [1735364]\n- [nvdimm] libnvdimm/security: provide fix for secure-erase to use zero-key (Jeff Moyer) [1735364]\n- [block] block: fix checking return value of blk_mq_init_queue (Maxim Levitsky) [1795777]\n- [bluetooth] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() (Aristeu Rozanski) [1808803] {CVE-2019-15917}\n[3.10.0-1131]\n- [x86] kvm: x86: clear stale x86_emulate_ctxt->intercept value (Jon Maloy) [1806818] {CVE-2020-2732}\n- [x86] kvm: vmx: check descriptor table exits on instruction emulation (Jon Maloy) [1806818] {CVE-2020-2732}\n- [x86] kvm: nvmx: Check IO instruction VM-exit conditions (Jon Maloy) [1806818] {CVE-2020-2732}\n- [x86] kvm: nvmx: Refactor IO bitmap checks into helper function (Jon Maloy) [1806818] {CVE-2020-2732}\n- [x86] kvm: nvmx: Dont emulate instructions in guest mode (Jon Maloy) [1806818] {CVE-2020-2732}\n- [x86] kvm: x86: Fix kvm_bitmap_or_dest_vcpus() to use irq shorthand (Nitesh Narayan Lal) [1772082]\n- [x86] kvm: x86: Initializing all kvm_lapic_irq fields in ioapic_write_indirect (Nitesh Narayan Lal) [1772082]\n- [virt] kvm: x86: remove set but not used variable 'called' (Nitesh Narayan Lal) [1772082]\n- [x86] kvm: x86: Zero the IOAPIC scan request dest vCPUs bitmap (Nitesh Narayan Lal) [1772082]\n- [x86] kvm: x86: deliver KVM IOAPIC scan request to target vCPUs (Nitesh Narayan Lal) [1772082]\n- [kernel] kvm: remember position in kvm->vcpus array (Nitesh Narayan Lal) [1772082]\n- [x86] kvm: x86: Drop KVM_APIC_SHORT_MASK and KVM_APIC_DEST_MASK (Nitesh Narayan Lal) [1772082]\n- [virt] kvm: introduce kvm_make_vcpus_request_mask() API (Nitesh 
Narayan Lal) [1772082]\n- [virt] kvm: avoid unused variable warning for UP builds (Nitesh Narayan Lal) [1772082]\n- [kernel] smp, cpumask: Use non-atomic cpumask_{set, clear}_cpu() (Nitesh Narayan Lal) [1772082]\n- [fs] nfs: change sign of nfs_fh length ('J. Bruce Fields') [1813326]\n- [netdrv] ibmvnic: Do not process device remove during device reset (Steve Best) [1813903]\n- [x86] x86/debug: Extend the lower bound of crash kernel low reservations (Pingfan Liu) [1811511]\n- [net] tcp: make tcp_space() aware of socket backlog (Guillaume Nault) [1790840]\n- [net] ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup (Sabrina Dubroca) [1774447] {CVE-2020-1749}\n- [net] ipv6: add net argument to ip6_dst_lookup_flow (Sabrina Dubroca) [1774447] {CVE-2020-1749}\n- [net] ipv6: constify ip6_dst_lookup_{flow|tail}() sock arguments (Sabrina Dubroca) [1774447] {CVE-2020-1749}\n- [net] macvlan: return correct error value (Matteo Croce) [1654878]\n- [net] ieee802154: enforce CAP_NET_RAW for raw sockets (Andrea Claudi) [1779494] {CVE-2019-17053}\n- [net] ipv4: fix fnhe usage by non-cached routes (Hangbin Liu) [1788435]\n- [net] route: do not cache fib route info on local routes with oif (Hangbin Liu) [1788435]\n- [net] ip6_tunnel: fix potential NULL pointer dereference (Hangbin Liu) [1767045]\n- [net] net_sched: remove a bogus warning in hfsc (Davide Caratti) [1781323]\n- [netdrv] net/mlx5e: allow TSO on VXLAN over VLAN topologies (Davide Caratti) [1780646]\n[3.10.0-1130]\n- [scsi] scsi: avoid repetitive logging of device offline messages (Nilesh Javali) [1798042]\n- [scsi] qla2xxx: Fix I/Os being passed down when FC device is being deleted (Nilesh Javali) [1798042]\n- [scsi] scsi: qla2xxx: Fix unbound sleep in fcport delete path (Nilesh Javali) [1798042]\n- [scsi] scsi: qla2xxx: Fix hang in fcport delete path (Nilesh Javali) [1798042]\n- [scsi] scsi: qla2xxx: Fix stuck session in GNL (Nilesh Javali) [1798042]\n- [scsi] scsi: qla2xxx: Correct fcport flags handling (Nilesh 
Javali) [1798042]\n- [scsi] scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (Nilesh Javali) [1798042]\n- [scsi] iscsi: Avoid potential deadlock in iscsi_if_rx func (Oleksandr Natalenko) [1715986]\n- [netdrv] hv/netvsc: Fix NULL dereference at single queue mode fallback (Mohammed Gamal) [1806488]\n- [netdrv] hv/netvsc: fix handling of fallback to single queue mode (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: Fix unwanted rx_table reset (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: Fix tx_table init in rndis_set_subchannel() (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: fix typos in code comments (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: Fix hash key value reset after other ops (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: Refactor assignments of struct netvsc_device_info (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: split sub-channel setup into async and sync (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: Fix send_table offset in case of a host bug (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: Add NetVSP v6 and v6.1 into version negotiation (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: Fix offset usage in netvsc_send_table() (Mohammed Gamal) [1806488]\n- [netdrv] hv_netvsc: simplify receive side calling arguments (Mohammed Gamal) [1806488]\n- [scsi] scsi: ibmvfc: Fix NULL return compiler warning (Steve Best) [1810643]\n- [scsi] scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (Steve Best) [1810643]\n- [s390] s390/vdso: add vdso support for coarse clocks (Philipp Rudo) [1791822]\n- [s390] s390/vdso: remove NULL pointer check from clock_gettime (Philipp Rudo) [1791822]\n- [s390] scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host (Philipp Rudo) [1804807]\n[3.10.0-1129]\n- [tools] perf header: Use last modification time for timestamp (Michael Petlan) [1789947]\n- [tools] perf 
header: Fix up argument to ctime() (Michael Petlan) [1789947]\n- [hid] HID: multitouch: Add pointstick support for ALPS Touchpad (Benjamin Tissoires) [1672425]\n- [kernel] blktrace: fix dereference after null check (Ming Lei) [1798318] {CVE-2019-19768}\n- [kernel] blktrace: Protect q->blk_trace with RCU (Ming Lei) [1798318] {CVE-2019-19768}\n- [kernel] blktrace: fix trace mutex deadlock (Ming Lei) [1798318] {CVE-2019-19768}\n- [kernel] blktrace: fix unlocked registration of tracepoints (Ming Lei) [1798318] {CVE-2019-19768}\n- [kernel] blktrace: fix unlocked access to init/start-stop/teardown (Ming Lei) [1798318] {CVE-2019-19768}\n- [kernel] tracing: Handle NULL formats in hold_module_trace_bprintk_format() (Oleksandr Natalenko) [1811565]\n- [kernel] tracing: Fix trace_printk() to print when not using bprintk() (Oleksandr Natalenko) [1811565]\n- [sound] ALSA: timer: Fix incorrectly assigned timer instance (Jaroslav Kysela) [1798457] {CVE-2019-19807}\n- [x86] kvm: OOB memory write via kvm_dev_ioctl_get_cpuid (CVE-2019-19332) (Philippe Mathieu-Daud) [1783455] {CVE-2019-19332}\n- [x86] kvm: x86: do not reset microcode version on INIT or RESET (Paolo Bonzini) [1801852]\n- [x86] kvm: x86: list MSR_IA32_UCODE_REV as an emulated MSR (Paolo Bonzini) [1801852]\n- [x86] kvm: x86: Allow userspace to define the microcode version (Paolo Bonzini) [1801852]\n[3.10.0-1128]\n- [fs] ceph: only use d_name directly when parent is locked (Jeff Layton) [1699402]\n- [fs] ext4: work around deleting a file with i_nlink == 0 safely (Carlos Maiolino) [1801046]\n- [fs] xfs: attach dquots and reserve quota blocks during unwritten conversion (Carlos Maiolino) [1786005]\n- [fs] Revert 'xfs: attach dquots and reserve quota blocks during unwritten conversion' (Carlos Maiolino) [1786005]\n- [md] dm mpath: call clear_request_fn_mpio() in multipath_release_clone() (Mike Snitzer) [1806400]\n- [scsi] scsi: implement .cleanup_rq callback (Mike Snitzer) [1806400]\n- [md] blk-mq: add callback of 
.cleanup_rq (Mike Snitzer) [1806400]\n- [target] target: call init_timer_on_stack() to initialize login_timer (Maurizio Lombardi) [1810037]\n- [scsi] scsi: megaraid_sas: fixup MSIx interrupt setup during resume (Tomas Henzl) [1807077]\n- [tools] selftests/livepatch: Test interaction with ftrace_enabled (Yannick Cote) [1806653]\n- [tools] selftests/livepatch: Make dynamic debug setup and restore generic (Yannick Cote) [1806653]\n- [kernel] ftrace: Introduce PERMANENT ftrace_ops flag (Yannick Cote) [1806653]\n- [tools] selftests/livepatch: push and pop dynamic debug config (Yannick Cote) [1806653]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-10-06T00:00:00", "type": "oraclelinux", "title": "kernel security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18551", "CVE-2018-20836", "CVE-2019-12614", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16994", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", 
"CVE-2019-19063", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19527", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19768", "CVE-2019-19807", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20636", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-0543", "CVE-2020-10690", "CVE-2020-10711", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10757", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12653", "CVE-2020-12654", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-12888", "CVE-2020-14305", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2020-10-06T00:00:00", "id": "ELSA-2020-4060", "href": "http://linux.oracle.com/errata/ELSA-2020-4060.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-06-08T22:16:38", "description": "Google patched more than 90 security vulnerabilities in its Android operating system impacting its [Pixel devices](<https://threatpost.com/google-apple-track-mobile-opting-out/165147/>) and third-party Android handsets, including a critical remote code-execution bug that could allow an attacker to commandeer a targeted vulnerable mobile device.\n\nThat bug (CVE-2021-0507) exists in the System component in the Android OS, and could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process, according to Google\u2019s [June security bulletin](<https://source.android.com/security/bulletin/2021-06-01>). It\u2019s the most severe bug of those patched so far this June, the company said.\n\nThe Android System component of the OS also has a second critical vulnerability, an elevation-of-privilege (EoP) issue tracked as CVE-2021-0516. Further details were not given on that flaw. 
Typically, Google does not release the technical details of patched vulnerabilities until an overwhelming majority of vulnerable handsets receive the fixes.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nGoogle also addressed several high-severity EoP issues in other components within the OS, including one in Android runtime (CVE-2021-0511) that could enable a local attacker to execute arbitrary code and bypass user interaction requirements in order to gain access to additional permissions.\n\nMedia Framework meanwhile has four EoP issues (CVE-2021-0508, CVE-2021-0509, CVE-2021-0510, CVE-2021-0520), the most severe of which could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.\n\nTwo additional high-severity EoP issues (CVE-2020-14305, CVE-2021-0512) exist in the upstream kernel as well, the most severe vulnerability of which could lead to local escalation of privilege with no additional execution privileges needed.\n\nThe internet giant also addressed several high-severity information-disclosure issues for Android, such as one in Framework (CVE-2021-0521) that could lead to local information disclosure of cross-user permissions with no additional execution privileges needed.\n\n## **Pixel Device Fixes**\n\nThe bugs in Google\u2019s Pixel devices are [mainly rated moderate](<https://source.android.com/security/bulletin/pixel/2021-06-01>) in severity, including a pair of denial-of-service (DoS) problems in Android runtime (CVE-2020-1971 and CVE-2021-0555), and an RCE issue in Media Framework (CVE-2021-0557).\n\nIn all, Pixel has 43 security holes, affecting Android runtime, Framework, Media Framework, System, kernel components and Pixel components (Knowles IAXXX adnc driver and Pixel Launcher).\n\nOnly four of them are high-severity. 
These are: Two EoP issues in Pixel components (CVE-2021-0607 and CVE-2021-0608); an EoP issue in Media Framework (CVE-2021-0565) and another EoP bug in Framework (CVE-2021-0571).\n\nGoogle didn\u2019t release further details on any of the flaws. The security patch level of 2021-06-05 or later resolves all issues.\n\n**Join Threatpost for \u201cA Walk On The Dark Side: A Pipeline Cyber Crisis Simulation\u201d\u2013 a LIVE interactive demo on **[**Wed, June 9 at 2:00 PM EDT**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)**. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and **[**Register HERE**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)** for free.**\n", "cvss3": {}, "published": "2021-06-08T19:02:25", "type": "threatpost", "title": "Google Patches Critical Android RCE Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-14305", "CVE-2020-1971", "CVE-2021-0507", "CVE-2021-0508", "CVE-2021-0509", "CVE-2021-0510", "CVE-2021-0511", "CVE-2021-0512", "CVE-2021-0516", "CVE-2021-0520", "CVE-2021-0521", "CVE-2021-0555", "CVE-2021-0557", "CVE-2021-0565", "CVE-2021-0571", "CVE-2021-0607", "CVE-2021-0608"], "modified": "2021-06-08T19:02:25", "id": "THREATPOST:C408DF21547B7B4327FBAB82B97A4C96", "href": "https://threatpost.com/android-critical-rce-bug/166723/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "photon": [{"lastseen": "2021-11-03T11:49:05", "description": "An update of {'python3', 'envoy', 'mysql', 'python2', 'bindutils', 'linux-esx', 'linux', 'apache-tomcat'} packages of Photon OS has been released.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-25T00:00:00", "type": "photon", "title": "Home\nDownload Photon OS\nUser Documentation\nFAQ\nSecurity Advisories\nRelated Information\n\nLightwave - PHSA-2020-1.0-0309", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20907", "CVE-2020-12603", "CVE-2020-12604", "CVE-2020-12605", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-14305", "CVE-2020-14422", "CVE-2020-14539", "CVE-2020-14540", "CVE-2020-14547", "CVE-2020-14550", "CVE-2020-14553", "CVE-2020-14559", "CVE-2020-14567", "CVE-2020-14576", "CVE-2020-15393", "CVE-2020-15436", "CVE-2020-8618", "CVE-2020-8619", "CVE-2020-8663"], "modified": "2020-07-25T00:00:00", "id": "PHSA-2020-1.0-0309", "href": "https://github.com/vmware/photon/wiki/Security-Updates-1.0-309", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-05-12T18:00:24", "description": "Updates of ['envoy', 'python3', 'linux', 'apache-tomcat', 'linux-esx', 'python2', 'mysql', 'bindutils'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-25T00:00:00", "type": "photon", "title": "Important Photon OS Security Update - PHSA-2020-0309", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20907", "CVE-2020-12603", "CVE-2020-12604", "CVE-2020-12605", "CVE-2020-12888", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-14305", "CVE-2020-14422", "CVE-2020-14539", "CVE-2020-14540", "CVE-2020-14547", "CVE-2020-14550", "CVE-2020-14553", "CVE-2020-14559", "CVE-2020-14567", "CVE-2020-14576", "CVE-2020-15393", "CVE-2020-15436", "CVE-2020-8618", "CVE-2020-8619", "CVE-2020-8663"], "modified": "2020-07-25T00:00:00", "id": "PHSA-2020-0309", "href": "https://github.com/vmware/photon/wiki/Security-Update-1.0-309", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-06-29T11:20:38", "description": "Updates of ['linux-aws', 'linux-secure', 'icu', 'linux-esx', 'linux', 'nodejs', 'gnutls'] packages of Photon OS have been released.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-10T00:00:00", "type": "photon", "title": "Critical Photon OS Security Update - PHSA-2020-0288", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4844", "CVE-2016-0494", "CVE-2016-6293", "CVE-2016-7415", "CVE-2017-14952", "CVE-2017-15396", "CVE-2017-15422", "CVE-2017-17484", "CVE-2017-7867", "CVE-2017-7868", "CVE-2020-0427", "CVE-2020-10531", "CVE-2020-12655", "CVE-2020-12771", "CVE-2020-12888", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14390", "CVE-2020-15393", "CVE-2020-15436", "CVE-2020-15437", "CVE-2020-24659", "CVE-2020-25212", "CVE-2020-25220", "CVE-2020-25284", "CVE-2020-25285", "CVE-2020-25641", "CVE-2020-26088", "CVE-2020-8252"], "modified": "2020-10-10T00:00:00", "id": "PHSA-2020-0288", "href": "https://github.com/vmware/photon/wiki/Security-Update-2.0-288", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2021-10-01T10:30:39", "description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-2420-2 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Ben Hutchings\nOctober 31, 2020 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : linux\nVersion : 4.9.240-2\nCVE ID : CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448\n CVE-2020-12351 
CVE-2020-12352 CVE-2020-12655 CVE-2020-12771\n CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331\n CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393\n CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212\n CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641\n CVE-2020-25643 CVE-2020-26088\n\nThis update corrects a regression in some Xen virtual machine\nenvironments. For reference the original advisory text follows.\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to the execution of arbitrary code, privilege escalation,\ndenial of service or information leaks.\n\nCVE-2019-9445\n\n A potential out-of-bounds read was discovered in the F2FS\n implementation. A user permitted to mount and access arbitrary\n filesystems could potentially use this to cause a denial of\n service (crash) or to read sensitive information.\n\nCVE-2019-19073, CVE-2019-19074\n\n Navid Emamdoost discovered potential memory leaks in the ath9k and\n ath9k_htc drivers. The security impact of these is unclear.\n\nCVE-2019-19448\n\n "Team bobfuzzer" reported a bug in Btrfs that could lead to a\n use-after-free, and could be triggered by crafted filesystem\n images. A user permitted to mount and access arbitrary\n filesystems could use this to cause a denial of service (crash or\n memory corruption) or possibly for privilege escalation.\n\nCVE-2020-12351\n\n Andy Nguyen discovered a flaw in the Bluetooth implementation in\n the way L2CAP packets with A2MP CID are handled. A remote attacker\n within a short distance, knowing the victim's Bluetooth device\n address, can send a malicious l2cap packet and cause a denial of\n service or possibly arbitrary code execution with kernel\n privileges.\n\nCVE-2020-12352\n\n Andy Nguyen discovered a flaw in the Bluetooth implementation.\n Stack memory is not properly initialised when handling certain AMP\n packets. 
A remote attacker within a short distance, knowing the\n victim's Bluetooth device address, can retrieve kernel\n stack information.\n\nCVE-2020-12655\n\n Zheng Bin reported that crafted XFS volumes could trigger a system\n hang. An attacker able to mount such a volume could use this to\n cause a denial of service.\n\nCVE-2020-12771\n\n Zhiqiang Liu reported a bug in the bcache block driver that could\n lead to a system hang. The security impact of this is unclear.\n\nCVE-2020-12888\n\n It was discovered that the PCIe Virtual Function I/O (vfio-pci)\n driver allowed users to disable a device's memory space while it\n was still mapped into a process. On some hardware platforms,\n local users or guest virtual machines permitted to access PCIe\n Virtual Functions could use this to cause a denial of service\n (hardware error and crash).\n\nCVE-2020-14305\n\n Vasily Averin of Virtuozzo discovered a potential heap buffer\n overflow in the netfilter nf_conntrack_h323 module. When this\n module is used to perform connection tracking for TCP/IPv6, a\n remote attacker could use this to cause a denial of service (crash\n or memory corruption) or possibly for remote code execution with\n kernel privilege.\n\nCVE-2020-14314\n\n A bug was discovered in the ext4 filesystem that could lead to an\n out-of-bound read. A local user permitted to mount and access\n arbitrary filesystem images could use this to cause a denial of\n service (crash).\n\nCVE-2020-14331\n\n A bug was discovered in the VGA console driver's soft-scrollback\n feature that could lead to a heap buffer overflow. On a system\n with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK\n enabled, a local user with access to a console could use this to\n cause a denial of service (crash or memory corruption) or possibly\n for privilege escalation.\n\nCVE-2020-14356, CVE-2020-25220\n\n A bug was discovered in the cgroup subsystem's handling of socket\n references to cgroups. 
In some cgroup configurations, this could\n lead to a use-after-free. A local user might be able to use this\n to cause a denial of service (crash or memory corruption) or\n possibly for privilege escalation.\n\n The original fix for this bug introduced a new security issue,\n which is also addressed in this update.\n\nCVE-2020-14386\n\n Or Cohen discovered a bug in the packet socket (AF_PACKET)\n implementation which could lead to a heap buffer overflow. A\n local user with the CAP_NET_RAW capability (in any user namespace)\n could use this to cause a denial of service (crash or memory\n corruption) or possibly for privilege escalation.\n\nCVE-2020-14390\n\n Minh Yuan discovered a bug in the framebuffer console driver's\n scrollback feature that could lead to a heap buffer overflow. On\n a system using framebuffer consoles, a local user with access to a\n console could use this to cause a denial of service (crash or\n memory corruption) or possibly for privilege escalation.\n\n The scrollback feature has been disabled for now, as no other fix\n was available for this issue.\n\nCVE-2020-15393\n\n Kyungtae Kim reported a memory leak in the usbtest driver. The\n security impact of this is unclear.\n\nCVE-2020-16166\n\n Amit Klein reported that the random number generator used by the\n network stack might not be re-seeded for long periods of time,\n making e.g. client port number allocations more predictable. This\n made it easier for remote attackers to carry out some network-\n based attacks such as DNS cache poisoning or device tracking.\n\nCVE-2020-24490\n\n Andy Nguyen discovered a flaw in the Bluetooth implementation that\n can lead to a heap buffer overflow. On systems with a Bluetooth 5\n hardware interface, a remote attacker within a short distance can\n use this to cause a denial of service (crash or memory corruption)\n or possibly for remote code execution with kernel privilege.\n\nCVE-2020-25211\n\n A flaw was discovered in netfilter subsystem. 
A local attacker\n able to inject conntrack Netlink configuration can cause a denial\n of service.\n\nCVE-2020-25212\n\n A bug was discovered in the NFSv4 client implementation that could\n lead to a heap buffer overflow. A malicious NFS server could use\n this to cause a denial of service (crash or memory corruption) or\n possibly to execute arbitrary code on the client.\n\nCVE-2020-25284\n\n It was discovered that the Rados block device (rbd) driver allowed\n tasks running as uid 0 to add and remove rbd devices, even if they\n dropped capabilities. On a system with the rbd driver loaded,\n this might allow privilege escalation from a container with a task\n running as root.\n\nCVE-2020-25285\n\n A race condition was discovered in the hugetlb filesystem's sysctl\n handlers, that could lead to stack corruption. A local user\n permitted to write to hugepages sysctls could use this to cause a\n denial of service (crash or memory corruption) or possibly for\n privilege escalation. By default only the root user can do this.\n\nCVE-2020-25641\n\n The syzbot tool found a bug in the block layer that could lead to\n an infinite loop. A local user with access to a raw block device\n could use this to cause a denial of service (unbounded CPU use and\n possible system hang).\n\nCVE-2020-25643\n\n ChenNan Of Chaitin Security Research Lab discovered a flaw in the\n hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr()\n function may lead to memory corruption and information disclosure.\n\nCVE-2020-26088\n\n It was discovered that the NFC (Near Field Communication) socket\n implementation allowed any user to create raw sockets. On a\n system with an NFC interface, this allowed local users to evade\n local network security policy.\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.9.240-1. 
This update additionally includes many more bug fixes from\nstable updates 4.9.229-4.9.240 inclusive.\n\nWe recommend that you upgrade your linux packages.\n\nFor the detailed security status of linux please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/linux\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \nBen Hutchings - Debian developer, member of kernel, installer and LTS teams\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-31T16:14:20", "type": "debian", "title": "[SECURITY] [DLA 2420-2] linux regression update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19448", "CVE-2020-16166", "CVE-2020-26088", "CVE-2020-12888", "CVE-2019-9445", "CVE-2020-25641", "CVE-2020-25285", "CVE-2020-14305", "CVE-2020-25643", "CVE-2020-24490", "CVE-2020-14331", "CVE-2020-15393", "CVE-2020-25211", "CVE-2020-25284", "CVE-2020-14356", "CVE-2020-25220", "CVE-2020-14386", "CVE-2020-25212", "CVE-2019-19073", "CVE-2020-14390", 
"CVE-2020-12352", "CVE-2020-14314", "CVE-2019-19074", "CVE-2020-12771", "CVE-2020-12655", "CVE-2020-12351"], "modified": "2020-10-31T16:14:20", "id": "DEBIAN:DLA-2420-2:175D1", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202010/msg00034.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-03-26T19:00:34", "description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-2420-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Ben Hutchings\nOctober 29, 2020 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : linux\nVersion : 4.9.240-1\nCVE ID : CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448\n CVE-2020-12351 CVE-2020-12352 CVE-2020-12655 CVE-2020-12771\n CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331\n CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393\n CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212\n CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641\n CVE-2020-25643 CVE-2020-26088\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to the execution of arbitrary code, privilege escalation,\ndenial of service or information leaks.\n\nCVE-2019-9445\n\n A potential out-of-bounds read was discovered in the F2FS\n implementation. A user permitted to mount and access arbitrary\n filesystems could potentially use this to cause a denial of\n service (crash) or to read sensitive information.\n\nCVE-2019-19073, CVE-2019-19074\n\n Navid Emamdoost discovered potential memory leaks in the ath9k and\n ath9k_htc drivers. The security impact of these is unclear.\n\nCVE-2019-19448\n\n "Team bobfuzzer" reported a bug in Btrfs that could lead to a\n use-after-free, and could be triggered by crafted filesystem\n images. 
A user permitted to mount and access arbitrary\n filesystems could use this to cause a denial of service (crash or\n memory corruption) or possibly for privilege escalation.\n\nCVE-2020-12351\n\n Andy Nguyen discovered a flaw in the Bluetooth implementation in\n the way L2CAP packets with A2MP CID are handled. A remote attacker\n within a short distance, knowing the victim's Bluetooth device\n address, can send a malicious l2cap packet and cause a denial of\n service or possibly arbitrary code execution with kernel\n privileges.\n\nCVE-2020-12352\n\n Andy Nguyen discovered a flaw in the Bluetooth implementation.\n Stack memory is not properly initialised when handling certain AMP\n packets. A remote attacker within a short distance, knowing the\n victim's Bluetooth device address, can retrieve kernel\n stack information.\n\nCVE-2020-12655\n\n Zheng Bin reported that crafted XFS volumes could trigger a system\n hang. An attacker able to mount such a volume could use this to\n cause a denial of service.\n\nCVE-2020-12771\n\n Zhiqiang Liu reported a bug in the bcache block driver that could\n lead to a system hang. The security impact of this is unclear.\n\nCVE-2020-12888\n\n It was discovered that the PCIe Virtual Function I/O (vfio-pci)\n driver allowed users to disable a device's memory space while it\n was still mapped into a process. On some hardware platforms,\n local users or guest virtual machines permitted to access PCIe\n Virtual Functions could use this to cause a denial of service\n (hardware error and crash).\n\nCVE-2020-14305\n\n Vasily Averin of Virtuozzo discovered a potential heap buffer\n overflow in the netfilter nf_conntrack_h323 module. 
When this\n module is used to perform connection tracking for TCP/IPv6, a\n remote attacker could use this to cause a denial of service (crash\n or memory corruption) or possibly for remote code execution with\n kernel privilege.\n\nCVE-2020-14314\n\n A bug was discovered in the ext4 filesystem that could lead to an\n out-of-bound read. A local user permitted to mount and access\n arbitrary filesystem images could use this to cause a denial of\n service (crash).\n\nCVE-2020-14331\n\n A bug was discovered in the VGA console driver's soft-scrollback\n feature that could lead to a heap buffer overflow. On a system\n with a custom kernel that has CONFIG_VGACON_SOFT_SCROLLBACK\n enabled, a local user with access to a console could use this to\n cause a denial of service (crash or memory corruption) or possibly\n for privilege escalation.\n\nCVE-2020-14356, CVE-2020-25220\n\n A bug was discovered in the cgroup subsystem's handling of socket\n references to cgroups. In some cgroup configurations, this could\n lead to a use-after-free. A local user might be able to use this\n to cause a denial of service (crash or memory corruption) or\n possibly for privilege escalation.\n\n The original fix for this bug introduced a new security issue,\n which is also addressed in this update.\n\nCVE-2020-14386\n\n Or Cohen discovered a bug in the packet socket (AF_PACKET)\n implementation which could lead to a heap buffer overflow. A\n local user with the CAP_NET_RAW capability (in any user namespace)\n could use this to cause a denial of service (crash or memory\n corruption) or possibly for privilege escalation.\n\nCVE-2020-14390\n\n Minh Yuan discovered a bug in the framebuffer console driver's\n scrollback feature that could lead to a heap buffer overflow. 
On\n a system using framebuffer consoles, a local user with access to a\n console could use this to cause a denial of service (crash or\n memory corruption) or possibly for privilege escalation.\n\n The scrollback feature has been disabled for now, as no other fix\n was available for this issue.\n\nCVE-2020-15393\n\n Kyungtae Kim reported a memory leak in the usbtest driver. The\n security impact of this is unclear.\n\nCVE-2020-16166\n\n Amit Klein reported that the random number generator used by the\n network stack might not be re-seeded for long periods of time,\n making e.g. client port number allocations more predictable. This\n made it easier for remote attackers to carry out some network-\n based attacks such as DNS cache poisoning or device tracking.\n\nCVE-2020-24490\n\n Andy Nguyen discovered a flaw in the Bluetooth implementation that\n can lead to a heap buffer overflow. On systems with a Bluetooth 5\n hardware interface, a remote attacker within a short distance can\n use this to cause a denial of service (crash or memory corruption)\n or possibly for remote code execution with kernel privilege.\n\nCVE-2020-25211\n\n A flaw was discovered in netfilter subsystem. A local attacker\n able to inject conntrack Netlink configuration can cause a denial\n of service.\n\nCVE-2020-25212\n\n A bug was discovered in the NFSv4 client implementation that could\n lead to a heap buffer overflow. A malicious NFS server could use\n this to cause a denial of service (crash or memory corruption) or\n possibly to execute arbitrary code on the client.\n\nCVE-2020-25284\n\n It was discovered that the Rados block device (rbd) driver allowed\n tasks running as uid 0 to add and remove rbd devices, even if they\n dropped capabilities. 
On a system with the rbd driver loaded,\n this might allow privilege escalation from a container with a task\n running as root.\n\nCVE-2020-25285\n\n A race condition was discovered in the hugetlb filesystem's sysctl\n handlers, that could lead to stack corruption. A local user\n permitted to write to hugepages sysctls could use this to cause a\n denial of service (crash or memory corruption) or possibly for\n privilege escalation. By default only the root user can do this.\n\nCVE-2020-25641\n\n The syzbot tool found a bug in the block layer that could lead to\n an infinite loop. A local user with access to a raw block device\n could use this to cause a denial of service (unbounded CPU use and\n possible system hang).\n\nCVE-2020-25643\n\n ChenNan Of Chaitin Security Research Lab discovered a flaw in the\n hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr()\n function may lead to memory corruption and information disclosure.\n\nCVE-2020-26088\n\n It was discovered that the NFC (Near Field Communication) socket\n implementation allowed any user to create raw sockets. On a\n system with an NFC interface, this allowed local users to evade\n local network security policy.\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.9.240-1. 
This update additionally includes many more bug fixes from\nstable updates 4.9.229-4.9.240 inclusive.\n\nWe recommend that you upgrade your linux packages.\n\nFor the detailed security status of linux please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/linux\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \nBen Hutchings - Debian developer, member of kernel, installer and LTS teams\nAttachment:\nsignature.asc\nDescription: This is a digitally signed message part\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-30T14:21:51", "type": "debian", "title": "[SECURITY] [DLA 2420-1] linux security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19073", "CVE-2019-19074", "CVE-2019-19448", "CVE-2019-9445", "CVE-2020-12351", "CVE-2020-12352", "CVE-2020-12655", "CVE-2020-12771", "CVE-2020-12888", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14331", "CVE-2020-14356", "CVE-2020-14386", "CVE-2020-14390", 
"CVE-2020-15393", "CVE-2020-16166", "CVE-2020-24490", "CVE-2020-25211", "CVE-2020-25212", "CVE-2020-25220", "CVE-2020-25284", "CVE-2020-25285", "CVE-2020-25641", "CVE-2020-25643", "CVE-2020-26088"], "modified": "2020-10-30T14:21:51", "id": "DEBIAN:DLA-2420-1:692E7", "href": "https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "androidsecurity": [{"lastseen": "2021-11-26T23:22:27", "description": "The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2021-06-05 or later address all of these issues. To learn how to check a device's security patch level, see [Check and update your Android version](<https://support.google.com/pixelphone/answer/4457705>).\n\nAndroid partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP. \n\nThe most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed. 
\n\n## Announcements\n\n * For July, the Android public security bulletin will be released on July 7, 2021\n\nRefer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.\n\n**Note**: Information on the latest over-the-air update (OTA) and firmware images for Google devices is available in the June 2021 Pixel Update Bulletin. \n\n## Android and Google service mitigations\n\nThis is a summary of the mitigations provided by the Android security platform and service protections such as [Google Play Protect](<https://developers.google.com/android/play-protect>). These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.\n\n * Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.\n * The Android security team actively monitors for abuse through [Google Play Protect](<https://developers.google.com/android/play-protect>) and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with [Google Mobile Services](<http://www.android.com/gms>), and is especially important for users who install apps from outside of Google Play. \n\n## 2021-06-01 security patch level vulnerability details\n\nIn the sections below, we provide details for each of the security vulnerabilities that apply to the 2021-06-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. 
When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as [Google Play system updates](<https://support.google.com/android/answer/7680439>). \n\n### Android runtime\n\nThe vulnerability in this section could enable a local attacker to execute arbitrary code and bypass user interaction requirements in order to gain access to additional permissions. \n\nCVE | References | Type | Severity | Updated AOSP versions \n---|---|---|---|--- \nCVE-2021-0511 | [A-178055795](<https://android.googlesource.com/platform/art/+/7c7cae75a80eece7cf009ea12da644ea7c893c1d>) [[2](<https://android.googlesource.com/platform/art/+/2c4ee9b7ff3a8ce17ba4e0cfd841eb2027d51619>)] [[3](<https://android.googlesource.com/platform/art/+/c802c3713270b363240dc48409a66c5c35601281>)] | EoP | High | 9, 10, 11 \n \n### Framework\n\nThe vulnerability in this section could lead to local information disclosure of cross-user permissions with no additional execution privileges needed. \n\nCVE | References | Type | Severity | Updated AOSP versions \n---|---|---|---|--- \nCVE-2021-0521 | [A-174661955](<https://android.googlesource.com/platform/frameworks/base/+/9b694ef4d45ca54bcc4b7de6940f5608047a1a16>) | ID | High | 8.1, 9, 10, 11 \n \n### Media Framework\n\nThe most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. 
\n\nCVE | References | Type | Severity | Updated AOSP versions \n---|---|---|---|--- \nCVE-2021-0508 | [A-176444154](<https://android.googlesource.com/platform/frameworks/av/+/e07417a9b7829cfb32505947f700fd8dad9e12e6>) | EoP | High | 8.1, 9, 10, 11 \nCVE-2021-0509 | [A-176444161](<https://android.googlesource.com/platform/frameworks/av/+/79a6ffbdaf14cfbb597efd8545ba401f1da28a4f>) [[2](<https://android.googlesource.com/platform/hardware/interfaces/+/a4e76aab230a565dd0cef11e2e6e2d782b685327>)] | EoP | High | 8.1, 9, 10, 11 \nCVE-2021-0510 | [A-176444622](<https://android.googlesource.com/platform/hardware/interfaces/+/9191787d0e73712608eff22fca9aea9480d4691e>) | EoP | High | 8.1, 9, 10, 11 \nCVE-2021-0520 | [A-176237595](<https://android.googlesource.com/platform/frameworks/av/+/3b1141d44f448ea9a528ff8af8f128686c35039d>) | EoP | High | 10, 11 \n \n### System\n\nThe most severe vulnerability in this section could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. 
\n\nCVE | References | Type | Severity | Updated AOSP versions \n---|---|---|---|--- \nCVE-2021-0507 | [A-181860042](<https://android.googlesource.com/platform/system/bt/+/4deeb022c7efe39e9ce34d9373ba900d9ed2741f>) | RCE | Critical | 8.1, 9, 10, 11 \nCVE-2021-0516 | [A-181660448](<https://android.googlesource.com/platform/external/wpa_supplicant_8/+/13c4cdae55e840a1a47e57e19bfa59135358b8ca>) | EoP | Critical | 8.1, 9, 10, 11 \nCVE-2021-0505 | [A-179975048](<https://android.googlesource.com/platform/packages/apps/Settings/+/735a216da31d8440d23fed4355521013ead630f3>) | EoP | High | 11 \nCVE-2021-0506 | [A-181962311](<https://android.googlesource.com/platform/packages/apps/Settings/+/ceb2e28da4f29954fbf6b6c2f10678458ef4a288>) | EoP | High | 8.1, 9, 10, 11 \nCVE-2021-0523 | [A-174047492](<https://android.googlesource.com/platform/packages/apps/Settings/+/05d6fa9bcb90886ac2611f86bb7d2af7078eb3ad>) | EoP | High | 10, 11 \nCVE-2021-0504 | [A-179162665](<https://android.googlesource.com/platform/system/bt/+/6e3c984806aa0ba9e8a836ef9fed12c1207a161e>) | ID | High | 11 \nCVE-2021-0517 | [A-179053823](<https://android.googlesource.com/platform/frameworks/base/+/5b90ebaf4d9edefcd9648b46cd0226f882169476>) | ID | High | 11 \nCVE-2021-0522 | [A-174182139](<https://android.googlesource.com/platform/system/bt/+/71c573ae67b6a15c33ad1036b37b999c54d7236b>) | ID | High | 9, 10, 11 \n \n### Google Play system updates\n\nThere are no security issues addressed in Google Play system updates (Project Mainline) this month.\n\n## 2021-06-05 security patch level vulnerability details\n\nIn the sections below, we provide details for each of the security vulnerabilities that apply to the 2021-06-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). 
When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. \n\n### Framework\n\nThe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. \n\nCVE | References | Type | Severity | Updated AOSP versions \n---|---|---|---|--- \nCVE-2021-0513 | [A-156090809](<https://android.googlesource.com/platform/frameworks/base/+/8cb7e0a881fed2a7d80b69aed77275bd483043ad>) | EoP | High | 8.1, 9, 10, 11 \n \n### System\n\nThe most severe vulnerability in this section could enable a remote attacker using a specially crafted transmission to gain access to additional permissions. \n\nCVE | References | Type | Severity | Updated AOSP versions \n---|---|---|---|--- \nCVE-2020-26555 | [A-174626251](<https://android.googlesource.com/platform/system/bt/+/374bb0401a5649af4a97e8d8c7373c7daf37f6ac>) | EoP | High | 8.1, 9, 10, 11 \nCVE-2020-26558 | [A-174886838](<https://android.googlesource.com/platform/system/bt/+/45678238713ba15cca8dd453b992caedf1d43ec5>) | EoP | High | 8.1, 9, 10, 11 \nCVE-2021-0478 | [A-169255797](<https://android.googlesource.com/platform/frameworks/base/+/bca2b3aeabd164c1cf4bdc113366665976b0c831>) | EoP | High | 8.1, 9, 10, 11 \n \n### Kernel components\n\nThe most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. 
\n\nCVE | References | Type | Severity | Component \n---|---|---|---|--- \nCVE-2020-14305 | A-174904512 [Upstream kernel](<https://android.googlesource.com/kernel/common/+/396ba2fc4f27ef6c44bbc0098bfddf4da76dc4c9>) | EoP | High | Voice Over IP H.323 \nCVE-2021-0512 | A-173843328 [Upstream kernel](<https://android.googlesource.com/kernel/common/+/ed9be64eefe2>) | EoP | High | HID \n \n### MediaTek components\n\nThese vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek. \n\nCVE | References | Severity | Component \n---|---|---|--- \nCVE-2021-0525 | A-185193929 M-ALPS05403499* | High | memory management driver \nCVE-2021-0526 | A-185195264 M-ALPS05403499* | High | memory management driver \nCVE-2021-0527 | A-185193931 M-ALPS05403499* | High | memory management driver \nCVE-2021-0528 | A-185195266 M-ALPS05403499 * | High | memory management driver \nCVE-2021-0529 | A-185195268 M-ALPS05403499* | High | memory management driver \nCVE-2021-0530 | A-185196175 M-ALPS05403499 * | High | memory management driver \nCVE-2021-0531 | A-185195272 M-ALPS05403499* | High | memory management driver \nCVE-2021-0532 | A-185196177 M-ALPS05403499* | High | memory management driver \nCVE-2021-0533 | A-185193932 M-ALPS05403499* | High | memory management driver \n \n### Qualcomm components\n\nThis vulnerability affects Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of this issue is provided directly by Qualcomm. 
\n\nCVE | References | Severity | Component \n---|---|---|--- \nCVE-2020-11267 | A-168918351 [QC-CR#2723768](<https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=6b3e480f729f291ec9e89e9864582795f02ac1d9>) [[2](<https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=b2d624743de45b07bffc53224fa8987dd7199fae>)] [[3](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=4e921964bd0686950>)] | High | Security \n \n### Qualcomm closed-source components\n\nThese vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. \n\nCVE | References | Severity | Component \n---|---|---|--- \nCVE-2020-11176 | A-175038159* | Critical | Closed-source component \nCVE-2020-11291 | A-175038624* | Critical | Closed-source component \nCVE-2020-26558 | A-179039983* | Critical | Closed-source component \nCVE-2020-11292 | A-171309888* | High | Closed-source component \nCVE-2020-11298 | A-175038385* | High | Closed-source component \nCVE-2020-11304 | A-167567084* | High | Closed-source component \nCVE-2020-11306 | A-175038981* | High | Closed-source component \nCVE-2020-26555 | A-181682537* | High | Closed-source component \nCVE-2021-1900 | A-181682536* | High | Closed-source component \nCVE-2021-1925 | A-179040020* | High | Closed-source component \nCVE-2021-1937 | A-181682513* | High | Closed-source component \n \n## Common questions and answers\n\nThis section answers common questions that may occur after reading this bulletin.\n\n**1\\. 
How do I determine if my device is updated to address these issues?**\n\nTo learn how to check a device's security patch level, see [Check and update your Android version](<https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices>).\n\n * Security patch levels of 2021-06-01 or later address all issues associated with the 2021-06-01 security patch level.\n * Security patch levels of 2021-06-05 or later address all issues associated with the 2021-06-05 security patch level and all previous patch levels.\n\nDevice manufacturers that include these updates should set the patch string level to:\n\n * [ro.build.version.security_patch]:[2021-06-01]\n * [ro.build.version.security_patch]:[2021-06-05]\n\nFor some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2021-06-01 security patch level. Please see [this article](<https://support.google.com/android/answer/7680439>) for more details on how to install security updates.\n\n**2\\. Why does this bulletin have two security patch levels?**\n\nThis bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.\n\n * Devices that use the 2021-06-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.\n * Devices that use the security patch level of 2021-06-05 or newer must include all applicable patches in this (and previous) security bulletins.\n\nPartners are encouraged to bundle the fixes for all issues they are addressing in a single update.\n\n**3\\. 
What do the entries in the _Type_ column mean?**\n\nEntries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.\n\nAbbreviation | Definition \n---|--- \nRCE | Remote code execution \nEoP | Elevation of privilege \nID | Information disclosure \nDoS | Denial of service \nN/A | Classification not available \n \n**4\\. What do the entries in the _References_ column mean?**\n\nEntries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.\n\nPrefix | Reference \n---|--- \nA- | Android bug ID \nQC- | Qualcomm reference number \nM- | MediaTek reference number \nN- | NVIDIA reference number \nB- | Broadcom reference number \n \n**5\\. What does an * next to the Android bug ID in the _References_ column mean?**\n\nIssues that are not publicly available have an * next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the [Google Developer site](<https://developers.google.com/android/drivers>). \n\n**6\\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**\n\nSecurity vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. 
Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as [Google](<https://source.android.com/security/bulletin/pixel>), [Huawei](<https://consumer.huawei.com/en/support/bulletin/>), [LGE](<https://lgsecurity.lge.com/security_updates_mobile.html>), [Motorola](<https://motorola-global-portal.custhelp.com/app/software-security-page/g_id/6806>), [Nokia](<https://www.nokia.com/phones/en_int/security-updates>), or [Samsung](<https://security.samsungmobile.com/securityUpdate.smsb>).\n\n## Versions\n\nVersion | Date | Notes \n---|---|--- \n1.0 | June 7, 2021 | Bulletin published \n1.1 | June 8, 2021 | Bulletin revised to include AOSP links\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-07T00:00:00", "type": "androidsecurity", "title": "Android Security Bulletin\u2014June 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11176", "CVE-2020-11267", "CVE-2020-11291", "CVE-2020-11292", "CVE-2020-11298", "CVE-2020-11304", "CVE-2020-11306", "CVE-2020-14305", "CVE-2020-26555", "CVE-2020-26558", "CVE-2021-0478", 
"CVE-2021-0504", "CVE-2021-0505", "CVE-2021-0506", "CVE-2021-0507", "CVE-2021-0508", "CVE-2021-0509", "CVE-2021-0510", "CVE-2021-0511", "CVE-2021-0512", "CVE-2021-0513", "CVE-2021-0516", "CVE-2021-0517", "CVE-2021-0520", "CVE-2021-0521", "CVE-2021-0522", "CVE-2021-0523", "CVE-2021-0525", "CVE-2021-0526", "CVE-2021-0527", "CVE-2021-0528", "CVE-2021-0529", "CVE-2021-0530", "CVE-2021-0531", "CVE-2021-0532", "CVE-2021-0533", "CVE-2021-1900", "CVE-2021-1925", "CVE-2021-1937"], "modified": "2021-06-08T00:00:00", "id": "ANDROID:2021-06-01", "href": "https://source.android.com/security/bulletin/2021-06-01", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2021-10-19T20:37:38", "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n* kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)\n\n* kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)\n\n* kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n* kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)\n\nSpace precludes documenting all of the security fixes in this advisory. 
See the descriptions of the remaining security fixes in the related Knowledge Article:\n\nhttps://access.redhat.com/articles/5442481\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-09-29T18:41:41", "type": "redhat", "title": "(RHSA-2020:4062) Important: kernel-rt security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18551", "CVE-2018-20836", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16994", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", 
"CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20636", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-14305", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2020-09-29T18:42:38", "id": "RHSA-2020:4062", "href": "https://access.redhat.com/errata/RHSA-2020:4062", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-19T20:36:16", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n* kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)\n\n* kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)\n\n* kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n* kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)\n\nSpace precludes documenting all of the security fixes in this advisory. 
See the descriptions of the remaining security fixes in the related Knowledge Article:\n\nhttps://access.redhat.com/articles/5442421\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-09-29T18:42:12", "type": "redhat", "title": "(RHSA-2020:4060) Important: kernel security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18551", "CVE-2018-20836", "CVE-2019-12614", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16994", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", 
"CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20636", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-14305", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2020-09-29T18:43:41", "id": "RHSA-2020:4060", "href": "https://access.redhat.com/errata/RHSA-2020:4060", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2022-02-27T16:05:06", "description": "**CentOS Errata and Security Advisory** CESA-2020:4060\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)\n\n* kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)\n\n* kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)\n\n* kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)\n\n* kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)\n\nSpace precludes documenting all of the security fixes in this advisory. 
See the descriptions of the remaining security fixes in the related Knowledge Article:\n\nhttps://access.redhat.com/articles/5442421\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-cr-announce/2020-October/019435.html\n\n**Affected packages:**\nbpftool\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2020:4060", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-10-20T18:20:15", "type": "centos", "title": "bpftool, kernel, perf, python security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2017-18551", "CVE-2018-20836", "CVE-2019-12614", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16994", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20636", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-14305", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2020-10-20T18:20:15", "id": "CESA-2020:4060", "href": "https://lists.centos.org/pipermail/centos-cr-announce/2020-October/019435.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2022-06-28T22:06:13", "description": "## Summary\n\nIBM Data Risk Manager has addressed the following vulnerabilities:\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-14305](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14305>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to gain elevated privileges on the system, caused by an out-of-bounds memory write flaw in how the Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. An attacker could exploit this vulnerability to gain elevated privileges on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192482](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192482>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10942](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10942>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by improper validation of an sk_family field by the get_raw_socket function in drivers/vhost/net.c. By sending specially-crafted system calls, a local attacker could exploit this vulnerability to cause a kernel stack corruption resulting in a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178539](<https://exchange.xforce.ibmcloud.com/vulnerabilities/178539>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-2732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2732>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an issue with the vmx_check_intercept function not fully implemented by KVM on Intel processors. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive L1 resource information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176766](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176766>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-9383](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9383>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the set_fdc function in drivers/block/floppy.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition. 
\nCVSS Base score: 7.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176792](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176792>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) \n \n** CVEID: **[CVE-2021-24122](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when serving resources from a network location using the NTFS file system. By sending a specially-crafted request, an attacker could exploit this vulnerability to view the source code for JSPs in some configurations, and use this information to launch further attacks against the affected system. \nCVSS Base score: 8.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/194894](<https://exchange.xforce.ibmcloud.com/vulnerabilities/194894>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) \n \n** CVEID: **[CVE-2020-25695](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25695>) \n** DESCRIPTION: **PostgreSQL could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when creating non-temporary objects in at least one schema. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary SQL functions under the identity of a superuser. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191771](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191771>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-25694](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25694>) \n** DESCRIPTION: **PostgreSQL could allow a remote attacker to obtain sensitive information, caused by the use of clear-text transmissions when reusing the basic connection parameters while dropping security-relevant parameters. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/191770](<https://exchange.xforce.ibmcloud.com/vulnerabilities/191770>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-5412](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5412>) \n** DESCRIPTION: **Spring Cloud Netflix could allow a remote attacker to bypass security restrictions, caused by a flaw when using the Hystrix Dashboard proxy.stream endpoint. An attacker could exploit this vulnerability to send a request to other servers that should not be exposed publicly. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186504](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186504>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-11656](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11656>) \n** DESCRIPTION: **SQLite could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the ALTER TABLE implementation. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information and then use this information to launch further attacks against the affected system. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180285](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180285>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-11655](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11655>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by mishandling the AggInfo object's initialization. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180289](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180289>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-10754](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10754>) \n** DESCRIPTION: **NetworkManager could allow a remote authenticated attacker to bypass security restrictions, caused by improper configuration in the nmcli. By connecting to a network, an attacker could exploit this vulnerability to bypass authentication. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184636](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184636>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-5411](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5411>) \n** DESCRIPTION: **VMware Spring Batch could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when configured to enable default typing. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183336](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183336>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-25696](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25696>) \n** DESCRIPTION: **PostgreSQL could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the psql interactive terminal. If an interactive psql session uses \\gset when querying a compromised server, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192321](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192321>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-19768](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19768>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173055>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-19338](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19338>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a Transaction Asynchronous Abort (TAA) h/w issue in KVM. 
By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172836](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172836>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-19767](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19767>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the __ext4_expand_extra_isize and ext4_xattr_set_entry functions in fs/ext4/inode.c and fs/ext4/super.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173054](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173054>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-19332](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19332>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory write in KVM hypervisor. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173143](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173143>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-19447](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19447>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the ext4_put_super function in fs/ext4/super.c. By using a specially-crafted image file, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172760](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172760>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-5408](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5408>) \n** DESCRIPTION: **VMware Tanzu Spring Security could allow a remote attacker to obtain sensitive information, caused by the use of a fixed null initialization vector with CBC Mode. By using dictionary attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181969](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181969>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-5407](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5407>) \n** DESCRIPTION: **Spring Security could allow a remote attacker to bypass security restrictions, caused by a signature wrapping vulnerability during SAML response validation. An attacker could exploit this vulnerability to modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid. 
\nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181939](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181939>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-13943](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13943>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to see the responses for unexpected resources, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189643](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189643>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-9327](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9327>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a NULL pointer dereference in isAuxiliaryVtabOperator. By generating column optimization, a remote attacker could exploit this vulnerability to cause a segmentation fault. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/176691](<https://exchange.xforce.ibmcloud.com/vulnerabilities/176691>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-17527](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17527>) \n** DESCRIPTION: **Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue when the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. 
By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192612](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192612>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-8647](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8647>) \n** DESCRIPTION: **Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the vc_do_resize function of drivers/tty/vt/vt.c. An attacker could exploit this vulnerability to read memory that should not be available for access. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175842](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175842>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2020-8649](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8649>) \n** DESCRIPTION: **Linux kernel could allow a remote attacker to obtain sensitive information, caused by a use-after-free in the vgacon_invert_region function of drivers/video/console/vgacon.c. An attacker could exploit this vulnerability to read memory that should not be available for access. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175844](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175844>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) \n \n** CVEID: **[CVE-2020-2590](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174538](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174538>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14792](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14792>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Hotspot component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190110](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190110>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-14797](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14797>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190115](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190115>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14779](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14779>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190097](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190097>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14796](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14796>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/190114](<https://exchange.xforce.ibmcloud.com/vulnerabilities/190114>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-12352](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12352>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to obtain sensitive information, caused by improper access control in the BlueZ implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189720](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189720>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-12351](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12351>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to gain elevated privileges on the system, caused by improper input validation in the BlueZ implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain elevated privileges. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189719](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189719>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-12770](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12770>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by sg_write lacking an sg_remove_request call in a certain failure case. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a panic. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-10693](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10693>) \n** DESCRIPTION: **Hibernate Validator could allow a remote attacker to bypass security restrictions, caused by a flaw in the message interpolation processor. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass input sanitation controls when handling user-controlled data in error messages. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182240](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182240>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-11565](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11565>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a stack-based out-of-bounds write flaw in the mpol_parse_str function in mm/mempolicy.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/179100](<https://exchange.xforce.ibmcloud.com/vulnerabilities/179100>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10690](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10690>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the cdev_put function in the Precision Time Protocol (PTP). By removing a PTP device while chardev is open, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. \nCVSS Base score: 4.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180182](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180182>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-13934](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13934>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by not releasing the HTTP/1.1 processor after the upgrade to HTTP/2 in an h2c direct connection. By sending specially-crafted requests, a remote attacker could exploit this vulnerability to cause OutOfMemoryException resulting in a denial of service. 
\nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185239](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185239>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-5413](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5413>) \n** DESCRIPTION: **VMware Tanzu Spring Integration could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization when configuring Kryo in code. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186211](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186211>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10751](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10751>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with improper validation of first netlink message by the SELinux LSM hook implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow or deny the rest of the netlink messages within the skb with the granted permission without further processing. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182451](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182451>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) \n \n** CVEID: **[CVE-2020-2601](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2601>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174548](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174548>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-10732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10732>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the implementation of Userspace core dumps. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a program to crash. \nCVSS Base score: 3.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181554](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181554>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-18282](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18282>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to obtain sensitive information, caused by a device tracking vulnerability in flow_dissector feature. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and then use this information to launch further attacks against the affected system. 
\nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174716](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174716>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-14349](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14349>) \n** DESCRIPTION: **PostgreSQL could allow a remote authenticated attacker to execute arbitrary command on the system, caused by improper sanitization of search_path during logical replication. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary SQL command in the context of the user used for replication. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187185](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187185>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14350](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14350>) \n** DESCRIPTION: **PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the failure to use search_path safely in their installation script. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary script. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-25212](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25212>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a TOCTOU mismatch in the NFS client code. 
By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or corrupt memory. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188137](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188137>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2020-15358](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15358>) \n** DESCRIPTION: **SQLite is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mishandling of query-flattener optimization in select.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184103>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-24394](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24394>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by the lack of ACL support to the filesystems in fs/nfsd/vfs.c (in the NFS server). By sending a specially-crafted request, an attacker could exploit this vulnerability to set incorrect permissions on new filesystem objects. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186968](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186968>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2019-20636](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20636>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the input_set_keycode function. By using a specially-crafted keycode table, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. \nCVSS Base score: 8.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181202](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181202>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14331](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14331>) \n** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by an out-of-bounds write flaw in the implementation of the invert video code on VGA consoles. By sending a specially-crafted request to resize the console, an authenticated attacker could exploit this vulnerability to gain elevated privileges or crash the system. \nCVSS Base score: 6.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185987](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185987>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11971](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11971>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to obtain sensitive information, caused by a rebind flaw in JMX. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181961](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181961>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-11973](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11973>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in Netty. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181963>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-11972](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11972>) \n** DESCRIPTION: **Apache Camel could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Java application component in RabbitMQ. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181962](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181962>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-13435](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13435>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a flaw in the sqlite3ExprCodeTarget function in expr.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a segmentation fault. 
\nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182406](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182406>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-13434](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13434>) \n** DESCRIPTION: **SQLite is vulnerable to a stack-based buffer overflow, caused by an integer overflow in the sqlite3_str_vappendf function. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182405](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182405>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-10757](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10757>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a flaw when remapping (mremap) a mmaped DAX nvdimm to a mmaped anonymous memory region. By executing a specially-crafted program, a local attacker could exploit this vulnerability to cause a corrupted page table, resulting in a denial of service condition. \nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182919](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182919>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-12826](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12826>) \n** DESCRIPTION: **Linux Kernel could allow a local attacker to bypass security restrictions, caused by a signal access-control issue in exec_id in include/linux/sched.h. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass checks to send any signal to a privileged process. 
\nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182113](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182113>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-1749](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1749>) \n** DESCRIPTION: **Linux Kernel could allow a remote attacker to obtain sensitive information, caused by an error in the implementation of some ipv6 protocols in encrypted Ipsec tunnels. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to read the traffic unencrypted. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/181872](<https://exchange.xforce.ibmcloud.com/vulnerabilities/181872>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2020-14583](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14583>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 8.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185061](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185061>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-14593](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14593>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact. 
\nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185071](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185071>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-14621](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14621>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185099](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185099>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14556](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14556>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base score: 4.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185034](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185034>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2020-14581](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14581>) \n** DESCRIPTION: **An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the 2D component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185059](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185059>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-14579](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14579>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185057](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185057>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14578](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14578>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185056](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185056>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14577](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14577>) \n** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185055](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185055>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2019-17639](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17639>) \n** DESCRIPTION: **Eclipse OpenJ9 could allow a remote attacker to obtain sensitive information, caused by the premature return of the current method with an undefined return value. By invoking the System.arraycopy method with a length longer than the length of the source or destination array, an attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185437](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185437>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n** CVEID: **[CVE-2020-13631](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13631>) \n** DESCRIPTION: **SQLite could allow a remote attacker to bypass security restrictions, caused by a flaw in alter.c and build.c. By sending a specially crafted request, an attacker could exploit this vulnerability to rename the virtual table to the name of one of its shadow tables. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182611](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182611>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-13632](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13632>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a NULL pointer dereference in ext/fts3/fts3_snippet.c. By sending a specially crafted matchinfo() query, a remote attacker could exploit this vulnerability to cause a denial of service. 
\nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182610](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182610>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-13630](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13630>) \n** DESCRIPTION: **SQLite is vulnerable to a denial of service, caused by a use-after-free in fts3EvalNextRow in ext/fts3/fts3.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182613](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182613>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-5421](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5421>) \n** DESCRIPTION: **VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass RFD Protection. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188530](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188530>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2020-14385](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14385>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a failure of the file system metadata validator in XFS. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the system to shutdown. 
\nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188394](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188394>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-14314](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14314>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory out-of-bounds read flaw. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the system to crash. \nCVSS Base score: 4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188395](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188395>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-13935](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13935>) \n** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by improper validation of the payload length in a WebSocket frame. By sending multiple requests with invalid payload lengths, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185227](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185227>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-25643](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25643>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by memory corruption and read overflow flaws in the ppp_cp_parse_cr function in the HDLC_PPP module. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause the system to crash or a denial of service condition. 
\nCVSS Base score: 6.2 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189415](<https://exchange.xforce.ibmcloud.com/vulnerabilities/189415>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2020-25638](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25638>) \n** DESCRIPTION: **Hibernate ORM is vulnerable to SQL injection, caused by misconfiguration for hibernate.use_sql_comments. A remote attacker could send specially-crafted SQL statements to view, add, modify or delete information in the back-end database. \nCVSS Base score: 7.4 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192057](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192057>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2019-14895](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14895>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mwifiex_process_country_ie function in drivers/net/wireless/marvell/mwifiex/sta_ioctl.c. By sending a specially-crafted beacon packet, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172101](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172101>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17133](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17133>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the cfg80211_mgd_wext_giwessid functions in net/wireless/wext-sme.c. 
By sending an overly long SSID IE, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/168370](<https://exchange.xforce.ibmcloud.com/vulnerabilities/168370>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-18660](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18660>) \n** DESCRIPTION: **Linux Kernel for PowerPC could allow a local authenticated attacker to obtain sensitive information, caused by the failure to activate the mitigation for Spectre-RSB on context switch. By using side channel attacks, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172297](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172297>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) \n \n** CVEID: **[CVE-2019-19046](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19046>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c. A remote attacker could exploit this vulnerability to consume all available memory resources. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171754](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171754>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-17666](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17666>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the rtl_p2p_noa_ie function in drivers/net/wireless/realtek/rtlwifi/ps.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169487](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169487>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-19062](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19062>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the crypto_report() function in crypto/crypto_user_base.c. A remote attacker could exploit this vulnerability to consume all available memory resources. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/171776](<https://exchange.xforce.ibmcloud.com/vulnerabilities/171776>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-14901](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14901>) \n** DESCRIPTION: **Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mwifiex_process_tdls_action_frame function in marvell/mwifiex/tdls.c. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172100](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172100>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-20907](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907>) \n** DESCRIPTION: **Python is vulnerable to a denial of service, caused by a flaw in the tarfile module in Lib/tarfile.py. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/185442](<https://exchange.xforce.ibmcloud.com/vulnerabilities/185442>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM DRM| 2.0.6 \n \n\n\n## Remediation/Fixes\n\nTo obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.6, and then apply the latest FixPack 2.0.6.7. The FixPack is not cumulative. 
So it must be applied on top of 2.0.6.6 in sequence.\n\n_Product_| _VRMF_| _APAR \n_| _Remediation / First Fix_ \n---|---|---|--- \nIBM Data Risk Manager| 2.0.6| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.1_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.4.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n5) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n7) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.1| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n2) Apply 
[DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n4) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n5) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.2| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n3) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n5) Apply 
[DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.3| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n2) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.4| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.5| \n\n- \n\n\n| \n\n1) Apply 
[DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.6| \n\n- \n\n\n| \n\n1) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>) \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n28 Jan 2021: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSJQ6V\",\"label\":\"IBM Data Risk Manager\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF004\",\"label\":\"Appliance\"}],\"Version\":\"2.0.6\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-02T05:06:51", "type": "ibm", "title": "Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14895", "CVE-2019-14901", "CVE-2019-17133", "CVE-2019-17639", "CVE-2019-17666", "CVE-2019-18282", "CVE-2019-18660", "CVE-2019-19046", "CVE-2019-19062", "CVE-2019-19332", "CVE-2019-19338", "CVE-2019-19447", "CVE-2019-19767", "CVE-2019-19768", "CVE-2019-20636", "CVE-2019-20907", "CVE-2020-10690", 
"CVE-2020-10693", "CVE-2020-10732", "CVE-2020-10751", "CVE-2020-10754", "CVE-2020-10757", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-12351", "CVE-2020-12352", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13943", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14331", "CVE-2020-14349", "CVE-2020-14350", "CVE-2020-14385", "CVE-2020-14556", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14581", "CVE-2020-14583", "CVE-2020-14593", "CVE-2020-14621", "CVE-2020-14779", "CVE-2020-14792", "CVE-2020-14796", "CVE-2020-14797", "CVE-2020-15358", "CVE-2020-1749", "CVE-2020-17527", "CVE-2020-24394", "CVE-2020-25212", "CVE-2020-25638", "CVE-2020-25643", "CVE-2020-25694", "CVE-2020-25695", "CVE-2020-25696", "CVE-2020-2590", "CVE-2020-2601", "CVE-2020-2732", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-5411", "CVE-2020-5412", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9327", "CVE-2020-9383", "CVE-2021-24122"], "modified": "2021-02-02T05:06:51", "id": "F0AFFAB5446BEF6A6B346CA7237A1583252E55B1EA002352E7DFDFFB5796363C", "href": "https://www.ibm.com/support/pages/node/6410788", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}