Lucene search

K
mageiaGentoo FoundationMGASA-2018-0345
HistoryAug 19, 2018 - 2:24 p.m.

Updated kernel packages fix security vulnerabilities

2018-08-1914:24:54
Gentoo Foundation
advisories.mageia.org
40

CVSS2

5.4

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:P/A:N

CVSS3

6.4

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS

0.002

Percentile

64.5%

This kernel update is based on the upstream 4.14.65 and adds fixes and mitigations for the now publically known security issue affecting Intel processors called L1 Terminal Fault (L1TF): Systems with microprocessors utilizing speculative execution and Intel Software Guard Extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis (CVE-2018-3615). Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis (CVE-2018-3620). Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis (CVE-2018-3646). The impact of the L1TF security issues: * Malicious applications may be able to infer the values of data in the operating system memory, or data from other applications. * A malicious guest virtual machine (VM) may be able to infer the values of data in the VMM’s memory, or values of data in the memory of other guest VMs. * Malicious software running outside of SMM may be able to infer values of data in SMM memory. * Malicious software running outside of an Intel® SGX enclave or within an enclave may be able to infer data from within another Intel SGX enclave. NOTE! You also need to install the the 0.20180807-1.mga6.nonfree microcode update (mga#23457) or a bios update from your hardware vendor containing the updated microcodes to get all current set of fixes and mitigations for L1TF. Other changes in this update: * WireGuard has been updated to 0.0.20180809 * added hwmon support for Threadripper2 For other upstream fixes in this update, see the referenced changelogs.

CVSS2

5.4

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:P/A:N

CVSS3

6.4

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS

0.002

Percentile

64.5%