Ubuntu.comUB:CVE-2015-8709CVE-2015-8709
7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
6.9 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
9.3%
DISPUTED kernel/ptrace.c in the Linux kernel through 4.4.1 mishandles
uid and gid mappings, which allows local users to gain privileges by
establishing a user namespace, waiting for a root process to enter that
namespace with an unsafe uid or gid, and then using the ptrace system call.
NOTE: the vendor states “there is no kernel bug here.”
Bugs
Notes
| Author | Note |
|---|---|
| sbeattie | published fix has been reverted and replaced by upstream commit. Published kernels are not vulnerable to this, the status is tracking the state of the replaced commit coming through the trees. |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 14.04 | noarch | linux | < 3.13.0-103.150 | UNKNOWN |
| ubuntu | 15.04 | noarch | linux | < 3.19.0-75.83 | UNKNOWN |
| ubuntu | 15.10 | noarch | linux | < 4.2.0-22.27 | UNKNOWN |
| ubuntu | 16.04 | noarch | linux | < 4.4.0-51.72 | UNKNOWN |
| ubuntu | 16.10 | noarch | linux | < 4.8.0-28.30 | UNKNOWN |
| ubuntu | 12.04 | noarch | linux-lts-trusty | < 3.13.0-103.150~precise1 | UNKNOWN |
| ubuntu | 14.04 | noarch | linux-lts-utopic | < 3.16.0-57.77~14.04.1 | UNKNOWN |
| ubuntu | 14.04 | noarch | linux-lts-vivid | < 3.19.0-75.83~14.04.1 | UNKNOWN |
| ubuntu | 14.04 | noarch | linux-lts-wily | < 4.2.0-22.27~14.04.1 | UNKNOWN |
| ubuntu | 14.04 | noarch | linux-lts-xenial | < 4.4.0-51.72~14.04.1 | UNKNOWN |
References
www.openwall.com/lists/oss-security/2015/12/31/5
launchpad.net/bugs/cve/CVE-2015-8709
lkml.org/lkml/2015/12/12/259
nvd.nist.gov/vuln/detail/CVE-2015-8709
security-tracker.debian.org/tracker/CVE-2015-8709
ubuntu.com/security/notices/USN-2847-1
ubuntu.com/security/notices/USN-2848-1
ubuntu.com/security/notices/USN-2849-1
ubuntu.com/security/notices/USN-2850-1
ubuntu.com/security/notices/USN-2851-1
ubuntu.com/security/notices/USN-2852-1
ubuntu.com/security/notices/USN-2853-1
ubuntu.com/security/notices/USN-2854-1
www.cve.org/CVERecord?id=CVE-2015-8709
Related
7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
6.9 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
9.3%