Lucene search

K
virtuozzo
VirtuozzoVZA-2020-048
HistoryJul 06, 2020 - 12:00 a.m.

Important kernel security update: Virtuozzo ReadyKernel patch 110.0 for Virtuozzo Hybrid Server 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0 and Virtuozzo Hybrid Infrastructure 3.5

2020-07-0600:00:00
help.virtuozzo.com
142

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

4.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

0.006 Low

EPSS

Percentile

77.9%

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server 7.0 and Virtuozzo Infrastructure Platform.
Vulnerability id: CVE-2020-10711
[3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] netlabel: kernel crash (null pointer dereference) while processing a specially crafted CIPSO packet. A NULL pointer dereference was found in the implementation of SELinux. The issue occurs while importing the Commercial IP Security Option (CIPSO) protocol category bitmap into SELinux extensible bitmap. Parsing of a specially crafted CIPSO packet sent by a remote attacker could lead to a kernel crash (remote DoS).

Vulnerability id: CVE-2019-20812
[3.10.0-862.20.2.vz7.73.24 to 3.10.0-1127.8.2.vz7.151.14] af_packet: potential soft lockup in case of certain errors when using TPACKET_V3. It was found that if TPACKET_V3 was used and the kernel failed to obtain certain settings from a relevant network device, the retirement timer could be set incorrectly in the implementation AF_PACKET protocol. This could result in soft lockups and excessive CPU usage.

Vulnerability id: CVE-2020-10732
[3.10.0-862.20.2.vz7.73.24 to 3.10.0-1127.8.2.vz7.151.14] Core dumps of some processes could contain uninitialized kernel data. It was discovered that core dumps of userspace processes could contain copies of uninitialized kernel memory areas in certain cases. Although it is difficult for an attacker to control what data is in these areas, this issue, in theory, could be used to obtain sensitive information from the kernel.

Vulnerability id: CVE-2020-10769
[3.10.0-862.20.2.vz7.73.24 to 3.10.0-1062.12.1.vz7.131.10] crypto/authenc: kernel crash in crypto_ahash_setkey() when payload of a key is longer than 4 bytes and is not aligned. An out-of-bounds read was found in the implementation of IPsec cryptographic algorithms (β€˜authenc’ module). When payload of a key was longer than 4 bytes but was not properly aligned, crypto_authenc_extractkeys() function could try to read data from a wrong location. This could lead to a kernel crash in crypto_ahash_setkey().

Use Vulners API to create your own security tool

API usage cases
  • Network scanning
  • Linux Patch management
  • Threat protection
  • No network audit solution

Ways of integration

Integrate Vulners API

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

4.9 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:N/I:N/A:C

0.006 Low

EPSS

Percentile

77.9%

Related for VZA-2020-048