Dear Server Administrators,
As part of our commitment to provide premier infrastructure services, we are informing you of a critical security vulnerability affecting linux servers. Please read the details below carefully as action will be required on your end:
Kernel Local Privilege Escalation - CVE-2016-5195
https://access.redhat.com/security/vulnerabilities/2706661
Action to be taken:
It is important that you install the most recent kernel updates which include the necessary security patch on your server(s). This kernel update will require the server to be rebooted as soon as possible.
=====================================================
A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
Find out more about CVE-2016-5195 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG 2.x. This issue has been rated as having Important security impact. Updates for each affected version are in progress and will be released as soon as possible.
Shipping versions of Fedora are affected and Fedora is aware of this flaw.
For additional information about this flaw, please see https://access.redhat.com/security/vulnerabilities/2706661
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
Base Score |
6.9 |
Base Metrics |
|
Access Vector |
Local |
Access Complexity |
Medium |
Authentication |
None |
Confidentiality Impact |
Complete |
Integrity Impact |
Complete |
Availability Impact |
Complete |
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
CVSS3 Base Score |
7.8 |
CVSS3 Base Metrics |
|
Attack Vector |
Local |
Attack Complexity |
Low |
Privileges Required |
Low |
User Interaction |
None |
Scope |
Unchanged |
Confidentiality |
High |
Integrity Impact |
High |
Availability Impact |
High |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
?xml version="1.0"?
Platform |
Errata |
Release Date |
Red Hat Enterprise Linux Extended Update Support 7.1 (kernel) |
2016-10-26 |
|
Other (kernel) |
2016-10-27 |
|
Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt) |
2016-10-26 |
|
Red Hat Enterprise Linux Extended Update Support 6.7 (kernel) |
2016-10-26 |
|
Red Hat Enterprise Linux 6 (kernel) |
2016-10-26 |
|
MRG Grid for RHEL 6 Server v.2 (kernel-rt) |
2016-10-26 |
|
Red Hat Enterprise Linux Advanced Update Support 6.5 (kernel) |
2016-10-27 |
|
Red Hat Enterprise Linux 7 (kernel) |
2016-10-24 |
Affected Packages State
?xml version="1.0"?
Platform |
Package |
State |
Red Hat Enterprise MRG 2 |
realtime-kernel |
Affected |
Red Hat Enterprise Linux 5 |
kernel |
Affected |
Acknowledgements
Red Hat would like to thank Phil Oester for reporting this issue.
Mitigation
Please see bug 1384344 comment #13 (https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13) for details on how to mitigate this issue.
Thursday, October 27, 2016