Important CentOS kernel Security Update

Metadata

high
7.2
kernel-3.10.0-229.el7.x86_64.rpm, kernel-abi-whitelists-3.10.0-229.el7.noarch.rpm, kernel-debug-3.10.0-229.el7.x86_64.rpm, kernel-debug-devel-3.10.0-229.el7.x86_64.rpm, kernel-devel-3.10.0-229.el7.x86_64.rpm, kernel-doc-3.10.0-229.el7.noarch.rpm, kernel-headers-3.10.0-229.el7.x86_64.rpm, kernel-tools-3.10.0-229.el7.x86_64.rpm, kernel-tools-libs-3.10.0-229.el7.x86_64.rpm, kernel-tools-libs-devel-3.10.0-229.el7.x86_64.rpm, perf-3.10.0-229.el7.x86_64.rpm, python-perf-3.10.0-229.el7.x86_64.rpm
CVE-2014-3690, CVE-2014-3940, CVE-2014-7825, CVE-2014-7826, CVE-2014-8086, CVE-2014-8160, CVE-2014-8172, CVE-2014-8173, CVE-2014-8709, CVE-2014-8884, CVE-2015-0274
rhn.redhat.com, lists.centos.org
2015-03-17
2017-07-27 19:08
ALAS-2015-489
Important CentOS kernel Security Update
Moderate CentOS kernel Security Update
Important CentOS kernel Security Update
CVE-2014-8884 linux
CVE-2014-3940 linux
CVE-2014-8086 linux
CVE-2014-8173 linux
CVE-2014-8172 linux
CVE-2014-7825 linux
CVE-2014-3690 linux
CVE-2014-8160 linux
CVE-2014-7826 linux
CVE-2014-8709 linux
CVE-2015-0274 linux
CVE-2014-3690
CVE-2014-8172
CVE-2014-8884
CVE-2014-8160
CVE-2014-8709
CVE-2015-0274
CVE-2014-7826
CVE-2014-3940
CVE-2014-8173
CVE-2014-8086
CVE-2014-7825
2017-04-01 19:08
2017-01-05 20:12

Description


Updated kernel packages that fix multiple security issues, address several
hundred bugs, and add numerous enhancements are now available as part of
the ongoing support and maintenance of Red Hat Enterprise Linux version 7.
This is the first regular update.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

* A flaw was found in the way the Linux kernel's XFS file system handled
replacing of remote attributes under certain conditions. A local user with
access to XFS file system mount could potentially use this flaw to escalate
their privileges on the system. (CVE-2015-0274, Important)

* It was found that the Linux kernel's KVM implementation did not ensure
that the host CR4 control register value remained unchanged across VM
entries on the same virtual CPU. A local, unprivileged user could use this
flaw to cause denial of service on the system. (CVE-2014-3690, Moderate)

* A flaw was found in the way Linux kernel's Transparent Huge Pages (THP)
implementation handled non-huge page migration. A local, unprivileged user
could use this flaw to crash the kernel by migrating transparent hugepages.
(CVE-2014-3940, Moderate)

* An out-of-bounds memory access flaw was found in the syscall tracing
functionality of the Linux kernel's perf subsystem. A local, unprivileged
user could use this flaw to crash the system. (CVE-2014-7825, Moderate)

* An out-of-bounds memory access flaw was found in the syscall tracing
functionality of the Linux kernel's ftrace subsystem. On a system with
ftrace syscall tracing enabled, a local, unprivileged user could use this
flaw to crash the system, or escalate their privileges. (CVE-2014-7826,
Moderate)

* A race condition flaw was found in the Linux kernel's ext4 file system
implementation that allowed a local, unprivileged user to crash the system
by simultaneously writing to a file and toggling the O_DIRECT flag using
fcntl(F_SETFL) on that file. (CVE-2014-8086, Moderate)

* A flaw was found in the way the Linux kernel's netfilter subsystem
handled generic protocol tracking. As demonstrated in the Stream Control
Transmission Protocol (SCTP) case, a remote attacker could use this flaw to
bypass intended iptables rule restrictions when the associated connection
tracking module was not loaded on the system. (CVE-2014-8160, Moderate)

* It was found that due to excessive files_lock locking, a soft lockup
could be triggered in the Linux kernel when performing asynchronous I/O
operations. A local, unprivileged user could use this flaw to crash the
system. (CVE-2014-8172, Moderate)

* A NULL pointer dereference flaw was found in the way the Linux kernel's
madvise MADV_WILLNEED functionality handled page table locking. A local,
unprivileged user could use this flaw to crash the system. (CVE-2014-8173,
Moderate)

* An information leak flaw was found in the Linux kernel's IEEE 802.11
wireless networking implementation. When software encryption was used, a
remote attacker could use this flaw to leak up to 8 bytes of plaintext.
(CVE-2014-8709, Low)

* A stack-based buffer overflow flaw was found in the TechnoTrend/Hauppauge
DEC USB device driver. A local user with write access to the corresponding
device could use this flaw to crash the kernel or, potentially, elevate
their privileges on the system. (CVE-2014-8884, Low)

Red Hat would like to thank Eric Windisch of the Docker project for
reporting CVE-2015-0274, Andy Lutomirski for reporting CVE-2014-3690, and
Robert Święcki for reporting CVE-2014-7825 and CVE-2014-7826.

This update also fixes several hundred bugs and adds numerous enhancements.
Refer to the Red Hat Enterprise Linux 7.1 Release Notes for information on
the most significant of these changes, and the following Knowledgebase
article for further information: https://access.redhat.com/articles/1352803

All Red Hat Enterprise Linux 7 users are advised to install these updated
packages, which correct these issues and add these enhancements. The system
must be rebooted for this update to take effect.
Please see https://www.redhat.com/footer/terms-of-use.html

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
7 kernel kernel-3.10.0-229.el7.x86_64.rpm
kernel-abi-whitelists kernel-abi-whitelists-3.10.0-229.el7.noarch.rpm
kernel-debug kernel-debug-3.10.0-229.el7.x86_64.rpm
kernel-debug-devel kernel-debug-devel-3.10.0-229.el7.x86_64.rpm
kernel-devel kernel-devel-3.10.0-229.el7.x86_64.rpm
kernel-doc kernel-doc-3.10.0-229.el7.noarch.rpm
kernel-headers kernel-headers-3.10.0-229.el7.x86_64.rpm
kernel-tools kernel-tools-3.10.0-229.el7.x86_64.rpm
kernel-tools-libs kernel-tools-libs-3.10.0-229.el7.x86_64.rpm
kernel-tools-libs-devel kernel-tools-libs-devel-3.10.0-229.el7.x86_64.rpm
perf perf-3.10.0-229.el7.x86_64.rpm
python-perf python-perf-3.10.0-229.el7.x86_64.rpm