All Vulnerability Reports

CVE-2014-8159 Linux Kernel Infiniband Vulnerability

Severity

High

Vendor

Canonical Ubuntu

Versions Affected

• Canonical Ubuntu 10.04 LTS and 14.04 LTS

Description

It was found that the Linux kernel's Infiniband subsystem did not properly sanitize input parameters while registering memory regions from the userspace via the (u)verbs API. As a result, an unrestricted physical memory access could be achieved. A local user with access to /dev/infiniband/uverbsX could use this flaw to crash the system or, potentially, escalate their privileges on the system.

The Cloud Foundry team is aware of vulnerable versions of the Linux kernel but has determined that the project is not affected by this vulnerability.

Pivotal is aware of vulnerable versions of the Linux kernel but has determined that Pivotal Cloud Foundry products are not affected by this vulnerability.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

• The Cloud Foundry team is expecting to release a patched BOSH stemcell with an upgraded Linux kernel. We will update this page when it is released.

Mitigation

Users of affected versions should apply the following mitigation:

• The Cloud Foundry team has determined that the project is not exposed to this vulnerability and therefore do not require any upgrades.
• The Pivotal CF team has determined that Pivotal CF products, such as Pivotal Operations Manager and Pivotal Elastic Runtime, are not exposed to this vulnerability and therefore do not require any upgrades.

Credit

Mellanox

References

• http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8159.html
• https://bosh.io/stemcells
• https://github.com/cloudfoundry/cf-release
• https://network.tanzu.vmware.com/