CVE-2016-5195 Linux kernel vulnerability


Severity

High

Vendor

Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 14.04 LTS
Description

It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • All versions prior to 3151.3
    • 3233.x versions prior to 3233.3
    • 3263.x versions prior to 3263.8
    • All other versions
  • Pivotal products using stemcells prior to these updated versions are vulnerable to this issue
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
    • Upgrade all versions prior to 3151.x to 3151.3
    • Upgrade 3233.x versions to 3233.3
    • Upgrade other versions to 3263.8
  • Upgrade Pivotal products using older stemcells to new versions using the new stemcells mentioned above. On the Pivotal Network product page for each release, check the Depends On section and/or Release Notes for this information.
  • Releases that have fixed this issue include:
    • PCF Operations Manager: 1.6.25, 1.7.17, and 1.8.8
    • PCF Elastic Runtime: 1.6.48, 1.7.30, and 1.8.10
    • MySQL for PCF: 1.6.19, 1.7.18, and 1.8.0-edge.15
    • RabbitMQ for PCF: 1.5.18, 1.6.10, and 1.7.6
    • Redis for PCF: 1.4.33, 1.5.23, 1.6.2
    • Push Notification for PCF: 1.4.27 and 1.6.3
    • PCF Metrics: 1.0.17 and 1.1.3
    • Ops Metrics / JMX Bridge: 1.4.27, 1.6.21, 1.7.4, and 1.8.6
    • PCF Log Search: 1.0.1
    • Spring Cloud Services for PCF: 1.0.17, 1.1.8, and 1.2.2
    • Single Sign-On for PCF: 1.1.8 and 1.2.2

Special Note for 1.7.x and 1.8.x Ops Manager Deployments

The 1.7.x release line of Ops Manager includes a new feature that allows tile stemcells to “float”, which will allow Operators to update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager 1.7.x or 1.8.x with the newly released stemcell, all tiles will automatically upgrade. For more information about the floating stemcell feature, refer to this document.

References