USN-2751-1 Linux Kernel (Vivid HWE) Vulnerability


Severity

Medium to Low

Vendor

Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 14.04 LTS
Description

Several security issues were fixed in the kernel.

Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. (CVE-2015-5697)

Marc-André Lureau discovered that the vhost driver did not properly release the userspace provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). (CVE-2015-6252)

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • BOSH: All versions of Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the aforementioned CVE.
  • Products in the PCF Suite which reference BOSH stemcell v3093 or earlier are vulnerable to the aforementioned CVE:
    • Ops Manager v1.5.6 or earlier
    • Elastic Runtime v1.5.5 or earlier
    • MySQL for Pivotal Cloud Foundry v1.6.2 or earlier
    • Session State Caching Powered by Pivotal Gemfire v1.0.2 or earlier
    • RabbitMQ for Pivotal Cloud Foundry v1.4.4 or earlier
    • Redis for Pivotal Cloud Foundry v1.4.8 or earlier
Mitigation

Users of affected versions should apply the following mitigation:

Credit

Benjamin Randazzo and Marc-André Lureau

References