USN-3641-1: Linux kernel vulnerabilities
Severity
High
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 14.04
Description
Nick Peterson discovered that the Linux kernel did not properly handle debug exceptions following a MOV/POP to SS instruction. A local attacker could use this to cause a denial of service (system crash). This issue only affected the amd64 architecture. (CVE-2018-8897)
Andy Lutomirski discovered that the KVM subsystem of the Linux kernel did not properly emulate the ICEBP instruction following a MOV/POP to SS instruction. A local attacker in a KVM virtual machine could use this to cause a denial of service (guest VM crash) or possibly escalate privileges inside of the virtual machine. This issue only affected the i386 and amd64 architectures. (CVE-2018-1087)
Andy Lutomirski discovered that the Linux kernel did not properly perform error handling on virtualized debug registers. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-1000199)
Affected Cloud Foundry Products and Versions
Severity is high unless otherwise noted.
- Cloud Foundry BOSH stemcells are vulnerable, including:
  - 3363.x versions prior to 3363.61
  - 3421.x versions prior to 3421.59
  - 3445.x versions prior to 3445.45
  - 3468.x versions prior to 3468.42
  - 3541.x versions prior to 3541.25
  - 3586.x versions prior to 3586.7
  - All other stemcell lines not listed above, which should be assumed vulnerable.
Mitigation
OSS users are strongly encouraged to apply the mitigation below:
- The Cloud Foundry project recommends upgrading the following BOSH stemcells:
  - Upgrade 3363.x versions to 3363.61
  - Upgrade 3421.x versions to 3421.59
  - Upgrade 3445.x versions to 3445.45
  - Upgrade 3468.x versions to 3468.42
  - Upgrade 3541.x versions to 3541.25
  - Upgrade 3586.x versions to 3586.7
  - All other stemcells should be upgraded to the latest version available on bosh.io.
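The following is an added example, not code from the advisory or the Cloud Foundry project: a small audit script that takes the stemcell name/version pairs you would read from `bosh stemcells` and reports which ones still need the upgrade listed above. The fixed patch levels are the ones in this advisory; the stemcell names and versions in `SAMPLE_STEMCELLS` are constructed for illustration, and the script assumes the two-component `LINE.PATCH` version format used by the stemcell lines named here.

```python
"""Audit deployed BOSH stemcell versions against the fixed versions in this advisory.

Added example with constructed input; not output captured from a real director.
"""
from typing import Dict, List, Optional, Tuple

# Minimum fixed patch level per stemcell line, as stated in the advisory.
FIXED_PATCH: Dict[int, int] = {
    3363: 61,
    3421: 59,
    3445: 45,
    3468: 42,
    3541: 25,
    3586: 7,
}


def parse_version(version: str) -> Tuple[int, int]:
    """Split 'LINE.PATCH' (e.g. '3468.41') into integers.

    Integer comparison matters here: compared as strings, '3586.7' would sort
    after '3586.10' and a fixed stemcell could be misreported as vulnerable.
    """
    line, sep, patch = version.strip().partition(".")
    if not sep or not line.isdigit() or not patch.isdigit():
        raise ValueError(f"unrecognised stemcell version: {version!r}")
    return int(line), int(patch)


def required_upgrade(version: str) -> Optional[str]:
    """Return the version to upgrade to, or None if the stemcell already carries the fix.

    Lines not listed in the advisory are treated as vulnerable and 'latest' is
    returned for them, matching the advisory's "all other stemcells" rule.
    """
    line, patch = parse_version(version)
    fixed = FIXED_PATCH.get(line)
    if fixed is None:
        return "latest"
    return f"{line}.{fixed}" if patch < fixed else None


def audit(stemcells: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, action) for every stemcell.

    action is 'ok', 'upgrade to X', or 'unparseable' for versions that do not
    follow the LINE.PATCH format (those need a manual look rather than a silent skip).
    """
    report = []
    for name, version in stemcells:
        try:
            target = required_upgrade(version)
        except ValueError:
            report.append((name, version, "unparseable"))
            continue
        report.append((name, version, "ok" if target is None else f"upgrade to {target}"))
    return report


# Constructed sample: name/version pairs as you would read them from `bosh stemcells`.
SAMPLE_STEMCELLS: List[Tuple[str, str]] = [
    ("bosh-aws-xen-hvm-ubuntu-trusty-go_agent", "3468.41"),
    ("bosh-aws-xen-hvm-ubuntu-trusty-go_agent", "3468.42"),
    ("bosh-google-kvm-ubuntu-trusty-go_agent", "3586.7"),
    ("bosh-vsphere-esxi-ubuntu-trusty-go_agent", "3541.24"),
    ("bosh-openstack-kvm-ubuntu-trusty-go_agent", "3312.30"),
    ("bosh-warden-boshlite-ubuntu-trusty-go_agent", "latest"),
]

if __name__ == "__main__":
    for name, version, action in audit(SAMPLE_STEMCELLS):
        print(f"{name:45s} {version:10s} {action}")
```

Run it after replacing `SAMPLE_STEMCELLS` with the pairs from your own director; any row other than `ok` is a stemcell that still ships the vulnerable kernel.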