EGI SVG Advisories

Advisory-SVG-CVE-2018-8897

Title:   EGI SVG 'ADVISORY' [TLP:WHITE]  'MODERATE' risk - multiple
         vulnerabilities in the Linux kernel (incl. CVE-2018-8897,
         CVE-2018-1087, CVE-2017-16939) [EGI-SVG-CVE-2018-8897]

Date:    2018-05-16
Updated:

Affected software and risk
==========================

Multiple vulnerabilities in the Linux kernel have been patched.

The patched version, kernel-3.10.0-862(.2.3), is released together with
RHEL 7.5.

Package : Linux Kernel
CVE ID  : CVE-2018-8897, CVE-2018-1087, CVE-2017-16939

- A vulnerability in the Linux kernel exception handling can allow an
  unprivileged user to crash the system and cause a Denial of Service (DoS)
  (CVE-2018-8897).

- A vulnerability concerning the Linux kernel's KVM hypervisor exception
  handling can allow an unprivileged KVM guest user to crash the guest or,
  potentially, escalate their privileges in the guest (CVE-2018-1087).

- The 'use-after-free' flaw in XFRM mentioned in a previous alert
  [EGI-SVG-CVE-2017-16939] can, in some circumstances, lead to privilege
  escalation.

None at present are considered by the SVG to be more than 'Moderate'.

Actions required/recommended
============================

Sites are recommended to update their Linux kernel at their first convenient
opportunity, in particular:

- WN & UI should be updated for CVE-2018-8897

- WN & UI with Singularity in non-suid mode should be updated for CVE-2017-16939

- Hypervisors should be updated for CVE-2018-1087

Note that a reboot is required.
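
The check below is an added example, not part of the original advisory. It
classifies an EL7 node as patched, reboot-required or update-required. It
assumes the fixed release is 3.10.0-862.2.3 (read from the version string
above); the function names are hypothetical and the sample nodes are constructed.

```shell
#!/bin/sh
# Fixed EL7 kernel release, taken from the advisory's "kernel-3.10.0-862(.2.3)".
# Assumption: EL7-family hosts only; Ubuntu/Debian use different version numbers.
FIXED="3.10.0-862.2.3"

# Strip the dist/arch suffix: 3.10.0-862.2.3.el7.x86_64 -> 3.10.0-862.2.3
kver_base() {
    printf '%s\n' "${1%%.el[0-9]*}"
}

# Return 0 if release $1 >= release $2, comparing numeric fields left to right.
kver_ge() {
    awk -v a="$(kver_base "$1")" -v b="$(kver_base "$2")" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing fields count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# $1 = running release (uname -r), $2 = installed kernel releases, one per line.
kernel_status() {
    if kver_ge "$1" "$FIXED"; then echo "patched"; return; fi
    for k in $2; do
        # A fixed kernel is installed but the old one is still running.
        if kver_ge "$k" "$FIXED"; then echo "reboot-required"; return; fi
    done
    echo "update-required"
}

# Constructed sample: a node that was updated but not yet rebooted.
kernel_status "3.10.0-693.21.1.el7.x86_64" "3.10.0-693.21.1.el7
3.10.0-862.2.3.el7"

# Live check on an EL7 host: run the script with --live
if [ "${1:-}" = "--live" ]; then
    kernel_status "$(uname -r)" "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n')"
fi
```

A "reboot-required" result means the updated package is installed but the node
is still running the old kernel.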

More information
================

The vulnerabilities mentioned above are the ones which are most relevant to
EGI and have been assessed as unlikely to pose more than 'Moderate' Risk for
the EGI infrastructure.

For a full list of vulnerabilities which are fixed in this release, see [R 1].

There is the possibility that the risk could be elevated to 'High',
particularly for CVE-2018-1087 if a privilege escalation exploit were to become
available.

Since the exception handling vulnerability has been highly publicised, see e.g.
[R 2], sites should update as soon as convenient.

Also see [R 3], [R 4], [R 5], [R 6]


Component installation information
==================================

Sites running Red Hat should see [R 1]

Sites running Scientific Linux should see [R 7]

Sites running CentOS should see [R 8]

Sites running Ubuntu should see [R 9]

Sites running Debian should see [R 10]


TLP and URL
===========

** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions**

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2018-8897

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 11].

Note that this has been updated and the latest version was approved by the
Operations Management Board in November 2017.


References
==========

[R 1] https://access.redhat.com/errata/RHSA-2018:1318

[R 2] http://www.theregister.co.uk/2018/05/09/intel_amd_kernel_privilege_escalation_flaws/

[R 3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8897

[R 4] https://access.redhat.com/security/cve/cve-2018-8897

[R 5] https://access.redhat.com/security/cve/cve-2018-1087

[R 6] https://access.redhat.com/Security/cve/cve-2017-16939

[R 7] https://www.scientificlinux.org/?s=cve-2018-8897

[R 8] https://lists.centos.org/pipermail/centos-announce/2018-May/022829.html

[R 9] http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-8897.html

[R 10] https://security-tracker.debian.org/tracker/CVE-2018-8897

[R 11] https://documents.egi.eu/public/ShowDocument?docid=3145


Credit
======

SVG was alerted to CVE-2018-8897 by Martin Bly from STFC
SVG was alerted to CVE-2018-1087 by Mischa Salle from Nikhef

Timeline
========
Yyyy-mm-dd  [EGI-SVG-2018-CVE-2018-8897]

2018-05-09 SVG alerted to CVE-2018-8897 by Martin Bly from STFC
2018-05-09 Acknowledgement from the EGI SVG to the reporter
2018-05-09 Investigation of vulnerability and relevance to EGI carried out
2018-05-09 EGI SVG Risk Assessment completed
2018-05-16 Advisory sent to sites

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 11], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

Others may re-use this information provided they:

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group



On behalf of the EGI SVG,