OpenSUSE Linux update for the Linux Kernel
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-12134 CVE-2017-14051 |
| CWE-ID | CWE-264 CWE-190 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Xen Server applications / Virtualization software Linux kernel Operating systems & Components / Operating system |
| Vendor |
Xen Project Linux Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Privilege escalation
EUVDB-ID: #VU7952
Risk: Low
CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-12134
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker on a Linux-based guest system to gain elevated privileges on the host system.
The weakness exists due to aa flaw in merging adjacent block IO requests. A local attacker on the guest system can incorrectly access memory during block stream processing to obtain potentially sensitive information or gain elevated privileges on the host system.
Update the affected packages.
Xen: 4.6.0 - 4.9.0
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-09/msg00016.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Integer overflow
EUVDB-ID: #VU10715
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-14051
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The weakness exists in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.ct due to an integer overflow. A local attacker can gain root access and cause the service to crash.
Update the affected packages.
Linux kernel: 4.12.1 - 4.12.10
External linkshttp://lists.opensuse.org/opensuse-security-announce/2017-09/msg00016.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
