SB2017101028 - Ubuntu update for Linux kernel (Xenial HWE)
Published: October 10, 2017
Security Bulletin ID
SB2017101028
Severity
Low
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Adjecent network
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Privilege escalation (CVE-ID: CVE-2017-12134)
The vulnerability allows a local attacker on a Linux-based guest system to gain elevated privileges on the host system.The weakness exists due to aa flaw in merging adjacent block IO requests. A local attacker on the guest system can incorrectly access memory during block stream processing to obtain potentially sensitive information or gain elevated privileges on the host system.
2) Divide by zero (CVE-ID: CVE-2017-14106)
The vulnerability allows a local attacker to cause DoS condition on the target system.The weakness exists due to divide-by-zero error in the tcp_disconnect() function in net/ipv4/tcp.c. A local attacker can trigger a disconnect within a certain tcp_recvmsg code path and cause kernel panic.
Successful exploitation of the vulnerability results in denial of service.
3) Information disclosure (CVE-ID: CVE-2017-14140)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.The weakness exists in mm/migrate.c due to improper check of the effective UID. A local attacker can learn the memory layout of a setuid executable despite ASLR and expose sensitive information.
Remediation
Install update from vendor's website.