SB2018091856 - Input validation error in Linux kernel

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2018-14641)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this crash remotely, thus leading to a remote denial-of-service.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2018:2948
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14641
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d407b071dc369c26a38398326ee2be53651cfe4
• https://seclists.org/oss-sec/2018/q3/248