SB2019030105 - OpenSUSE Linux update for the Linux Kernel
Published: March 1, 2019 Updated: April 26, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2018-5391)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to an error when handling reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can send specially crafted packets, trigger time and calculation expensive fragment reassembly algorithms and cause the service to crash.
2) Memory leak (CVE-ID: CVE-2019-3459)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due heap address infoleak in use of l2cap_get_conf_opt. A local attacker can trigger memory leak and access important data.
3) Memory leak (CVE-ID: CVE-2019-3460)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due heap address infoleak in multiple locations including function l2cap_parse_conf_rsp. A local attacker can trigger memory leak and access important data.
4) Use-after-free (CVE-ID: CVE-2019-7221)
The vulnerability allows an adjacent attacker to cause DoS condition or execute arbitrary code.The weakness exists due to exists due to use-after-free error when using emulated vmx preemption timer. An adjacent attacker can cause the service to crash or execute arbitrary code with elevated privileges.
5) Memory leak (CVE-ID: CVE-2019-7222)
The vulnerability allows an adjacent attacker to obtain potentially sensitive information.The weakness exists due to exists due to memory leak in kvm_inject_page_fault. An adjacent attacker can gain access to important data and conduct further attacks.
Remediation
Install update from vendor's website.