Red Hat update for kernel-alt

1) Null pointer dereference

EUVDB-ID: #VU13851

Risk: Low

CVSSv3.1: 6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-13095

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists in the xfs_bmap_extents_to_btree() function in the Extended File System (XFS) component, as defined in the source code file fs/xfs/libxfs/xfs_inode_buf.c due to boundary error when mounting XFS filesystems. A local attacker can access the system, mount an XFS filesystem that submits malicious input, trigger a NULL pointer dereference memory error and cause the affected software to terminate abnormally.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for IBM System z (Structure A): 7.0

Red Hat Enterprise Linux for Power 9: 7.0

Red Hat Enterprise Linux for ARM 64: 7.0

kernel-alt (Red Hat package): 4.14.0-49.2.2.el7a - 4.14.0-115.7.1.el7a

:

External links

http://access.redhat.com/errata/RHSA-2019:1350

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.