perfsonar-announce - [perfsonar-announce] Recent kernel CVE
Subject: perfSONAR Announcements
- From: Andrew Lake
- Subject: [perfsonar-announce] Recent kernel CVE
- Date: Fri, 21 Oct 2016 11:26:30 -0700
We just wanted to make everyone aware of kernel CVE-2016-5195 since it appears to be making its rounds on the newswire and wanted to make sure people are aware of what it means to your perfSONAR hosts since we often get questions. Details of the CVE from RedHat can be found here: https://access.redhat.com/security/cve/cve-2016-5195
Basically the CVE is about an exploit in the kernel that has likely been around for about 9 years and affects pretty much every Linux distribution out there today. In other words, it is in no way specific to perfSONAR and affects almost all Linux boxes of any type. The ubiquity is one of the main reasons it is getting attention in the media. It’s a privilege escalation vulnerability, meaning someone with a normal Unix account on a system can use it to relatively easily become root. The key here, though, is they first need a regular login on the system to do anything bad. If you are keeping your system patched and following common sense security procedures with regards to passwords/ssh keys, who you give accounts to, etc., getting this regular login should be a non-trivial task for a would-be attacker.
As for resolution, kernel updates are in various stages of availability from the operating system vendors at this point. It looks like maybe Debian already has a patch out and CentOS is still working on it. Once we have the CentOS kernel we will build the web100 version. Both OS vendors and our team need time to patch and test these things, and we all try to do so in a timely manner, so we appreciate your patience. You of course can upgrade to the non-web100 version once CentOS makes their standard version available and forgo NDT in the meantime. Please let us know if you have any questions with regards to perfSONAR and hope you found this helpful.
The perfSONAR Development Team