SB2019042327 - Red Hat Enterprise Linux 7 update for kernel-rt
Published: April 23, 2019
Security Bulletin ID
SB2019042327
Severity
Medium
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Adjecent network
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Race condition (CVE-ID: CVE-2019-6974)
The vulnerability allows an adjacent attacker to gain elevated privileges or cause a denial of service (DoS) condition.The weakness exists due to exists due to a race condition that causes the kvm_ioctl_create_device function, as defined in the virt/kvm/kvm_main.c source code file of the affected software, to improperly handle reference counting. An adjacent attacker can access the system and execute an application that submits malicious input, trigger a use-after-free condition and cause a targeted guest virtual machine to crash, resulting in a DoS condition. In addition, a successful exploit could allow the attacker to gain elevated privileges on a targeted system.
2) Use-after-free (CVE-ID: CVE-2019-7221)
The vulnerability allows an adjacent attacker to cause DoS condition or execute arbitrary code.The weakness exists due to exists due to use-after-free error when using emulated vmx preemption timer. An adjacent attacker can cause the service to crash or execute arbitrary code with elevated privileges.
Remediation
Install update from vendor's website.