Security March, 2017: Linux Kernel Security Fixes CVE-2016-8630, CVE-2016-8655, CVE-2016-9083, CVE-2016-9084

eva2000 · Mar 4, 2017

New Linux Kernel security vulnerability fixes are out for CentOS 7 ONLY for CVE-2016-8630, CVE-2016-8655, CVE-2016-9083, CVE-2016-9084. CentOS 5 and 6 are NOT affected. The updated fixed Linux Kernel for CentOS 7 is 3.10.0-514.10.2.el7 and yum update and server reboot is required unless you are using KernelCare for auto Kernel patched updates which do not require a server reboot.

Information

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support
is vulnerable to a null pointer dereference flaw. It could occur on x86
platform, when emulating an undefined instruction. An attacker could use this
flaw to crash the host kernel resulting in DoS. (CVE-2016-8630, Important)

* A race condition issue leading to a use-after-free flaw was found in the way
the raw packet sockets implementation in the Linux kernel networking subsystem
handled synchronization while creating the TPACKET_V3 ring buffer. A local user
able to open a raw packet socket (requires the CAP_NET_RAW capability) could use
this flaw to elevate their privileges on the system. (CVE-2016-8655, Important)

* A flaw was discovered in the Linux kernel's implementation of VFIO. An
attacker issuing an ioctl can create a situation where memory is corrupted and
modify memory outside of the expected area. This may overwrite kernel memory and
subvert kernel execution. (CVE-2016-9083, Important)

* The use of a kzalloc with an integer multiplication allowed an integer
overflow condition to be reached in vfio_pci_intrs.c. This combined with
CVE-2016-9083 may allow an attacker to craft an attack and use unallocated
memory, potentially crashing the machine. (CVE-2016-9084, Moderate)

Red Hat would like to thank Philip Pettersson for reporting CVE-2016-8655.

Additional Changes:

Space precludes documenting all of the bug fixes and enhancements included in
this advisory. To see the complete list of bug fixes and enhancements, refer to
the following KnowledgeBase article: RHSA-2017:0386 Important: kernel security, bug fix, and enhancement update - Red Hat Customer Portal.
Click to expand...

Update Fixes

For CentOS 7 and Redhat 7 there's kernel update 3.10.0-514.10.2.el7

So need to do 2 steps for non-openvz systems. For openvz vps you use host node kernel and not your own so only your web host can update the host node kernel so contact them. Some openvz vps providers also use KernelCare so are auto patched up but some don't.

Do a yum update
Code (Text):
```
yum -y update
```
then check if 3.10.0-514.10.2.el7 kernel is updated via
Code (Text):
```
yum list kernel
```
output
Then reboot your server for Kernel update to take effect. If you use KernelCare KernelCare rebootless kernel updates - CentminMod.com LEMP Nginx web stack for CentOS they auto patch your kernel every 4hrs and do not require server reboots. Then verify after reboot of kernel version via
Code (Text):
```
uname -r
```
or if using KernelCare via
Code (Text):
```
kcare-uname -r
```

Example listing updates which include Kernel

Code (Text):

yum list updates

Code (Text):

Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: ca.mirror.babylon.network
 * elrepo: ca.mirror.babylon.network
 * epel: ca.mirror.babylon.network
 * extras: ca.mirror.babylon.network
 * rpmforge: repoforge.mirror.constant.com
 * updates: ca.mirror.babylon.network
383 packages excluded due to repository priority protections
Updated Packages
kernel.x86_64 3.10.0-514.10.2.el7 updates
kernel-devel.x86_64 3.10.0-514.10.2.el7 updates
kernel-headers.x86_64 3.10.0-514.10.2.el7 updates

Updating yum packages via yum update

Code (Text):

yum -y update

Code (Text):

yum -y update
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: mirror2.evolution-host.com
 * elrepo: ca.mirror.babylon.network
 * epel: ca.mirror.babylon.network
 * extras: mirror2.evolution-host.com
 * rpmforge: repoforge.mirror.constant.com
 * updates: mirror2.evolution-host.com
383 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-514.10.2.el7 will be installed
---> Package kernel-devel.x86_64 0:3.10.0-514.10.2.el7 will be installed
---> Package kernel-headers.x86_64 0:3.10.0-514.6.2.el7 will be updated
---> Package kernel-headers.x86_64 0:3.10.0-514.10.2.el7 will be an update
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-327.36.3.el7 will be erased
---> Package kernel-devel.x86_64 0:3.10.0-327.36.3.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================================================================
 Package                                                        Arch                                                   Version                                                             Repository                                                Size
==========================================================================================================================================================================================================================================================
Installing:
 kernel                                                         x86_64                                                 3.10.0-514.10.2.el7                                                 updates                                                   37 M
 kernel-devel                                                   x86_64                                                 3.10.0-514.10.2.el7                                                 updates                                                   13 M
Updating:
 kernel-headers                                                 x86_64                                                 3.10.0-514.10.2.el7                                                 updates                                                  4.8 M
Removing:
 kernel                                                         x86_64                                                 3.10.0-327.36.3.el7                                                 @updates                                                 136 M
 kernel-devel                                                   x86_64                                                 3.10.0-327.36.3.el7                                                 @updates                                                  33 M

Transaction Summary
==========================================================================================================================================================================================================================================================
Install  2 Packages
Upgrade  1 Package
Remove   2 Packages

Total download size: 55 M
Downloading packages:
Delta RPMs reduced 13 M of updates to 5.8 M (54% saved)
(1/3): kernel-3.10.0-514.10.2.el7.x86_64.rpm                                                                                                                                                                                       |  37 MB  00:00:00  
(2/3): kernel-devel-3.10.0-514.6.2.el7_3.10.0-514.10.2.el7.x86_64.drpm                                                                                                                                                             | 5.8 MB  00:00:00  
(3/3): kernel-headers-3.10.0-514.10.2.el7.x86_64.rpm                                                                                                                                                                               | 4.8 MB  00:00:00  
Finishing delta rebuilds of 1 package(s) (13 M)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                                                      11 MB/s |  48 MB  00:00:04  
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kernel-devel-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                                1/6
  Updating   : kernel-headers-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                              2/6
  Installing : kernel-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                                      3/6
  Cleanup    : kernel-3.10.0-327.36.3.el7.x86_64                                                                                                                                                                                                      4/6
  Cleanup    : kernel-headers-3.10.0-514.6.2.el7.x86_64                                                                                                                                                                                               5/6
  Cleanup    : kernel-devel-3.10.0-327.36.3.el7.x86_64                                                                                                                                                                                                6/6
  Verifying  : kernel-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                                      1/6
  Verifying  : kernel-headers-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                              2/6
  Verifying  : kernel-devel-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                                3/6
  Verifying  : kernel-devel-3.10.0-327.36.3.el7.x86_64                                                                                                                                                                                                4/6
  Verifying  : kernel-headers-3.10.0-514.6.2.el7.x86_64                                                                                                                                                                                               5/6
  Verifying  : kernel-3.10.0-327.36.3.el7.x86_64                                                                                                                                                                                                      6/6

Removed:
  kernel.x86_64 0:3.10.0-327.36.3.el7                                                                                      kernel-devel.x86_64 0:3.10.0-327.36.3.el7                                                                                  

Installed:
  kernel.x86_64 0:3.10.0-514.10.2.el7                                                                                      kernel-devel.x86_64 0:3.10.0-514.10.2.el7                                                                                  

Updated:
  kernel-headers.x86_64 0:3.10.0-514.10.2.el7                                                                                                                                                                                                          

Complete!

After update and server reboot verify updated kernel with command

Code (Text):

uname -r

or if using KernelCare via

Code (Text):

kcare-uname -r

eva2000 · Mar 4, 2017

Updated and rebooted on CentOS 7
Code (Text):
uname -r
3.10.0-514.10.2.el7.x86_64
Remember only non-OpenVZ systems can update their Linux Kernels. For openvz vps you use host node kernel and not your own so only your web host can update the host node kernel so contact them. Some openvz vps providers also use KernelCare so are auto patched up but some don't.

eva2000 · Mar 4, 2017

KernelCare users would of auto updated and DO NOT require server reboot

Code (Text):

kcare-uname -r
3.10.0-514.6.2.el7

Code (Text):

kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-514.6.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Wed Jan 18 13:06:36 UTC 2017
kpatch-build-time: Wed Feb 22 12:34:36 2017
kpatch-description: 5;3.10.0-514.6.2.el7

Code (Text):

kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-514.6.1.el7
time: 2017-02-23 23:09:11
uname: 3.10.0-514.6.2.el7



kpatch-name: 3.10.0/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
kpatch-description: KEYS: Fix handling of stored error in a negatively instantiated user key
kpatch-kernel: >kernel-3.10.0-514.6.1.el7
kpatch-cve: CVE-2015-8539
kpatch-cvss: 7.2
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-8539
kpatch-patch-url: https://git.kernel.org/linus/096fe9eaea40a17e125569f9e657e34cdb6d73bd

kpatch-name: 3.10.0/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
kpatch-description: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
kpatch-kernel: kernel-3.10.0-514.6.2.el7
kpatch-cve: CVE-2017-6074
kpatch-cvss: 7.8
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-6074
kpatch-patch-url: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4

kpatch-name: 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
kpatch-description: RDS: verify the underlying transport exists before creating a connection
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-6937
kpatch-cvss: 7.1
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-6937
kpatch-patch-url: http://git.kernel.org/linus/74e98eb085889b0d2d4908f59f6e00026063014f

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
kpatch-patch-url:

eva2000 · Mar 5, 2017

Linode support says these bugs don't apply to their provided Linux 4.9.x Kernels

Hi George,

Thanks for reaching out to us. That looks like a security advisory and a set of fixes coming from RedHat for their kernel; I'll go through each of their vulnerabilities individually:

1. CVE - CVE-2016-8630

This one looks to be fixed after 4.8.7 which would mean that 4.9.* is fine for this.

2. CVE - CVE-2016-8655

This one is through 4.8.12, still does not affect 4.9.*

3. CVE - CVE-2016-9083

This one is through 4.8.11.

4. CVE - CVE-2016-9084

Also through 4.8.11.

From the looks of it (looking at all the references in the CVEs), these were already patched and fixed in the upstream/mainline kernel well before 4.9; I think what's happening here is that Redhat has their own separate line of builds and is "backporting" their patches via this advisory.

I feel confident in saying that our offered kernel is safe for this. Please let us know if you have any additional questions.
Click to expand...

BamaStangGuy · Mar 7, 2017

My kernel care is outputting this:
Code:
[11:47][root@christianforums.whippmedia.com ~]# kcare-uname -r
3.10.0-514.6.2.el7
Is this correct?

eva2000 · Mar 7, 2017

@BamaStangGuy yup

Log in / Register

Forums

Join the community today

Security March, 2017: Linux Kernel Security Fixes CVE-2016-8630, CVE-2016-8655, CVE-2016-9083, CVE-2016-9084

eva2000 Administrator Staff Member

Information

Update Fixes

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

BamaStangGuy Active Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Security March, 2017: Linux Kernel Security Fixes CVE-2016-8630, CVE-2016-8655, CVE-2016-9083, CVE-2016-9084

eva2000 Administrator Staff Member

Information

Update Fixes

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

BamaStangGuy Active Member

eva2000 Administrator Staff Member

.