CloudLinux OS Blog - Patches for the Integer Overflow Flaw (CVE-2018-14634) are available

An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to an SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system.

This issue does not affect systems that do not have a large enough address space to exploit this flaw. Systems with less than 32GB of RAM are also very unlikely to be affected by this issue due to the memory demand required during exploitation.

The fix for this flaw is available on the KernelCare test channel, and it covers all kernels except Xen PV. We still have some issues with Xen PV kernels, so please do not apply the fix on Xen PV kernels. We are doing our best to release the fix for Xen PV as soon as possible.

To deploy a patch, edit /etc/sysconfig/kcare/kcare.conf and add the following line:

PREFIX=test

Then run the command:

kcarectl --update

If your tests reveal any issues or if you need any further details, please contact our support team at https://cloudlinux.zendesk.com/hc/requests/new.
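The two steps above as a shell script, added here as an example and not CloudLinux's or KernelCare's own tooling: it sets PREFIX=test in kcare.conf without leaving duplicate lines (the same helper can flip AUTO_UPDATE, as suggested in the comments) and, since the post says the fix must not go on Xen PV kernels, checks /sys/hypervisor before calling kcarectl --update. It assumes /sys/hypervisor/type reads "xen" on any Xen guest and that /sys/hypervisor/guest_type (PV/PVH/HVM) is present only on newer kernels, so a Xen guest it cannot classify is treated as PV.

```shell
#!/bin/sh
# Added example (not CloudLinux/KernelCare tooling): set a KEY=VALUE line in the
# KernelCare config idempotently and refuse the test-channel update on Xen PV.

# set_kcare_option FILE KEY VALUE: replace an existing "KEY=..." line or append
# one, so repeated runs never leave duplicate PREFIX= lines behind.
set_kcare_option() {
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"   # GNU sed, as on RHEL/CL
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kcare_option FILE KEY: print the current value (empty when unset)
get_kcare_option() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1
}

# is_xen_pv_guest [SYSFS_ROOT]: succeed when running as a Xen PV guest.
# Assumption: /sys/hypervisor/type reads "xen" on every Xen guest, while
# guest_type (PV/PVH/HVM) exists only on newer kernels; a Xen guest we cannot
# classify is treated as PV, the conservative choice given the post's warning.
is_xen_pv_guest() {
    root=${1:-/sys/hypervisor}
    [ -r "$root/type" ] || return 1
    [ "$(cat "$root/type")" = "xen" ] || return 1
    if [ -r "$root/guest_type" ]; then
        [ "$(cat "$root/guest_type")" = "PV" ]
    else
        return 0
    fi
}

# The two steps from the post, gated on the Xen PV check.
apply_test_channel_fix() {
    conf=${KCARE_CONF:-/etc/sysconfig/kcare/kcare.conf}
    if is_xen_pv_guest; then
        echo "Xen PV guest detected; not applying the test-channel fix." >&2
        return 2
    fi
    set_kcare_option "$conf" PREFIX test
    kcarectl --update
}

# Only act when invoked as: sh apply-kcare-test.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_test_channel_fix
fi
```

Run it as root with the `apply` argument; without it the script only defines the functions, which is convenient for sourcing into other tooling.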

Current statuses per distro:

centos6 - Released
centos6-plus - Released
CloudLinux 6 - Released
openvz - Released
rhel6 - Released

centos7-plus - Released (latest-version: 3.10.0-862.11.6.el7)
rhel7 - Released (latest-version: 3.10.0-862.11.6.el7)
centos7 - To be released
CloudLinux 6 Hybrid - Released (latest-version: 3.10.0-714.10.2.lve1.5.19.6.el6h)
CloudLinux 7 - Released (latest-version: 3.10.0-962.3.2.lve1.5.19.6.el7)

Comments (4)

Guest - Ryan Smith on Friday, 28 September 2018 15:10

Is there anything we need to do to stop KernelCare from automatically installing the patch on Xen PV systems once it is released to the main feed or will KernelCare check first and know not to install it?

Inessa Atmachian on Friday, 28 September 2018 17:50

Hi Ryan,
We believe that the issue is solved and the next update would include a fixup module which would prevent XenPV machines from crashing. But to be extra safe we recommend disabling the auto-update feature by changing AUTO_UPDATE=True to AUTO_UPDATE=False in the KernelCare config file (/etc/sysconfig/kcare/kcare.conf).

Guest - Ryan Smith on Monday, 22 October 2018 15:04

With the patches released for CL6 now, is it safe to install on Xen PV systems?

Guest - Alexandre on Wednesday, 24 October 2018 06:53

No, we don't advise installing the patch from the TEST feed on Xen PV systems.
