Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
  • Products

    Top Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Products

    Downloads and Containers

    • Downloads
    • Packages
    • Containers

    Top Resources

    • Documentation
    • Product Life Cycles
    • Product Compliance
    • Errata
  • Knowledge

    Red Hat Knowledge Center

    • Knowledgebase Solutions
    • Knowledgebase Articles
    • Customer Portal Labs
    • Errata

    Top Product Docs

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Product Docs

    Training and Certification

    • About
    • Course Index
    • Certification Index
    • Skill Assessment
  • Security

    Red Hat Product Security Center

    • Security Updates
    • Security Advisories
    • Red Hat CVE Database
    • Errata

    References

    • Security Bulletins
    • Security Measurement
    • Severity Ratings
    • Security Data

    Top Resources

    • Security Labs
    • Backporting Policies
    • Security Blog
  • Support

    Red Hat Support

    • Support Cases
    • Troubleshoot
    • Get Support
    • Contact Red Hat Support

    Red Hat Community Support

    • Customer Portal Community
    • Community Discussions
    • Red Hat Accelerator Program

    Top Resources

    • Product Life Cycles
    • Customer Portal Labs
    • Red Hat JBoss Supported Configurations
    • Red Hat Insights
Or troubleshoot an issue.

Select Your Language

  • English
  • Français
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift
  • Red Hat OpenShift AI
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat build of Keycloak
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Application Foundations
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
All Products
Red Hat Product Errata RHSA-2017:2918 - Security Advisory
Issued:
2017-10-19
Updated:
2017-10-19

RHSA-2017:2918 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: kernel-rt security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for kernel-rt is now available for Red Hat Enterprise MRG 2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

  • Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation. (CVE-2017-7184, Important)
  • A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important)
  • An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges. (CVE-2017-1000112, Important)
  • Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is unlikely. (CVE-2017-7541, Moderate)
  • An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
  • A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace. (CVE-2017-7558, Moderate)
  • The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. (CVE-2017-11176, Moderate)
  • A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)
  • A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic. (CVE-2017-14340, Moderate)

Red Hat would like to thank Chaitin Security Research Lab for reporting CVE-2017-7184; Willem de Bruijn for reporting CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112. The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat).

Bug Fix(es):

  • kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source tree, which provides number of bug fixes over the previous version. (BZ#1489085)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

  • MRG Realtime 2 x86_64

Fixes

  • BZ - 1435153 - CVE-2017-7184 kernel: Out-of-bounds heap access in xfrm
  • BZ - 1470659 - CVE-2017-11176 kernel: Use-after-free in sys_mq_notify()
  • BZ - 1473198 - CVE-2017-7541 kernel: Possible heap buffer overflow in brcmf_cfg80211_mgmt_tx()
  • BZ - 1473649 - CVE-2017-7542 kernel: Integer overflow in ip6_find_1stfragopt() causes infinite loop
  • BZ - 1479304 - CVE-2017-1000111 kernel: Heap out-of-bounds in AF_PACKET sockets
  • BZ - 1479307 - CVE-2017-1000112 kernel: Exploitable memory corruption due to UFO to non-UFO path switch
  • BZ - 1480266 - CVE-2017-7558 kernel: Out of bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() in SCTP stack
  • BZ - 1487295 - CVE-2017-14106 kernel: Divide-by-zero in __tcp_select_window
  • BZ - 1489085 - update the MRG 2.5.z 3.10 kernel-rt sources
  • BZ - 1491344 - CVE-2017-14340 kernel: xfs: unprivileged user kernel oops

CVEs

  • CVE-2017-1000111
  • CVE-2017-1000112
  • CVE-2017-11176
  • CVE-2017-14106
  • CVE-2017-14340
  • CVE-2017-7184
  • CVE-2017-7541
  • CVE-2017-7542
  • CVE-2017-7558

References

  • https://access.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

MRG Realtime 2

SRPM
kernel-rt-3.10.0-693.5.2.rt56.592.el6rt.src.rpm SHA-256: edfa46b24bbf37dd6190456f78e3fcf36e0022ed24903a7f14578e8a786dc541
x86_64
kernel-rt-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: 9727406089dbb9387e0f9d208e3ad7ddeaea0f2f1d67a6290d8fdfe26bba9561
kernel-rt-debug-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: cb9f3a425a382571175d4f34a3236d7448f46050943c888c94a6577f14b861ad
kernel-rt-debug-debuginfo-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: 8c38b6907308e728970fa43ddd84f9ab77d4b657579d2b8036b06d465033a9ad
kernel-rt-debug-devel-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: 1ba300d5a6973ce5d1ea11493ee0a42972d47b3cbd75b4017d17f8cbf2121a20
kernel-rt-debuginfo-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: a7baa43b60cd2e0594a96b27bddb41a06b058cb4e8b3ea8e3a3a37f58db9f240
kernel-rt-debuginfo-common-x86_64-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: 1842dc892b1fd1a0e7cc9494ac6c3285458fee7a2221e5e60b3ea5830d9c8831
kernel-rt-devel-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: d30059718992c02f2b67bd45608b6280e279964f20719d0561e5bf378b55c42f
kernel-rt-doc-3.10.0-693.5.2.rt56.592.el6rt.noarch.rpm SHA-256: eea74d11bd8f96dcc2dae15a5f6a0d4b89544ed306eaa34eabc85f8b067b6619
kernel-rt-firmware-3.10.0-693.5.2.rt56.592.el6rt.noarch.rpm SHA-256: 18b4294b5f188eb9a5f2011f24cd9c7e341961bae38d6ab1ad360d25c6cfd95a
kernel-rt-trace-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: 31805fe97c76c5937823915c88e263fa2e9174ccc301f0d54f7bdd6a0a2ad179
kernel-rt-trace-debuginfo-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: 85020396f7122b0b5c111b51776df67e31b4d78622645ab92aa05eee18ea9b80
kernel-rt-trace-devel-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: b621cdb0a4cdd19183d2c4a551c9bcf55989ea05523fb52bc498aa91fefa409d
kernel-rt-vanilla-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: 8aeaddfbabc7188c9acb773a23fdfb5cae8f72d4a99ec27e64d74eb101018b62
kernel-rt-vanilla-debuginfo-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: 26464f1a01e29478b8a96f44518d1598c228ef31c988d9b989543cd79c31611b
kernel-rt-vanilla-devel-3.10.0-693.5.2.rt56.592.el6rt.x86_64.rpm SHA-256: eb9a44422e974a1ab05394bb9cbd61288450ad476aba69b63599e438de8eca1e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat LinkedIn YouTube Facebook X, formerly Twitter

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Red Hat legal and privacy links

  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Inclusion at Red Hat
  • Cool Stuff Store
  • Red Hat Summit
© 2025 Red Hat

Red Hat legal and privacy links

  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility