You are here

CVE-2013-2234

Vincent (CVE) Danen's picture
The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.

Details Source

Mitre

Statement

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG 2 may address this issue. This issue has been addressed for Red Hat Enterprise Linux 5 via RHSA-2013:1166 (https://rhn.redhat.com/errata/RHSA-2013-1166.html).

Public Date

2013-06-26 00:00:00

Impact

Low

Bugzilla

CVE-2013-2234 Kernel: net: information leak in AF_KEY notify

Bugzilla ID

980 995

CVSS Status

verified

Base Score

1.70

Base Metrics

AV:L/AC:L/Au:S/C:P/I:N/A:N

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 6 (kernel) RHSA-2013:1645 2013-11-20
MRG Grid for RHEL 6 Server v.2 (kernel-rt) RHSA-2013:1264 2013-09-16
Red Hat Enterprise Linux 5 (kernel) RHSA-2013:1166 2013-08-20

Affected Packages State

Platform Package State
Red Hat Enterprise MRG 2 realtime-kernel Affected