CVE-2015-4700
Find out more about CVE-2015-4700 from the MITRE CVE dictionary and NIST NVD.
Statement
This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6, as they do not contain the affected code. It does not affect Red Hat Enterprise MRG 2, as it does not enable the affected code at compile time.
This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7.
CVSS v2 metrics
| Base Score | 7.2 |
|---|---|
| Base Metrics | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| Access Vector | Local |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Complete |
| Integrity Impact | Complete |
| Availability Impact | Complete |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (kernel) | RHSA-2015:1778 | 2015-09-15 |
| Red Hat Enterprise Linux for Real Time for NFV (v. 7) (kernel-rt) | RHSA-2015:1788 | 2015-09-15 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise MRG 2 | realtime-kernel | Not affected |
| Red Hat Enterprise Linux 6 | kernel | Not affected |
| Red Hat Enterprise Linux 5 | kernel | Not affected |
| Red Hat Enterprise Linux 4 | kernel | Not affected |
Acknowledgements
Red Hat would like to thank Daniel Borkmann for reporting this issue.
Mitigation
This issue does not affect most systems by default. An administrator would need to have enabled the BPF JIT to be affected.
It can be disabled immediately with the command:
# echo 0 > /proc/sys/net/core/bpf_jit_enable
Or it can be disabled for all subsequent boots of the system by setting a value in /etc/sysctl.d/44-bpf-jit-disable:
## start file ##
net.core.bpf_jit_enable=0
## end file ##
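A check for the mitigation above, as an added example that is not part of the original advisory: it reports the runtime value and the value that sysctl configuration will apply at boot. The `ROOT` argument and the function names are assumptions of this example. It also lists files in `/etc/sysctl.d` that set the key without a `.conf` suffix, because `sysctl --system` reads only `*.conf` from that directory.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the BPF JIT mitigation.
# ROOT (assumed parameter, default "") prefixes all paths so the check can
# run against a mounted image or a constructed test tree.
# Limits: only /etc/sysctl.d and /etc/sysctl.conf are scanned.

# key_value FILE -> last value assigned to net.core.bpf_jit_enable, if any
key_value() {
    sed -n 's/^[[:space:]]*net\.core\.bpf_jit_enable[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# runtime_state ROOT -> current kernel value, or "unknown" if unreadable
runtime_state() {
    cat "$1/proc/sys/net/core/bpf_jit_enable" 2>/dev/null || echo unknown
}

# persisted_state ROOT -> value applied at boot (last assignment wins,
# sysctl.d/*.conf in glob order, then sysctl.conf), or "unset"
persisted_state() {
    result=unset
    for f in "$1"/etc/sysctl.d/*.conf "$1/etc/sysctl.conf"; do
        [ -f "$f" ] || continue
        v=$(key_value "$f")
        [ -n "$v" ] && result=$v
    done
    echo "$result"
}

# ignored_files ROOT -> sysctl.d files that set the key but lack ".conf"
ignored_files() {
    for f in "$1"/etc/sysctl.d/*; do
        [ -f "$f" ] || continue
        case "$f" in *.conf) continue ;; esac
        [ -n "$(key_value "$f")" ] && echo "$f"
    done
    return 0
}

# bpf_jit_audit [ROOT] -> exit 0 only if the JIT is off now and stays off
bpf_jit_audit() {
    root=${1:-}
    rt=$(runtime_state "$root")
    ps=$(persisted_state "$root")
    echo "runtime=$rt persisted=$ps"
    ignored_files "$root" | sed 's/^/set but not loaded at boot: /'
    [ "$rt" = 0 ] && [ "$ps" = 0 ]
}
```

On a live host, source the file and call `bpf_jit_audit` with no argument; a non-zero exit status means the JIT is enabled now or would be after a reboot.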
