CVE-2016-3156
First published: Wed Mar 16 2016(Updated: )
Destroy of network interface with huge number of ipv4 addresses keeps rtnl_lock for a very long time (up to hour). It blocks many network related operations, including for example creation of new incoming ssh connections. The problem is especially important for containers, container owner have enough permission to enable this trigger and then can block network access on whole host node. Upstream fix: <a href="http://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=fbd40ea0180a2d328c5adc61414dc8bab9335ce2">http://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=fbd40ea0180a2d328c5adc61414dc8bab9335ce2</a> References: <a href="http://seclists.org/oss-sec/2016/q1/643">http://seclists.org/oss-sec/2016/q1/643</a> CVE assignment: <a href="http://seclists.org/oss-sec/2016/q1/647">http://seclists.org/oss-sec/2016/q1/647</a>
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.16-1 | |
| SUSE Linux Enterprise Software Development Kit | =11.0-sp4 | |
| SUSE Linux Enterprise Software Development Kit | =12.0 | |
| SUSE Linux Enterprise Debuginfo | =11.0-sp4 | |
| SUSE Linux Enterprise Desktop | =12.0 | |
| SUSE Linux Enterprise Live Patching | =12.0 | |
| SUSE Linux Enterprise Module for Public Cloud | =12.0 | |
| SUSE Linux Enterprise Real Time Extension | =11.0-sp4 | |
| SUSE Linux Enterprise Real Time Extension | =12.0-sp1 | |
| SUSE Linux Enterprise Server | =11.0-extra | |
| SUSE Linux Enterprise Server | =11.0-sp4 | |
| SUSE Linux Enterprise Server | =12.0 | |
| SUSE Linux Enterprise Workstation Extension | =12.0 | |
| Ubuntu | =12.04 | |
| Linux kernel | <=4.5.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2016/03/15/3
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fbd40ea0180a2d328c5adc61414dc8bab9335ce2
- https://bugzilla.redhat.com/show_bug.cgi?id=1318172
- https://github.com/torvalds/linux/commit/fbd40ea0180a2d328c5adc61414dc8bab9335ce2
- http://www.ubuntu.com/usn/USN-2996-1
- http://www.ubuntu.com/usn/USN-2997-1
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00054.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00059.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00005.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
- http://www.debian.org/security/2016/dsa-3607
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00038.html
- http://www.securityfocus.com/bid/84428
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00060.html
- http://www.ubuntu.com/usn/USN-2968-1
- http://www.ubuntu.com/usn/USN-2968-2
- http://www.ubuntu.com/usn/USN-2969-1
- http://www.ubuntu.com/usn/USN-2970-1
- http://www.ubuntu.com/usn/USN-2971-1
- http://www.ubuntu.com/usn/USN-2971-2
- http://www.ubuntu.com/usn/USN-2971-3
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00019.html
- http://rhn.redhat.com/errata/RHSA-2016-2574.html
- http://rhn.redhat.com/errata/RHSA-2016-2584.html
- https://launchpad.net/bugs/cve/CVE-2016-3156
- http://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=fbd40ea0180a2d328c5adc61414dc8bab9335ce2
- http://seclists.org/oss-sec/2016/q1/643
- http://seclists.org/oss-sec/2016/q1/647
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1318270
- https://access.redhat.com/support/policy/updates/errata/
- https://rhn.redhat.com/errata/RHSA-2016-2574.html
- https://rhn.redhat.com/errata/RHSA-2016-2584.html
- https://www.openwall.com/lists/oss-security/2016/03/15/3
- https://security-tracker.debian.org/tracker/CVE-2016-3156
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3156
- https://nvd.nist.gov/vuln/detail/CVE-2016-3156
- https://ubuntu.com/security/CVE-2016-3156
Frequently Asked Questions
What is the severity of CVE-2016-3156?
CVE-2016-3156 carries a medium severity rating due to its impact on network operations.
How do I fix CVE-2016-3156?
To mitigate CVE-2016-3156, upgrading to the patched versions of kernel packages is recommended.
Which systems are affected by CVE-2016-3156?
CVE-2016-3156 affects various versions of SUSE Linux Enterprise and Ubuntu Linux among others.
What type of vulnerability is CVE-2016-3156?
CVE-2016-3156 is a vulnerability that causes prolonged locking of the rtnl_lock, affecting network functions.
What are the consequences of CVE-2016-3156?
The consequences of CVE-2016-3156 include the blocking of network operations like SSH connections, especially in container environments.
- agent/type
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-3156
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/trending
- agent/last-modified-date
- agent/source
- agent/event
- agent/softwarecombine
- agent/tags
- collector/security-tracker-debian
- source/Debian
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- package-manager/debian
- vendor/novell
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/11.0-sp4
- version/suse linux enterprise software development kit/12.0
- canonical/suse linux enterprise debuginfo
- version/suse linux enterprise debuginfo/11.0-sp4
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/12.0
- canonical/suse linux enterprise live patching
- version/suse linux enterprise live patching/12.0
- canonical/suse linux enterprise module for public cloud
- version/suse linux enterprise module for public cloud/12.0
- canonical/suse linux enterprise real time extension
- version/suse linux enterprise real time extension/11.0-sp4
- version/suse linux enterprise real time extension/12.0-sp1
- canonical/suse linux enterprise server
- version/suse linux enterprise server/11.0-extra
- version/suse linux enterprise server/11.0-sp4
- version/suse linux enterprise server/12.0
- canonical/suse linux enterprise workstation extension
- version/suse linux enterprise workstation extension/12.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.5.1