First published: Mon Apr 27 2020
A flaw was found in the Linux kernel's SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would validate only the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
Credit: secalert@redhat.com
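The difference between validating only the first message and validating every message in a buffer, shown as an added user-space illustration (not the kernel's code or the upstream patch). The `nl_hdr` struct mirrors the netlink header layout; the message types, the `permitted` policy, the function names and the sample buffer are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as a netlink message header, redefined to stay standalone. */
struct nl_hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
#define NL_ALIGN(n) (((size_t)(n) + 3) & ~(size_t)3)

/* Hypothetical message types and policy: the sender may read but not write. */
enum { MSG_READ = 1, MSG_WRITE = 2 };
static int permitted(uint16_t type) { return type == MSG_READ; }

/* Flawed pattern: the first header's verdict is applied to the whole buffer. */
int check_first_only(const uint8_t *buf, size_t len) {
    struct nl_hdr h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    return permitted(h.type) ? 0 : -1;
}

/* Corrected pattern: walk every message, bounds-check it, deny on any failure. */
int check_all(const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (len - off >= sizeof(struct nl_hdr)) {
        struct nl_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.len < sizeof h || h.len > len - off) return -1; /* malformed length */
        if (!permitted(h.type)) return -1;                    /* denied message */
        if (NL_ALIGN(h.len) > len - off) break;               /* last, unpadded */
        off += NL_ALIGN(h.len);                               /* skip padding */
    }
    return 0;
}

/* Constructed sample input: append one header-only message of the given type. */
size_t put_msg(uint8_t *buf, size_t off, uint16_t type) {
    struct nl_hdr h = { (uint32_t)sizeof h, type, 0, 0, 0 };
    memcpy(buf + off, &h, sizeof h);
    return off + NL_ALIGN(sizeof h);
}

int main(void) {
    uint8_t buf[64];
    size_t n = put_msg(buf, put_msg(buf, 0, MSG_READ), MSG_WRITE);
    printf("first-only: %d, all: %d\n", check_first_only(buf, n), check_all(buf, n));
    return 0;
}
```

A return of 0 means the buffer is accepted and -1 means it is denied; the two checks disagree on the constructed buffer because its second message is one the policy does not permit.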
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel-rt | <0:3.10.0-1160.rt56.1131.el7 | 0:3.10.0-1160.rt56.1131.el7 |
redhat/kernel | <0:3.10.0-1160.el7 | 0:3.10.0-1160.el7 |
redhat/kernel-rt | <0:4.18.0-240.rt7.54.el8 | 0:4.18.0-240.rt7.54.el8 |
redhat/kernel | <0:4.18.0-240.el8 | 0:4.18.0-240.el8 |
kernel SELinux | <5.7 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Server | =8.0 | |
Google Android | | |
ubuntu/linux | <4.15.0-106.107 | 4.15.0-106.107 |
ubuntu/linux | <5.3.0-62.56 | 5.3.0-62.56 |
ubuntu/linux | <5.4.0-37.41 | 5.4.0-37.41 |
ubuntu/linux | <5.7~ | 5.7~ |
ubuntu/linux | <4.4.0-184.214 | 4.4.0-184.214 |
ubuntu/linux-aws | <4.15.0-1073.77 | 4.15.0-1073.77 |
ubuntu/linux-aws | <5.3.0-1030.32 | 5.3.0-1030.32 |
ubuntu/linux-aws | <5.4.0-1015.15 | 5.4.0-1015.15 |
ubuntu/linux-aws | <4.4.0-1073.77 | 4.4.0-1073.77 |
ubuntu/linux-aws | <5.7~ | 5.7~ |
ubuntu/linux-aws | <4.4.0-1109.120 | 4.4.0-1109.120 |
ubuntu/linux-aws-5.0 | <5.7~ | 5.7~ |
ubuntu/linux-aws-5.3 | <5.3.0-1030.32~18.04.1 | 5.3.0-1030.32~18.04.1 |
ubuntu/linux-aws-5.3 | <5.7~ | 5.7~ |
ubuntu/linux-aws-5.4 | <5.7~ | 5.7~ |
ubuntu/linux-aws-hwe | <5.7~ | 5.7~ |
ubuntu/linux-aws-hwe | <4.15.0-1073.77~16.04.1 | 4.15.0-1073.77~16.04.1 |
ubuntu/linux-azure | <5.3.0-1032.33 | 5.3.0-1032.33 |
ubuntu/linux-azure | <5.4.0-1016.16 | 5.4.0-1016.16 |
ubuntu/linux-azure | <4.15.0-1089.99~14.04.1 | 4.15.0-1089.99~14.04.1 |
ubuntu/linux-azure | <5.7~ | 5.7~ |
ubuntu/linux-azure | <4.15.0-1089.99~16.04.1 | 4.15.0-1089.99~16.04.1 |
ubuntu/linux-azure-4.15 | <4.15.0-1089.99 | 4.15.0-1089.99 |
ubuntu/linux-azure-4.15 | <5.7~ | 5.7~ |
ubuntu/linux-azure-5.3 | <5.3.0-1032.33~18.04.1 | 5.3.0-1032.33~18.04.1 |
ubuntu/linux-azure-5.3 | <5.7~ | 5.7~ |
ubuntu/linux-azure-5.4 | <5.7~ | 5.7~ |
ubuntu/linux-azure-edge | <5.7~ | 5.7~ |
ubuntu/linux-gcp | <5.3.0-1030.32 | 5.3.0-1030.32 |
ubuntu/linux-gcp | <5.4.0-1015.15 | 5.4.0-1015.15 |
ubuntu/linux-gcp | <5.7~ | 5.7~ |
ubuntu/linux-gcp | <4.15.0-1077.87~16.04.1 | 4.15.0-1077.87~16.04.1 |
ubuntu/linux-gcp-4.15 | <4.15.0-1077.87 | 4.15.0-1077.87 |
ubuntu/linux-gcp-4.15 | <5.7~ | 5.7~ |
ubuntu/linux-gcp-5.3 | <5.3.0-1030.32~18.04.1 | 5.3.0-1030.32~18.04.1 |
ubuntu/linux-gcp-5.3 | <5.7~ | 5.7~ |
ubuntu/linux-gcp-edge | <5.7~ | 5.7~ |
ubuntu/linux-gke-4.15 | <4.15.0-1063.66 | 4.15.0-1063.66 |
ubuntu/linux-gke-4.15 | <5.7~ | 5.7~ |
ubuntu/linux-gke-5.0 | <5.0.0-1043.44 | 5.0.0-1043.44 |
ubuntu/linux-gke-5.0 | <5.7~ | 5.7~ |
ubuntu/linux-gke-5.3 | <5.3.0-1030.32~18.04.1 | 5.3.0-1030.32~18.04.1 |
ubuntu/linux-gke-5.3 | <5.7~ | 5.7~ |
ubuntu/linux-hwe | <5.3.0-62.56~18.04.1 | 5.3.0-62.56~18.04.1 |
ubuntu/linux-hwe | <5.7~ | 5.7~ |
ubuntu/linux-hwe | <4.15.0-106.107~16.04.1 | 4.15.0-106.107~16.04.1 |
ubuntu/linux-hwe-5.4 | <5.7~ | 5.7~ |
ubuntu/linux-hwe-edge | <5.7~ | 5.7~ |
ubuntu/linux-kvm | <4.15.0-1067.68 | 4.15.0-1067.68 |
ubuntu/linux-kvm | <5.3.0-1024.26 | 5.3.0-1024.26 |
ubuntu/linux-kvm | <5.4.0-1015.15 | 5.4.0-1015.15 |
ubuntu/linux-kvm | <5.7~ | 5.7~ |
ubuntu/linux-kvm | <4.4.0-1075.82 | 4.4.0-1075.82 |
ubuntu/linux-lts-trusty | <5.7~ | 5.7~ |
ubuntu/linux-lts-xenial | <4.4.0-184.214~14.04.1 | 4.4.0-184.214~14.04.1 |
ubuntu/linux-lts-xenial | <5.7~ | 5.7~ |
ubuntu/linux-oem | <4.15.0-1087.97 | 4.15.0-1087.97 |
ubuntu/linux-oem | <5.7~ | 5.7~ |
ubuntu/linux-oem-5.6 | <5.6.0-1011.11 | 5.6.0-1011.11 |
ubuntu/linux-oem-5.6 | <5.7~ | 5.7~ |
ubuntu/linux-oem-osp1 | <5.0.0-1063.68 | 5.0.0-1063.68 |
ubuntu/linux-oem-osp1 | <5.7~ | 5.7~ |
ubuntu/linux-oracle | <4.15.0-1045.49 | 4.15.0-1045.49 |
ubuntu/linux-oracle | <5.3.0-1028.30 | 5.3.0-1028.30 |
ubuntu/linux-oracle | <5.4.0-1015.15 | 5.4.0-1015.15 |
ubuntu/linux-oracle | <5.7~ | 5.7~ |
ubuntu/linux-oracle | <4.15.0-1045.49~16.04.1 | 4.15.0-1045.49~16.04.1 |
ubuntu/linux-oracle-5.0 | <5.7~ | 5.7~ |
ubuntu/linux-oracle-5.3 | <5.3.0-1028.30~18.04.1 | 5.3.0-1028.30~18.04.1 |
ubuntu/linux-oracle-5.3 | <5.7~ | 5.7~ |
ubuntu/linux-raspi | <5.4.0-1012.12 | 5.4.0-1012.12 |
ubuntu/linux-raspi | <5.7~ | 5.7~ |
ubuntu/linux-raspi-5.4 | <5.7~ | 5.7~ |
ubuntu/linux-raspi2 | <4.15.0-1063.67 | 4.15.0-1063.67 |
ubuntu/linux-raspi2 | <5.3.0-1028.30 | 5.3.0-1028.30 |
ubuntu/linux-raspi2 | <5.7~ | 5.7~ |
ubuntu/linux-raspi2 | <4.4.0-1134.143 | 4.4.0-1134.143 |
ubuntu/linux-raspi2-5.3 | <5.3.0-1028.30~18.04.2 | 5.3.0-1028.30~18.04.2 |
ubuntu/linux-raspi2-5.3 | <5.7~ | 5.7~ |
ubuntu/linux-riscv | <5.4.0-27.31 | 5.4.0-27.31 |
ubuntu/linux-riscv | <5.7~ | 5.7~ |
ubuntu/linux-snapdragon | <4.15.0-1080.87 | 4.15.0-1080.87 |
ubuntu/linux-snapdragon | <5.7~ | 5.7~ |
ubuntu/linux-snapdragon | <4.4.0-1138.146 | 4.4.0-1138.146 |
debian/linux | 4.19.249-2 4.19.304-1 5.10.209-2 5.10.205-2 6.1.76-1 6.1.85-1 6.6.15-2 6.7.12-1 |
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.