RHSA-2017:1567: Important: Red Hat Container Development Kit 3.0.0 security update
First published: Wed Jun 21 2017(Updated: )
Red Hat Container Development Kit is a platform for developing containerized applications — it is a set of tools that enables developers to quickly and easily set up an environment for developing and testing containerized applications on the Red Hat Enterprise Linux platform.<br>With this update, Container Development Kit has been updated to 3.0.0-2, which includes an updated Red Hat Enterprise Linux ISO that contains fixes for the following security issues.<br>Security Fix(es):<br><li> A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502)</li> <li> A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult. (CVE-2017-1000364)</li> <li> A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult. (CVE-2017-1000366)</li> Red Hat would like to thank Qualys Research Labs for reporting CVE-2017-1000364 and CVE-2017-1000366.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Container Development Kit | >=3.0.0-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1446631
- https://bugzilla.redhat.com/show_bug.cgi?id=1452543
- https://bugzilla.redhat.com/show_bug.cgi?id=1461333
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/downloads/content/293/
- https://access.redhat.com/errata/RHSA-2017:1567 (Advisory)
Frequently Asked Questions
What is the severity of RHSA-2017:1567?
The severity of RHSA-2017:1567 is classified as important.
How do I fix RHSA-2017:1567?
To fix RHSA-2017:1567, apply the latest updates provided by Red Hat for the Container Development Kit.
What vulnerabilities are addressed in RHSA-2017:1567?
RHSA-2017:1567 addresses multiple vulnerabilities related to the Red Hat Container Development Kit.
Is RHSA-2017:1567 applicable to all Red Hat users?
RHSA-2017:1567 is specifically applicable to users of the Red Hat Container Development Kit.
What impact does RHSA-2017:1567 have on application security?
RHSA-2017:1567 can potentially lead to security risks if the vulnerabilities are not addressed in the containerized applications.
- agent/references
- agent/severity
- agent/type
- agent/event
- agent/last-modified-date
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2017:1567
- agent/first-publish-date
- agent/trending
- agent/title
- agent/weakness
- agent/remedy
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup