ID CVE-2016-4470
Summary The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command.
References
Vulnerable Configurations
  • cpe:2.3:o:oracle:vm_server:3.3
    cpe:2.3:o:oracle:vm_server:3.3
  • cpe:2.3:o:oracle:vm_server:3.4
    cpe:2.3:o:oracle:vm_server:3.4
  • Oracle Linux 7.0
    cpe:2.3:o:oracle:linux:7.0
  • Oracle Linux 6.0
    cpe:2.3:o:oracle:linux:6.0
  • cpe:2.3:o:oracle:linux:5.0
    cpe:2.3:o:oracle:linux:5.0
  • Linux Kernel 4.6.3
    cpe:2.3:o:linux:linux_kernel:4.6.3
  • cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1
    cpe:2.3:o:novell:suse_linux_enterprise_real_time_extension:12.0:sp1
  • cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.0
  • RedHat Enterprise Linux HPC Node 7.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0
  • Red Hat Enterprise Linux Server AUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • cpe:2.3:o:redhat:enterprise_linux_for_real_time:7.0
    cpe:2.3:o:redhat:enterprise_linux_for_real_time:7.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • Red Hat Enterprise Linux Server EUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2
  • RedHat Enterprise MRG 2.0
    cpe:2.3:a:redhat:enterprise_mrg:2.0
  • Red Hat Enterprise Linux 6
    cpe:2.3:o:redhat:enterprise_linux:6
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
CVSS
Base: 4.9 (as of 03-10-2016 - 15:45)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
redhat via4
advisories
  • bugzilla
    id 1341716
    title CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539025
        • comment kernel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842006
      • AND
        • comment kernel-abi-whitelists is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539007
        • comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131645028
      • AND
        • comment kernel-bootwrapper is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539029
        • comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842010
      • AND
        • comment kernel-debug is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539009
        • comment kernel-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842012
      • AND
        • comment kernel-debug-devel is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539021
        • comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842014
      • AND
        • comment kernel-devel is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539015
        • comment kernel-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842016
      • AND
        • comment kernel-doc is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539005
        • comment kernel-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842024
      • AND
        • comment kernel-headers is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539013
        • comment kernel-headers is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842008
      • AND
        • comment kernel-kdump is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539019
        • comment kernel-kdump is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842018
      • AND
        • comment kernel-kdump-devel is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539017
        • comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842020
      • AND
        • comment kernel-tools is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539033
        • comment kernel-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678010
      • AND
        • comment kernel-tools-libs is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539027
        • comment kernel-tools-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678012
      • AND
        • comment kernel-tools-libs-devel is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539031
        • comment kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140678020
      • AND
        • comment perf is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539023
        • comment perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100842022
      • AND
        • comment python-perf is earlier than 0:3.10.0-327.28.2.el7
          oval oval:com.redhat.rhsa:tst:20161539011
        • comment python-perf is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111849018
    rhsa
    id RHSA-2016:1539
    released 2016-08-02
    severity Important
    title RHSA-2016:1539: kernel security and bug fix update (Important)
  • bugzilla
    id 1350307
    title kernel-rt: update to the RHEL7.2.z batch#6 source tree
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment kernel-rt is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541011
        • comment kernel-rt is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727006
      • AND
        • comment kernel-rt-debug is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541009
        • comment kernel-rt-debug is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727014
      • AND
        • comment kernel-rt-debug-devel is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541023
        • comment kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727016
      • AND
        • comment kernel-rt-debug-kvm is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541017
        • comment kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152411008
      • AND
        • comment kernel-rt-devel is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541019
        • comment kernel-rt-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727012
      • AND
        • comment kernel-rt-doc is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541005
        • comment kernel-rt-doc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727022
      • AND
        • comment kernel-rt-kvm is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541015
        • comment kernel-rt-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152411024
      • AND
        • comment kernel-rt-trace is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541021
        • comment kernel-rt-trace is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727008
      • AND
        • comment kernel-rt-trace-devel is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541013
        • comment kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150727010
      • AND
        • comment kernel-rt-trace-kvm is earlier than 0:3.10.0-327.28.2.rt56.234.el7_2
          oval oval:com.redhat.rhsa:tst:20161541007
        • comment kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152411014
    rhsa
    id RHSA-2016:1541
    released 2016-08-02
    severity Important
    title RHSA-2016:1541: kernel-rt security and bug fix update (Important)
  • rhsa
    id RHSA-2016:1532
  • rhsa
    id RHSA-2016:1657
rpms
  • kernel-0:3.10.0-327.28.2.el7
  • kernel-abi-whitelists-0:3.10.0-327.28.2.el7
  • kernel-bootwrapper-0:3.10.0-327.28.2.el7
  • kernel-debug-0:3.10.0-327.28.2.el7
  • kernel-debug-devel-0:3.10.0-327.28.2.el7
  • kernel-devel-0:3.10.0-327.28.2.el7
  • kernel-doc-0:3.10.0-327.28.2.el7
  • kernel-headers-0:3.10.0-327.28.2.el7
  • kernel-kdump-0:3.10.0-327.28.2.el7
  • kernel-kdump-devel-0:3.10.0-327.28.2.el7
  • kernel-tools-0:3.10.0-327.28.2.el7
  • kernel-tools-libs-0:3.10.0-327.28.2.el7
  • kernel-tools-libs-devel-0:3.10.0-327.28.2.el7
  • perf-0:3.10.0-327.28.2.el7
  • python-perf-0:3.10.0-327.28.2.el7
  • kernel-rt-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-debug-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-debug-devel-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-debug-kvm-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-devel-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-doc-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-kvm-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-trace-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-trace-devel-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-rt-trace-kvm-0:3.10.0-327.28.2.rt56.234.el7_2
  • kernel-0:2.6.32-642.6.1.el6
  • kernel-abi-whitelists-0:2.6.32-642.6.1.el6
  • kernel-bootwrapper-0:2.6.32-642.6.1.el6
  • kernel-debug-0:2.6.32-642.6.1.el6
  • kernel-debug-devel-0:2.6.32-642.6.1.el6
  • kernel-devel-0:2.6.32-642.6.1.el6
  • kernel-doc-0:2.6.32-642.6.1.el6
  • kernel-firmware-0:2.6.32-642.6.1.el6
  • kernel-headers-0:2.6.32-642.6.1.el6
  • kernel-kdump-0:2.6.32-642.6.1.el6
  • kernel-kdump-devel-0:2.6.32-642.6.1.el6
  • perf-0:2.6.32-642.6.1.el6
  • python-perf-0:2.6.32-642.6.1.el6
refmap via4
confirm
debian DSA-3607
mlist [oss-security] 20160615 CVE-2016-4470: Linux kernel Uninitialized variable in request_key handling user controlled kfree().
sectrack 1036763
suse
  • SUSE-SU-2016:1937
  • SUSE-SU-2016:1961
  • SUSE-SU-2016:1985
  • SUSE-SU-2016:1994
  • SUSE-SU-2016:1995
  • SUSE-SU-2016:1998
  • SUSE-SU-2016:1999
  • SUSE-SU-2016:2000
  • SUSE-SU-2016:2001
  • SUSE-SU-2016:2002
  • SUSE-SU-2016:2003
  • SUSE-SU-2016:2005
  • SUSE-SU-2016:2006
  • SUSE-SU-2016:2007
  • SUSE-SU-2016:2009
  • SUSE-SU-2016:2010
  • SUSE-SU-2016:2011
  • SUSE-SU-2016:2014
  • SUSE-SU-2016:2018
  • SUSE-SU-2016:2105
  • openSUSE-SU-2016:2184
ubuntu
  • USN-3049-1
  • USN-3050-1
  • USN-3051-1
  • USN-3052-1
  • USN-3053-1
  • USN-3054-1
  • USN-3055-1
  • USN-3056-1
  • USN-3057-1
Last major update 28-11-2016 - 15:18
Published 27-06-2016 - 06:59
Last modified 12-08-2017 - 21:29
Back to Top