[Users] Status of CVE-2014-0196 in RHEL6-based OpenVZ kernel?

Scott Dowdle dowdle at montanalinux.org
Tue May 13 08:26:15 PDT 2014


Greetings,

I've seen some users (in IRC) asking about the status of CVE-2014-0196 in the RHEL6-based OpenVZ kernel.  I believe the bug that is CVE-2014-0196 was added with the 2.6.31-rc4 Linux mainline kernel, and since the RHEL6 kernel is based on 2.6.32, it is vulnerable.

Red Hat has a statement here as well as a related bug report:

https://access.redhat.com/security/cve/CVE-2014-0196

https://bugzilla.redhat.com/show_bug.cgi?id=1094232

They do note that:

"This flaw requires shell access, and we are currently unaware of any working exploits affecting Red Hat Enterprise Linux 6"

I'm guessing they have an updated kernel package in testing that will be released ASAP... and that the OpenVZ kernel will follow suit.

Has anyone tried this exploit on the OpenVZ kernel to see what happens?  I haven't, but my guess is that because it doesn't work on the stock RHEL kernel, it is unlikely to work on the OpenVZ kernel, but that's just a guess.  Also, just because the published exploit doesn't work doesn't mean that a modified exploit can't.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]

