
CVE-2016-0728: kernel: Use-after-free vulnerability in keyring facility

Question asked by jerryl on Jan 20, 2016

A bug has been reported in many versions of Linux, including openSUSE.  It allows a non-root user to improperly execute code as a root user.

 

The impact of this bug on VMTurbo instances is minimal.  VMTurbo does not draw a security wall between root and non-root users on its instances.  There's nothing useful a non-root user on a VMTurbo instance would be allowed to do.  The only reason to create such users is for auditing purposes:  Users log in as themselves, then use the sudo command or something similar to actually undertake any (root-requiring) operations, such as OS updates.  There is no direct way to exploit this bug from the network - an attacker would first have to log in to a non-root account, and except for the "root-equivalent accounts" used for auditing, no such accounts should exist.

 

Nevertheless, many customers will wish to patch this bug, if only for conformance reasons.

 

  1. If you are running openSUSE 12.3, it's likely that no patch will ever be shipped.  The openSUSE project ended all support for 12.3 last summer.  You must migrate your instance to a new OVA based on openSUSE 13.2.  Note that the next release of VMTurbo will require this migration in any case.
  2. A patch is in the process of being developed for openSUSE 13.2, but at the time this was written, it appears not to be available yet.  You can use the zypper command to check for and apply available updates.

 

You can check the version of your instance by typing the command "cat /etc/os-release".
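The check described in the post, as an added example that is not part of the original post or of VMTurbo's own tooling: it reads os-release text, decides which of the two cases above applies (12.3: migrate; 13.2: patch with zypper), and prints the zypper commands rather than running them. The sample os-release contents are constructed; that openSUSE's os-release carries ID=opensuse with VERSION_ID "12.3" or "13.2", and that zypper's --cve filter is available on 13.2, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: classify an instance by its
# /etc/os-release and print the action the post describes for CVE-2016-0728.
# Assumptions: openSUSE's os-release uses ID=opensuse and VERSION_ID="12.3"
# or "13.2"; zypper on 13.2 accepts --cve for list-patches and patch.

CVE="CVE-2016-0728"

# Print the value of one KEY=value line from os-release text on stdin,
# with surrounding double quotes removed (os-release allows either form).
osrel_value() {
    sed -n "s/^$1=//p" | sed 's/^"//; s/"$//' | head -n 1
}

# Read os-release text from stdin and print one word:
#   migrate -> openSUSE 12.3: out of support, no fix expected, move to a 13.2 OVA
#   patch   -> openSUSE 13.2: check for and apply the kernel update with zypper
#   unknown -> anything else: not one of the two cases the post covers
advice_for_release() {
    osrel=$(cat)
    id=$(printf '%s\n' "$osrel" | osrel_value ID)
    ver=$(printf '%s\n' "$osrel" | osrel_value VERSION_ID)
    case "$id:$ver" in
        opensuse:12.3) echo migrate ;;
        opensuse:13.2) echo patch ;;
        *)             echo unknown ;;
    esac
}

# The zypper commands for the "patch" case, printed rather than executed so
# this script is safe to run anywhere. Run them as root (via sudo) on the instance.
zypper_steps() {
    printf '%s\n' \
        "zypper refresh" \
        "zypper list-patches --cve=$CVE" \
        "zypper patch --cve=$CVE" \
        "uname -r   # reboot if the running kernel is older than the installed one"
}

# Constructed sample os-release contents for the two releases the post names.
SAMPLE_123='NAME=openSUSE
VERSION="12.3 (Dartmouth)"
VERSION_ID="12.3"
ID=opensuse'
SAMPLE_132='NAME=openSUSE
VERSION="13.2 (Harlequin)"
VERSION_ID="13.2"
ID=opensuse'

# Stand-alone use: classify the real host, or the file named in $OS_RELEASE.
OS_RELEASE="${OS_RELEASE:-/etc/os-release}"
if [ -r "$OS_RELEASE" ]; then
    verdict=$(advice_for_release < "$OS_RELEASE")
    echo "$OS_RELEASE: $verdict"
    if [ "$verdict" = patch ]; then
        zypper_steps
    fi
fi
```

Run it on the instance as `sh check.sh`; to try it against one of the constructed samples instead, pipe the sample into `advice_for_release` from a shell that has sourced the file. The "unknown" verdict is deliberate: a release other than 12.3 or 13.2 is outside what the post covers, and the script does not guess for it.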
