It addresses a buffer overflow flaw in the Linux kernel

Oct 2, 2019 15:02 GMT  ·  By

Red Hat Product Security and CentOS Project have pushed a new Linux kernel security update for the Red Hat Enterprise Linux 6 and CentOS Linux 6 operating system series to fix an important vulnerability.

Marked by the Red Hat Product Security as having a security impact of "Important," the new Linux kernel security patch addresses a buffer overflow flaw (CVE-2019-14835) discovered in Linux kernel's vhost (virtual host) functionality, which apparently could allow a privileged guest user to escalate his/her privileges on the host system by passing descriptors with invalid length during migration.

"A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host," reads Red Hat's security advisory.

Users are urged to update their systems immediately

The security flaw is known to affect all supported Red Hat Enterprise Linux 6 variants, including Red Hat Enterprise Linux Server 6 (x86_64 and i386), Red Hat Enterprise Linux Workstation 6 (x86_64 and i386), Red Hat Enterprise Linux Desktop 6 (x86_64 and i386), Red Hat Enterprise Linux for IBM z Systems 6, Red Hat Enterprise Linux for Power, big endian 6, and Red Hat Enterprise Linux for Scientific Computing 6, as well as CentOS Linux 6 systems.

Users are urged to update their systems as soon as possible to Linux kernel 2.6.32-754.23.1.el6, which is available for all supported architectures on the main software repositories. After a kernel update, it is important to reboot your machines for the new changes to take effect, and you may also need to recompile and reinstall any third-party kernel modules you might have installed on your Red Hat Enterprise Linux or CentOS Linux systems.

Update 03/10/19: The kernel security update is now also available for Red Hat Enterprise Linux 7 and CentOS Linux 7 systems. Users are urged to update their computers to kernel 3.10.0-1062.1.2.el7, which is available now for all supported hardware architectures.