{
  "threat_severity" : "Important",
  "public_date" : "2014-11-10T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet",
    "id" : "1163087",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1163087"
  },
  "cvss" : {
    "cvss_base_score" : "7.1",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:N/A:C",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.", "A flaw was found in the way the Linux kernel's SCTP implementation validated INIT chunks when performing Address Configuration Change (ASCONF). A remote attacker could use this flaw to crash the system by sending a specially crafted SCTP packet to trigger a NULL pointer dereference on the system." ],
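  "statement" : "This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5.\nThis issue does affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2. Future kernel updates for the respective releases may address this issue.\nThe fixed kernel packages for Red Hat Enterprise Linux 6 and 7 are the ones listed under affected_release in this record; Red Hat Enterprise MRG 2 is still listed as Affected under package_state.",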
  "acknowledgement" : "This issue was discovered by Liu Wei (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-01-27T00:00:00Z",
    "advisory" : "RHSA-2015:0087",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "kernel-0:2.6.32-504.8.1.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.2 Advanced Update Support",
    "release_date" : "2015-03-17T00:00:00Z",
    "advisory" : "RHSA-2015:0695",
    "cpe" : "cpe:/o:redhat:rhel_mission_critical:6.2",
    "package" : "kernel-0:2.6.32-220.60.2.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.4 Extended Update Support",
    "release_date" : "2015-03-03T00:00:00Z",
    "advisory" : "RHSA-2015:0285",
    "cpe" : "cpe:/o:redhat:rhel_eus:6.4",
    "package" : "kernel-0:2.6.32-358.56.1.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.5 Extended Update Support",
    "release_date" : "2015-03-03T00:00:00Z",
    "advisory" : "RHSA-2015:0284",
    "cpe" : "cpe:/o:redhat:rhel_eus:6.5",
    "package" : "kernel-0:2.6.32-431.50.1.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-01-28T00:00:00Z",
    "advisory" : "RHSA-2015:0102",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kernel-0:3.10.0-123.20.1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Affected",
    "package_name" : "realtime-kernel",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-7841\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-7841" ],
  "name" : "CVE-2014-7841",
  "csaw" : false
}