{
  "threat_severity" : "Important",
  "public_date" : "2017-03-29T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Out-of-bounds heap access in xfrm",
    "id" : "1435153",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1435153"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.", "Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel's IP framework for transforming packets. An error dealing with netlink messages from an unprivileged user leads to arbitrary read/write and privilege escalation." ],
  "statement" : "This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 as the code with the flaw is not present in the products listed.\nThis issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG-2. In a default or common use of Red Hat Enterprise Linux 7 and MRG-2 this issue does not allow an unprivileged local or remote user to elevate their privileges on the system.\nIn order to exploit this issue the attacker needs CAP_NET_ADMIN capability, which needs to be granted especially by the administrator to the attacker's process. This in turn requires granting CAP_NET_ADMIN capability to the process' binary and/or attacker's account.\nAnother possibility to obtain CAP_NET_ADMIN capability in Red Hat Enterprise Linux 7 for an attacker is running a process inside a user+network namespace with mapped root privileges inside the namespace. Since Red Hat Enterprise Linux 7 does not have unprivileged user namespaces enabled by default, local or remote unprivileged users also cannot abuse namespaces to grant this capability to themselves and elevate their privileges.\nGiven the severity of this issue, future Linux kernel updates for the Red Hat Enterprise Linux 7 and MRG-2 products are planned to address it.",
  "acknowledgement" : "Red Hat would like to thank Chaitin Security Research Lab for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-10-19T00:00:00Z",
    "advisory" : "RHSA-2017:2931",
    "cpe" : "cpe:/a:redhat:rhel_extras_rt:7",
    "package" : "kernel-rt-0:3.10.0-693.5.2.rt56.626.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-10-19T00:00:00Z",
    "advisory" : "RHSA-2017:2930",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kernel-0:3.10.0-693.5.2.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.3 Advanced Update Support",
    "release_date" : "2019-12-10T00:00:00Z",
    "advisory" : "RHSA-2019:4159",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.3",
    "package" : "kernel-0:3.10.0-514.71.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.3 Telco Extended Update Support",
    "release_date" : "2019-12-10T00:00:00Z",
    "advisory" : "RHSA-2019:4159",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.3",
    "package" : "kernel-0:3.10.0-514.71.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions",
    "release_date" : "2019-12-10T00:00:00Z",
    "advisory" : "RHSA-2019:4159",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.3",
    "package" : "kernel-0:3.10.0-514.71.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "release_date" : "2017-10-19T00:00:00Z",
    "advisory" : "RHSA-2017:2918",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2:server:el6",
    "package" : "kernel-rt-1:3.10.0-693.5.2.rt56.592.el6rt"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-7184\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7184" ],
  "name" : "CVE-2017-7184",
  "csaw" : false
}