CVE: CVE-2018-5391: kernel: IP fragment re-assembly allows DOS (FragmentSmack)

Bug #1805759 reported by Ghada Khalil
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Lin Shuicheng

Bug Description

Brief Description
-----------------
The StarlingX kernel is vulnerable to CVE-2018-5391: kernel: IP fragment re-assembly allows DOS (FragmentSmack)
https://nvd.nist.gov/vuln/detail/CVE-2018-5391

The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.

CVSS v2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

https://access.redhat.com/errata/RHSA-2018:3083
https://lists.centos.org/pipermail/centos-cr-announce/2018-November/005315.html

Required kernel version: kernel-3.10.0-957.el7.src.rpm

Severity
--------
Major. CVSS v2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Steps to Reproduce
------------------
N/A

Expected Behavior
------------------
N/A

Actual Behavior
----------------
N/A

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
any

Timestamp/Logs
--------------
N/A


Ghada Khalil (gkhalil)
tags: added: stx.security
Changed in starlingx:
importance: Undecided → High
Ghada Khalil (gkhalil)
tags: added: stx.2019.03
Ken Young (kenyis)
Changed in starlingx:
assignee: nobody → Cindy Xie (xxie1)
status: New → Triaged
Cindy Xie (xxie1) wrote :

A storyboard has been created for the kernel upgrade: https://storyboard.openstack.org/#!/story/2004521
Once the storyboard is implemented, we can mark this Launchpad bug as fixed.

Lin Shuicheng (shuicheng) wrote :

Hi all,
We ran into an issue upgrading the kernel to the 957 version. It causes build failures in several modules, due to data structure/function API changes in the kernel.
Here is the list of modules that have build issues with the 957 kernel:
Mlnx-ofa_kernel
Intel-i40e
Intel-i40evf
Tpmdd
Intel-ixgbe
drbd
openvswitch

Another thing: based on the info in the link below, Red Hat has an updated kernel SRPM that fixes this CVE for CentOS 7.5:
https://access.redhat.com/errata/RHSA-2018:3459
I cannot find this SRPM, kernel-3.10.0-862.20.2.el7.src.rpm, in the CentOS repo or online yet.
But I suppose CentOS should also have it soon?

So I suggest we fix this CVE in master with this 862 kernel after it is available.
And the 957 kernel upgrade will be done as part of the CentOS 7.6 upgrade in the feature branch.
Thanks.

Brent Rowsell (brent-rowsell) wrote :

CentOS generally only publishes the latest kernel so it is unlikely there will be a 860.20.2 kernel available. As part of moving to 7.6 the work to move to the 957 kernel has to be done anyway.

Changed in starlingx:
assignee: Cindy Xie (xxie1) → Lin Shuicheng (shuicheng)
Ken Young (kenyis)
tags: added: stx.2019.05
removed: stx.2019.03
Lin Shuicheng (shuicheng) wrote :

The kernel has been upgraded in the centos76 feature branch. We could close this issue after the feature branch code is merged back to master.

Cindy Xie (xxie1)
Changed in starlingx:
status: Triaged → Fix Committed
Changed in starlingx:
status: Fix Committed → Fix Released
Ken Young (kenyis)
tags: added: stx.2.0
removed: stx.2019.05
Ken Young (kenyis)
information type: Private Security → Public
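
As an added example (not part of the bug report or of StarlingX code), the shell function below classifies an el7 kernel release string against the two fixed builds named in this thread, kernel-3.10.0-957.el7 and kernel-3.10.0-862.20.2.el7. The function name and its three status words are assumptions made for illustration; builds from streams the thread does not name are reported as unknown rather than guessed.

```sh
#!/bin/sh
# Added example, not from the bug report. Fixed builds taken from the thread:
#   3.10.0-957.el7       (RHSA-2018:3083, the "required kernel version")
#   3.10.0-862.20.2.el7  (RHSA-2018:3459, the 7.5 update mentioned in the comments)

# fragmentsmack_status RELEASE
# Prints "fixed", "vulnerable" or "unknown" for a `uname -r` style string.
fragmentsmack_status() {
    rel=$1
    case $rel in
        3.10.0-*.el7*) ;;                  # only the el7 3.10.0 line is covered
        *) echo unknown; return 0 ;;
    esac
    build=${rel#3.10.0-}                   # e.g. "862.20.2.el7.x86_64"
    build=${build%%.el7*}                  # e.g. "862.20.2"
    case $build in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac

    # Split the build into numeric fields; missing fields count as 0.
    old_ifs=$IFS; IFS=.
    set -- $build
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -ge 957 ]; then
        echo fixed
    elif [ "$major" -eq 862 ]; then
        # Inside the 862 stream, the fix arrives with 862.20.2.
        if [ "$minor" -gt 20 ] || { [ "$minor" -eq 20 ] && [ "$patch" -ge 2 ]; }; then
            echo fixed
        else
            echo vulnerable
        fi
    else
        # Other streams below 957: the thread names no fixed build for them.
        echo unknown
    fi
}

# Classify the running kernel, or a release string passed as the first argument.
fragmentsmack_status "${1:-$(uname -r)}"
```

A vendor-suffixed release such as a rebuilt el7 kernel is handled because everything from `.el7` onward is ignored before the comparison.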