CVE-2018-6556
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/08/2018
Last modified:
31/05/2019
Description
lxc-user-nic when asked to delete a network interface will unconditionally open a user provided path. This code path may be used by an unprivileged user to check for the existence of a path which they wouldn't otherwise be able to reach. It may also be used to trigger side effects by causing a (read-only) open of special kernel files (ptmx, proc, sys). Affected releases are LXC: 2.0 versions above and including 2.0.9; 3.0 versions above and including 3.0.0, prior to 3.0.2.
Impact
Base Score 3.x
3.30
Severity 3.x
LOW
Base Score 2.0
2.10
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.0.9 (including) |
| cpe:2.3:a:linuxcontainers:lxc:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.2 (excluding) |
| cpe:2.3:a:suse:caas_platform:1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:suse:caas_platform:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:suse:openstack_cloud:6:*:*:*:*:*:*:* | ||
| cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp3:*:*:ltss:*:*:* | ||
| cpe:2.3:o:suse:suse_linux_enterprise_server:11:sp4:*:*:*:*:*:* | ||
| cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00076.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html
- https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591
- https://bugzilla.suse.com/show_bug.cgi?id=988348
- https://security.gentoo.org/glsa/201808-02
- https://usn.ubuntu.com/usn/usn-3730-1