Greetings,

I've seen some users (in IRC) asking about the status of CVE-2014-0196 in the 
RHEL6-based OpenVZ kernel.  I believe the bug that is CVE-2014-0196 was added 
with the 2.6.31-rc4 Linux mainline kernel, and since the RHEL6 kernel is based 
on 2.6.32, it is vulnerable.

Red Hat has a statement here as well as a related bug report:

https://access.redhat.com/security/cve/CVE-2014-0196

https://bugzilla.redhat.com/show_bug.cgi?id=1094232

They do note that:

"This flaw requires shell access, and we are currently unaware of any working 
exploits affecting Red Hat Enterprise Linux 6"

I'm guessing they have an updated kernel package in testing that will be 
released ASAP... and that the OpenVZ kernel will follow suit.

Has anyone tried this exploit on the OpenVZ kernel to see what happens?  I 
haven't, but my guess is that because it doesn't work on the stock RHEL kernel, 
it is unlikely to work on the OpenVZ kernel, but that's just a guess.  
Also, just because the published exploit doesn't work doesn't mean that a 
modified exploit can't.

TYL,
-- 
Scott Dowdle
704 Church Street
Belgrade, MT 59714
(406)388-0827 [home]
(406)994-3931 [work]
_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
