Red Hat Enterprise Linux 7 operating systems also affected

Jan 21, 2017 03:32 GMT  ·  By

CentOS developer and maintainer Johnny Hughes is announcing the availability of a new, important Linux kernel security update for the CentOS 7 series of operating systems.

CentOS 7 is rebuilt from the freely distributed source code of the commercial Red Hat Enterprise Linux 7 operating system series, which means that it also receives the same security patches. According to the recently published RHSA-2017:0086-1 security advisory, which Red Hat rated Important, the update patches three security vulnerabilities.

Two of these security flaws are rated Moderate and one Important. The latter, tracked as CVE-2016-7117, is a use-after-free vulnerability in the exit path of the Linux kernel's recvmmsg() socket system call, which could allow a remote attacker to corrupt kernel memory and possibly execute arbitrary code.

As for the other two security issues, CVE-2016-6828 is a use-after-free vulnerability in the Linux kernel's tcp_xmit_retransmit_queue() and other tcp_* functions. An attacker able to send a forged selective acknowledgment (SACK) to an existing TCP connection could trigger it, possibly resetting that connection.

On the other hand, CVE-2016-9555 is a flaw in the Linux kernel's implementation of the Stream Control Transmission Protocol (SCTP), a transport-layer protocol. A remote attacker could trigger an out-of-bounds read with an offset of up to 64kB, potentially crashing the vulnerable system.

To close these holes, install the new kernel-3.10.0-514.6.1.el7.x86_64 package from the official repositories as soon as possible. A standard system update (yum update) will pull it in, but the new kernel only takes effect after a reboot; until you reboot, the machine is still running the vulnerable kernel, so don't postpone it.
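Because the fix is not active until the machine has been booted into the new kernel, a quick check that compares the running kernel with the fixed build is worth having. The script below is an added example and is not part of the advisory or of CentOS itself; the comparison helpers only assume the RHEL/CentOS kernel naming scheme (version-release, e.g. 3.10.0-514.6.1.el7.x86_64), and the host check at the end is only meaningful on a RHEL 7 family system, which it detects by the presence of /etc/redhat-release (an assumption of this example).

```shell
#!/bin/sh
# Added example (not from the advisory): is the booted kernel at least the
# fixed build shipped with RHSA-2017:0086, kernel-3.10.0-514.6.1.el7?
set -u

FIXED_KERNEL="3.10.0-514.6.1.el7"

# Turn "3.10.0-514.6.1.el7.x86_64" into the space-terminated numeric fields
# "3 10 0 514 6 1 "; non-numeric parts such as el7 and x86_64 are dropped.
kernel_fields() {
    printf '%s\n' "$1" |
        awk -F'[.-]' '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) printf "%s ", $i }'
}

# Succeeds (exit 0) when kernel $1 is the same as or newer than kernel $2.
# Fields are compared numerically, left to right, so 514.10.2 > 514.6.1,
# which a plain string comparison would get wrong; a missing field counts as 0.
kernel_at_least() {
    a=$(kernel_fields "$1")
    b=$(kernel_fields "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%% *}; a=${a#* }
        fb=${b%% *}; b=${b#* }
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# Host check: the booted kernel versus the fix, and whether a newer kernel
# package is installed but not yet booted (the classic "forgot to reboot").
check_running_kernel() {
    running=$(uname -r)
    if kernel_at_least "$running" "$FIXED_KERNEL"; then
        echo "running kernel $running already includes RHSA-2017:0086"
    else
        echo "running kernel $running predates $FIXED_KERNEL: update and reboot"
    fi
    if command -v rpm >/dev/null 2>&1; then
        newest=""
        for k in $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel); do
            if [ -z "$newest" ] || kernel_at_least "$k" "$newest"; then
                newest=$k
            fi
        done
        if [ -n "$newest" ] && ! kernel_at_least "$running" "$newest"; then
            echo "kernel $newest is installed but not booted: reboot pending"
        fi
    fi
}

# Only run the host check on a RHEL 7 family system, where the version
# string means something (assumption of this example: /etc/redhat-release).
if [ -r /etc/redhat-release ]; then
    check_running_kernel
fi
```

The same "installed but not booted" condition is what `needs-restarting -r` from yum-utils reports on CentOS 7; the script above just makes the comparison explicit, and it is also the check to script across a fleet when the CVEs in this advisory are being tracked to closure.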

Please note that the upstream Red Hat security advisory also lists six other, non-security bugs fixed in this kernel update for Red Hat Enterprise Linux 7. Since CentOS rebuilds the same source package, those fixes are part of the CentOS 7 kernel as well, which is one more reason to update promptly.