Executive Summary

Summary
Title AppArmor update
Informations
Name USN-4008-2 First vendor Publication 2019-06-05
Vendor Ubuntu Last vendor Modification 2019-06-05
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several policy updates were made for running under the recently updated Linux kernel.

Software Description: - apparmor: Linux security system

Details:

USN-4008-1 fixed multiple security issues in the Linux kernel. This update provides the corresponding changes to AppArmor policy for correctly operating under the Linux kernel with fixes for CVE-2019-11190. Without these changes, some profile transitions may be unintentionally denied due to missing mmap ('m') rules.

Original advisory details:

Robert Święcki discovered that the Linux kernel did not properly apply
Address Space Layout Randomization (ASLR) in some situations for setuid elf
binaries. A local attacker could use this to improve the chances of
exploiting an existing vulnerability in a setuid elf binary.
(CVE-2019-11190)

It was discovered that a null pointer dereference vulnerability existed in
the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash). (CVE-2019-11810)

It was discovered that a race condition leading to a use-after-free existed
in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux
kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2019-11815)

Federico Manuel Bento discovered that the Linux kernel did not properly
apply Address Space Layout Randomization (ASLR) in some situations for
setuid a.out binaries. A local attacker could use this to improve the
chances of exploiting an existing vulnerability in a setuid a.out binary.
(CVE-2019-11191)

As a hardening measure, this update disables a.out support.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS:
apparmor-profiles 2.10.95-0ubuntu2.11
python3-apparmor 2.10.95-0ubuntu2.11

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4008-2
https://usn.ubuntu.com/4008-1
CVE-2019-11190

Package Information:
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.11

Original Source

Url : http://www.ubuntu.com/usn/USN-4008-2

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-362 Race Condition
33 % CWE-416 Use After Free
17 % CWE-476 NULL Pointer Dereference

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Application 1
Hardware 1
Hardware 1
Os 4
Os 2
Os 3294
Os 3

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2019-06-06 00:18:45
  • First insertion