Executive Summary
Summary | |
---|---|
Title | lvm2-cluster security update |
Informations | |||
---|---|---|---|
Name | RHSA-2010:0567 | First vendor Publication | 2010-07-28 |
Vendor | RedHat | Last vendor Modification | 2010-07-28 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.6 | Attack Range | Local |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An updated lvm2-cluster package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Cluster-Storage (v. 5 server) - i386, ia64, ppc, x86_64 3. Description: The lvm2-cluster package contains support for Logical Volume Management (LVM) in a clustered environment. It was discovered that the cluster logical volume manager daemon (clvmd) did not verify the credentials of clients connecting to its control UNIX abstract socket, allowing local, unprivileged users to send control commands that were intended to only be available to the privileged root user. This could allow a local, unprivileged user to cause clvmd to exit, or request clvmd to activate, deactivate, or reload any logical volume on the local system or another system in the cluster. (CVE-2010-2526) Note: This update changes clvmd to use a pathname-based socket rather than an abstract socket. As such, the lvm2 update RHBA-2010:0569, which changes LVM to also use this pathname-based socket, must also be installed for LVM to be able to communicate with the updated clvmd. All lvm2-cluster users should upgrade to this updated package, which contains a backported patch to correct this issue. After installing the updated package, clvmd must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 614248 - CVE-2010-2526 lvm2-cluster: insecurity when communicating between lvm2 and clvmd |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2010-0567.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-287 | Improper Authentication |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12539 | |||
Oval ID: | oval:org.mitre.oval:def:12539 | ||
Title: | DSA-2095-1 lvm2 -- insecure communication protocol | ||
Description: | Alasdair Kergon discovered that the cluster logical volume manager daemon in lvm2, The Linux Logical Volume Manager, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service. For the stable distribution, this problem has been fixed in version 2.02.39-8 For the testing distribution, and the unstable distribution, this problem has been fixed in version 2.02.66-3 We recommend that you upgrade your lvm2 package. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2095-1 CVE-2010-2526 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | lvm2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:13264 | |||
Oval ID: | oval:org.mitre.oval:def:13264 | ||
Title: | USN-1001-1 -- lvm2 vulnerability | ||
Description: | The cluster logical volume manager daemon in LVM2 did not correctly validate credentials. A local user could use this flaw to manipulate logical volumes without root privileges and cause a denial of service in the cluster. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1001-1 CVE-2010-2526 | Version: | 5 |
Platform(s): | Ubuntu 8.04 Ubuntu 10.04 Ubuntu 9.10 Ubuntu 6.06 Ubuntu 9.04 | Product(s): | lvm2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22225 | |||
Oval ID: | oval:org.mitre.oval:def:22225 | ||
Title: | RHSA-2010:0567: lvm2-cluster security update (Moderate) | ||
Description: | The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0567-01 CESA-2010:0567 CVE-2010-2526 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | lvm2-cluster |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22792 | |||
Oval ID: | oval:org.mitre.oval:def:22792 | ||
Title: | ELSA-2010:0567: lvm2-cluster security update (Moderate) | ||
Description: | The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0567-01 CVE-2010-2526 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | lvm2-cluster |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27685 | |||
Oval ID: | oval:org.mitre.oval:def:27685 | ||
Title: | DEPRECATED: ELSA-2010-0567 -- lvm2-cluster security update (moderate) | ||
Description: | [2.02.56-el5_5.4] - CVE-2010-2526: Fix insecurity when communicating between lvm2 and clvmd. Resolves: #616044 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0567 CVE-2010-2526 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | lvm2-cluster |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for lvm2-cluster CESA-2010:0567 centos5 i386 File : nvt/gb_CESA-2010_0567_lvm2-cluster_centos5_i386.nasl |
2010-12-02 | Name : Fedora Update for lvm2 FEDORA-2010-13239 File : nvt/gb_fedora_2010_13239_lvm2_fc14.nasl |
2010-10-19 | Name : Ubuntu Update for lvm2 vulnerability USN-1001-1 File : nvt/gb_ubuntu_USN_1001_1.nasl |
2010-10-10 | Name : Debian Security Advisory DSA 2095-1 (lvm2) File : nvt/deb_2095_1.nasl |
2010-10-01 | Name : Fedora Update for lvm2 FEDORA-2010-12250 File : nvt/gb_fedora_2010_12250_lvm2_fc12.nasl |
2010-09-14 | Name : Fedora Update for lvm2 FEDORA-2010-13708 File : nvt/gb_fedora_2010_13708_lvm2_fc13.nasl |
2010-09-14 | Name : Fedora Update for udisks FEDORA-2010-13708 File : nvt/gb_fedora_2010_13708_udisks_fc13.nasl |
2010-09-07 | Name : Mandriva Update for lvm2 MDVSA-2010:171 (lvm2) File : nvt/gb_mandriva_MDVSA_2010_171.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
66753 | LVM2 clvmd Abstract Socket Credential Check Weakness Local Privilege Escalation |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-09.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2010-0567.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2010-0567.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100728_lvm2_cluster_lvm2_for_SL5.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_lvm2-clvm2-100820.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_lvm2-100730.nasl - Type : ACT_GATHER_INFO |
2010-10-07 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1001-1.nasl - Type : ACT_GATHER_INFO |
2010-09-27 | Name : The remote Fedora host is missing a security update. File : fedora_2010-12250.nasl - Type : ACT_GATHER_INFO |
2010-09-16 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_lvm2-100812.nasl - Type : ACT_GATHER_INFO |
2010-09-12 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2010-13708.nasl - Type : ACT_GATHER_INFO |
2010-09-07 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-171.nasl - Type : ACT_GATHER_INFO |
2010-09-02 | Name : The remote Fedora host is missing a security update. File : fedora_2010-13239.nasl - Type : ACT_GATHER_INFO |
2010-08-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2095.nasl - Type : ACT_GATHER_INFO |
2010-07-30 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2010-0567.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2015-12-05 13:27:44 |
|
2014-02-17 11:53:40 |
|