Skip to main content
Delphix

Mission Control VM may be vulnerable to CVE-2016-5195 (TB039)

Alert Type

Security

Impact

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. This issue is documented publicly under CVE-2016-5195.

Contributing Factors

Any Delphix-provided Mission Control .ova release older than 1.4.1.0 which has not been patched since deployment may be vulnerable. 

The kernel revision may be checked manually or by using community scripts to cross-check the installed/running kernel revision with those affected by the issue. The kernel revision can be validated using a bash script provided by RedHat for evaluation of RHEL and CentOS platforms.

To retreive the script, click the link above and transfer to your Mission Control VM or fetch directly using wget:

Retrieve script with wget
[root@mission-control ~]# wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
--2016-11-21 14:08:10--  https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
Resolving access.redhat.com... 23.192.240.159
Connecting to access.redhat.com|23.192.240.159|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16478 (16K) [application/x-sh]
Saving to: “rh-cve-2016-5195_1.sh”

100%[==================================================================================================================================================================================================================================>] 16,478      --.-K/s   in 0.03s   

2016-11-21 14:08:11 (558 KB/s) - “rh-cve-2016-5195_1.sh” saved [16478/16478]

Resolution

As the Mission Control VM runs on CentOS, resolution of this issue is the same as any other CentOS installation. At a minimum, the kernel should be updated to the latest version, though a more complete system update can be performed if desired. To update the kernel, execute yum update kernel as a privileged user (or update using offline RPM or other internal repo, as appropriate). In any instance, a reboot is required for the change to be effective.

An updated Mission Control OVA is available at our download site, which contains an updated kernel which is not exposed to this CVE. This OVA may be used for new installations or replacement deployments; however, this does not contain any other product upgrade and cannot be installed on an existing VM.