A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. This issue is documented publicly under CVE-2016-5195.
Any Delphix-provided Mission Control .ova release older than 220.127.116.11 which has not been patched since deployment may be vulnerable.
The kernel revision may be checked manually or by using community scripts to cross-check the installed/running kernel revision with those affected by the issue. The kernel revision can be validated using a bash script provided by RedHat for evaluation of RHEL and CentOS platforms.
To retreive the script, click the link above and transfer to your Mission Control VM or fetch directly using
[root@mission-control ~]# wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh --2016-11-21 14:08:10-- https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh Resolving access.redhat.com... 18.104.22.168 Connecting to access.redhat.com|22.214.171.124|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 16478 (16K) [application/x-sh] Saving to: “rh-cve-2016-5195_1.sh” 100%[==================================================================================================================================================================================================================================>] 16,478 --.-K/s in 0.03s 2016-11-21 14:08:11 (558 KB/s) - “rh-cve-2016-5195_1.sh” saved [16478/16478]
As the Mission Control VM runs on CentOS, resolution of this issue is the same as any other CentOS installation. At a minimum, the kernel should be updated to the latest version, though a more complete system update can be performed if desired. To update the kernel, execute
yum update kernel as a privileged user (or update using offline RPM or other internal repo, as appropriate). In any instance, a reboot is required for the change to be effective.
An updated Mission Control OVA is available at our download site, which contains an updated kernel which is not exposed to this CVE. This OVA may be used for new installations or replacement deployments; however, this does not contain any other product upgrade and cannot be installed on an existing VM.