CVE-2018-16948

Name of the Vulnerable Software and Affected Versions OpenAFS versions prior to 1.6.23 OpenAFS versions 1.8.x prior to 1.8.2

Description An issue was discovered where several RPC server routines did not fully initialize their output variables before returning, resulting in memory contents leakage from both the stack and the heap. The OpenAFS cache manager, functioning as an Rx server for the AFSCB service, makes clients susceptible to information leakage. For instance, RXAFSCB TellMeAboutYourself leaks kernel memory and KAM ListEntry leaks kaserver memory.

Recommendations For OpenAFS versions prior to 1.6.23, update to version 1.6.23 or later. For OpenAFS versions 1.8.x prior to 1.8.2, update to version 1.8.2 or later.