PT-2018-3076
Xiao Jin
Published: 2018-07-30
Updated: 2019-12-11
CVE-2018-20856
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 4.18.7
ZENworks Configuration Management (ZCM) version 10.3 and versions 11.2 prior to 11.2.4
Description
An issue was discovered in the Linux kernel: a use-after-free error in the blk_drain_queue() function in block/blk-core.c, caused by mishandling of a certain error case. This issue may allow an attacker to impact data integrity, gain unauthorized access to protected information, and cause a denial of service. Additionally, a vulnerability in the ZENworks Configuration Management (ZCM) server allows remote attackers to perform directory traversal attacks and to load and execute arbitrary programs by sending a request to TCP port 443, due to improper authentication for the zenworks/jsp/index.jsp file.
Recommendations
For Linux kernel versions prior to 4.18.7, update to version 4.18.7 or later to resolve the issue.
For ZENworks Configuration Management (ZCM) version 10.3, update to a version later than 10.3.
For ZENworks Configuration Management (ZCM) versions 11.2 prior to 11.2.4, update to version 11.2.4 or later.
As a temporary workaround for the Linux kernel issue, consider restricting access to the block/blk-core.c file until a patch is available.
For the ZENworks Configuration Management (ZCM) issue, restrict access to the zenworks/jsp/index.jsp file to minimize the risk of exploitation.
Weakness Enumeration
Use After Free
Affected Products
Alt Linux
Centos
Linux Kernel
Red Hat
Suse
Ubuntu
Zenworks Configuration Management