Microsoft · Kubernetes Azure Cloud Provider · CVE-2017-1002100
**Name of the Vulnerable Software and Affected Versions**
Kubernetes Azure cloud provider versions 1.6.0 through 1.6.5
**Description**
The issue concerns the default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider. These permissions are set to "container", which exposes a URI that can be accessed without authentication on the public internet. Obtaining the URI string, however, requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
**Recommendations**
For versions 1.6.0 through 1.6.5, consider restricting access to the exposed URI to prevent unauthorized access until a fix is available. As a temporary workaround, limit privileged access to the Kubernetes cluster and authenticated access to the Azure portal to minimize the risk of exploitation.
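One way to check a storage account for the exposure described above is to audit the access level of each blob container. The following is an added example, not code from this advisory or from the Kubernetes project. It assumes a container listing in the JSON shape printed by `az storage container list` (a `name` plus `properties.publicAccess`); the sample listing, container names and severity labels are constructed for illustration.

```python
import json

# Constructed sample, shaped like the JSON that `az storage container list`
# prints (assumed shape: name + properties.publicAccess). Names are made up.
SAMPLE_LISTING = """
[
  {"name": "vhds", "properties": {"publicAccess": "container"}},
  {"name": "backups", "properties": {"publicAccess": null}},
  {"name": "assets", "properties": {"publicAccess": "blob"}},
  {"name": "legacy"}
]
"""

# Access levels that allow anonymous reads. "container" is the level the
# advisory describes: anonymous read of blobs plus listing of the container.
# "blob" allows anonymous read of a blob whose URL is known, without listing.
# The severity labels are this example's own, not an official rating.
ANONYMOUS_LEVELS = {"container": "HIGH", "blob": "MEDIUM"}


def audit_containers(listing_json):
    """Return [(name, level, severity)] for containers readable without auth."""
    findings = []
    for entry in json.loads(listing_json):
        props = entry.get("properties") or {}
        level = props.get("publicAccess")
        # null, a missing field, or any other value is treated as private
        key = str(level).strip().lower() if level else ""
        if key in ANONYMOUS_LEVELS:
            name = entry.get("name", "<unnamed>")
            findings.append((name, key, ANONYMOUS_LEVELS[key]))
    # Most exposed first, then by name
    return sorted(findings, key=lambda f: (f[2] != "HIGH", f[0]))


if __name__ == "__main__":
    for name, level, severity in audit_containers(SAMPLE_LISTING):
        print(f"{severity:6} {name}: public access level '{level}'")
```

Containers reported at level `container` are the ones to switch back to private access while the affected versions are in use.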