CVE-2014-0055

Name of the Vulnerable Software and Affected Versions SUSE Linux Enterprise kernel-pae-devel versions (affected versions not specified) SUSE Linux Enterprise kernel-xen-devel versions (affected versions not specified) SUSE Linux Enterprise gfs2-kmp-xen versions (affected versions not specified) SUSE Linux Enterprise kernel-ec2-devel versions (affected versions not specified) Red Hat Enterprise Linux (RHEL) 6 kernel package versions prior to 2.6.32-431.11.2

Description The issue involves multiple vulnerabilities in the Linux kernel package of SUSE Linux Enterprise and Red Hat Enterprise Linux, which can be exploited remotely to compromise the confidentiality, integrity, and availability of protected information. Specifically, the get rx bufs function in drivers/vhost/net.c does not properly handle vhost get vq desc errors, allowing guest OS users to cause a denial of service (host OS crash) via unspecified vectors.

Recommendations For SUSE Linux Enterprise kernel-pae-devel, kernel-xen-devel, gfs2-kmp-xen, and kernel-ec2-devel: At the moment, there is no information about a newer version that contains a fix for this vulnerability. For Red Hat Enterprise Linux (RHEL) 6 kernel package versions prior to 2.6.32-431.11.2: Update to version 2.6.32-431.11.2 or later to resolve the issue. As a temporary workaround, consider disabling the get rx bufs function in drivers/vhost/net.c to prevent exploitation until a patch is available.