CVE-2017-6507

Name of the Vulnerable Software and Affected Versions AppArmor versions prior to 2.12

Description An issue in AppArmor allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files. The common logic to handle 'restart' operations removes AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. Userspace projects that manage their own AppArmor profiles in atypical directories are affected by this flaw.

Recommendations For versions prior to 2.12, update to version 2.12 or later to resolve the issue. As a temporary workaround, consider modifying the AppArmor init script logic to correctly handle unknown AppArmor profiles in atypical directories. Restrict access to the affected processes to minimize the risk of exploitation until the issue is resolved.