CVE-2009-3228 — LOW (2.1) — White Hats Nepal

Q: How severe is CVE-2009-3228?

CVE-2009-3228 has been rated LOW with a CVSS base score of 2.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-3228?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Canonical Ubuntu Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Eus, Redhat Enterprise Linux Server.

Vulnerability Description

The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.

CVSS Score

2.1

LOW

AV:L/AC:L/Au:N/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	>= 2.4.0, < 2.4.37.6
Canonical	Ubuntu Linux	6.06
Redhat	Enterprise Linux Desktop	5.0
Redhat	Enterprise Linux Eus	5.4
Redhat	Enterprise Linux Server	5.0
Redhat	Enterprise Linux Workstation	5.0

Related Weaknesses (CWE)

CWE-909

References

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git%3Ba=commit%3
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=
http://lists.vmware.com/pipermail/security-announce/2010/000082.htmlThird Party Advisory
http://patchwork.ozlabs.org/patch/32830/PatchThird Party Advisory
http://secunia.com/advisories/37084Third Party Advisory
http://secunia.com/advisories/38794Third Party Advisory
http://secunia.com/advisories/38834Third Party Advisory
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.6Broken Link
http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.31/ChangeLog-2.6.31-rc9Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2010:198Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/09/03/1Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2009/09/05/2Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2009/09/06/2Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2009/09/07/2Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2009/09/17/1Mailing ListPatchThird Party Advisory

FAQ

What is CVE-2009-3228?

CVE-2009-3228 is a vulnerability with a CVSS score of 2.1 (LOW). The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2...

How severe is CVE-2009-3228?

CVE-2009-3228 has been rated LOW with a CVSS base score of 2.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-3228?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Canonical Ubuntu Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Eus, Redhat Enterprise Linux Server.