CVE-2009-3612 — LOW (2.1) — White Hats Nepal

Q: How severe is CVE-2009-3612?

CVE-2009-3612 has been rated LOW with a CVSS base score of 2.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-3612?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Opensuse Opensuse, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server, Suse Linux Enterprise Software Development Kit.

Vulnerability Description

The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.

CVSS Score

2.1

LOW

AV:L/AC:L/Au:N/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	<= 2.4.37.6
Opensuse	Opensuse	11.0
Suse	Linux Enterprise Desktop	10
Suse	Linux Enterprise Server	10
Suse	Linux Enterprise Software Development Kit	10
Canonical	Ubuntu Linux	6.06
Fedoraproject	Fedora	10

Related Weaknesses (CWE)

CWE-200

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=
http://lists.opensuse.org/opensuse-security-announce/2009-12/msg00002.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2009-12/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00005.htmlMailing ListThird Party Advisory
http://lists.vmware.com/pipermail/security-announce/2010/000082.htmlThird Party Advisory
http://patchwork.ozlabs.org/patch/35412/PatchThird Party Advisory
http://secunia.com/advisories/37086Third Party Advisory
http://secunia.com/advisories/37909Third Party Advisory
http://secunia.com/advisories/38794Third Party Advisory
http://secunia.com/advisories/38834Third Party Advisory
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.32-rc5Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2009:329Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/10/14/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2009/10/14/2Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2009/10/15/1Mailing ListThird Party Advisory

FAQ

What is CVE-2009-3612?

CVE-2009-3612 is a vulnerability with a CVSS score of 2.1 (LOW). The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure memb...

How severe is CVE-2009-3612?

CVE-2009-3612 has been rated LOW with a CVSS base score of 2.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-3612?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Opensuse Opensuse, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server, Suse Linux Enterprise Software Development Kit.