Vulnerability Description
vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via (1) a crafted ploop driver ioctl call, related to the ploop_getdevice_ioc function in drivers/block/ploop/dev.c, or (2) a crafted quotactl system call, related to the compat_quotactl function in fs/quota/quota.c.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openvz | Vzkernel | 2.6.32 |
Related Weaknesses (CWE)
References
- http://openwall.com/lists/oss-security/2013/07/04/9
- http://wiki.openvz.org/Download/kernel/rhel6-testing/042stab080.2
- http://www.debian.org/security/2013/dsa-2766
- https://bugs.gentoo.org/show_bug.cgi?id=475762
- https://security-tracker.debian.org/tracker/CVE-2013-2239
- http://openwall.com/lists/oss-security/2013/07/04/9
- http://wiki.openvz.org/Download/kernel/rhel6-testing/042stab080.2
- http://www.debian.org/security/2013/dsa-2766
- https://bugs.gentoo.org/show_bug.cgi?id=475762
- https://security-tracker.debian.org/tracker/CVE-2013-2239
FAQ
What is CVE-2013-2239?
CVE-2013-2239 is a vulnerability with a CVSS score of 4.7 (MEDIUM). vzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel s...
How severe is CVE-2013-2239?
CVE-2013-2239 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-2239?
Check the references section above for vendor advisories and patch information. Affected products include: Openvz Vzkernel.