MEDIUM · 6.5

CVE-2014-3519


Vulnerability Description

The open_by_handle_at function in vzkernel before 042stab090.5 in the OpenVZ modification for the Linux kernel 2.6.32, when using simfs, might allow local container users with CAP_DAC_READ_SEARCH capability to bypass an intended container protection mechanism and access arbitrary files on a filesystem via vectors related to use of the file_handle structure.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor: Openvz
Product: Vzkernel
Versions: 2.6.32

Related Weaknesses (CWE)

References

FAQ

What is CVE-2014-3519?

CVE-2014-3519 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The open_by_handle_at function in vzkernel before 042stab090.5 in the OpenVZ modification for the Linux kernel 2.6.32, when using simfs, might allow local container users with CAP_DAC_READ_SEARCH capa...

How severe is CVE-2014-3519?

CVE-2014-3519 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3519?

Check the references section above for vendor advisories and patch information. Affected products include: Openvz Vzkernel.