CVE-2014-4027 — LOW (2.3) — White Hats Nepal

Q: How severe is CVE-2014-4027?

CVE-2014-4027 has been rated LOW with a CVSS base score of 2.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-4027?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Redhat Enterprise Linux, Canonical Ubuntu Linux, Suse Linux Enterprise Desktop, Suse Linux Enterprise High Availability Extension.

Vulnerability Description

The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator.

CVSS Score

2.3

LOW

AV:A/AC:M/Au:S/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	< 3.14
Redhat	Enterprise Linux	6.0
Canonical	Ubuntu Linux	12.04
Suse	Linux Enterprise Desktop	11
Suse	Linux Enterprise High Availability Extension	11
Suse	Linux Enterprise Real Time Extension	11
Suse	Linux Enterprise Server	11
F5	Big-Ip Access Policy Manager	>= 11.1.0, <= 11.6.0
F5	Big-Ip Advanced Firewall Manager	>= 11.3.0, <= 11.6.0
F5	Big-Ip Analytics	>= 11.1.0, <= 11.6.0
F5	Big-Ip Application Acceleration Manager	>= 11.4.0, <= 11.6.0
F5	Big-Ip Application Security Manager	>= 11.1.0, <= 11.6.0
F5	Big-Ip Domain Name System	12.0.0
F5	Big-Ip Edge Gateway	>= 11.1.0, <= 11.3.0
F5	Big-Ip Global Traffic Manager	>= 11.1.0, <= 11.6.0
F5	Big-Ip Link Controller	>= 11.1.0, <= 11.6.0
F5	Big-Ip Local Traffic Manager	>= 11.1.0, <= 11.6.0
F5	Big-Ip Policy Enforcement Manager	>= 11.3.0, <= 11.6.0
F5	Big-Ip Protocol Security Module	>= 11.1.0, <= 11.4.1
F5	Big-Ip Wan Optimization Manager	>= 11.1.0, <= 11.3.0

Related Weaknesses (CWE)

CWE-200

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00006.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00007.htmlMailing ListThird Party Advisory
http://permalink.gmane.org/gmane.linux.scsi.target.devel/6618Broken Link
http://secunia.com/advisories/59134Broken Link
http://secunia.com/advisories/59777Broken Link
http://secunia.com/advisories/60564Broken Link
http://secunia.com/advisories/61310Broken Link
http://www.openwall.com/lists/oss-security/2014/06/11/1Mailing ListPatchThird Party Advisory
http://www.ubuntu.com/usn/USN-2334-1Third Party Advisory
http://www.ubuntu.com/usn/USN-2335-1Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1108744Issue TrackingPatchThird Party Advisory
https://github.com/torvalds/linux/commit/4442dc8a92b8f9ad8ee9e7f8438f4c04c03a22dPatchThird Party Advisory
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15685.htmlThird Party Advisory
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=

FAQ

What is CVE-2014-4027?

CVE-2014-4027 is a vulnerability with a CVSS score of 2.3 (LOW). The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitiv...

How severe is CVE-2014-4027?

CVE-2014-4027 has been rated LOW with a CVSS base score of 2.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-4027?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Redhat Enterprise Linux, Canonical Ubuntu Linux, Suse Linux Enterprise Desktop, Suse Linux Enterprise High Availability Extension.