3.3

CVE-2015-2877

Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack.  NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.32 <= 4.20.15
RedhatEnterprise Linux Version4.0
RedhatEnterprise Linux Version5.0
RedhatEnterprise Linux Version6.0
RedhatEnterprise Linux Version7.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.11% 0.267
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.3 1.8 1.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 2.1 3.9 2.9
AV:L/AC:L/Au:N/C:P/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://www.antoniobarresi.com/files/cain_advisory.txt
Third Party Advisory
Technical Description
http://www.kb.cert.org/vuls/id/935424
Third Party Advisory
US Government Resource
http://www.securityfocus.com/bid/76256
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1252096
Third Party Advisory
Issue Tracking
https://www.kb.cert.org/vuls/id/BGAR-A2CNKG
Third Party Advisory
US Government Resource
https://www.kb.cert.org/vuls/id/BLUU-9ZAHZH
Third Party Advisory
US Government Resource