
Details of a critical vulnerability in the DHCP clients shipped with RHEL and CentOS 6.x and 7.x have been released and designated CVE-2018-1111. It affects all currently supported versions of the Discovery appliance. We have decided to bring the release of the May OSU forward to accommodate the fix and will release it as soon as possible. We strongly recommend that customers update, particularly in environments that use DHCP.


CVE details:

https://access.redhat.com/security/cve/cve-2018-1111

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111

https://nvd.nist.gov/vuln/detail/CVE-2018-1111


Red Hat security errata:

7.x: https://access.redhat.com/errata/RHSA-2018:1453

6.x: https://access.redhat.com/errata/RHSA-2018:1454


The vulnerability allows a malicious DHCP server to manipulate a NetworkManager integration script (shipped with the DHCP client packages) into running arbitrary commands as root, when the affected interface has DHCP enabled and is managed by NetworkManager.
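The root cause, which the post does not spell out, is that option values supplied by the DHCP server reached a root-privileged shell script without sanitisation. The following is an added example, not code from this post or from the Discovery product: a small parser for the RFC 2132 option field of a DHCP message that flags any option value containing characters a shell would interpret, so that offers or acks captured from the wire can be checked before trusting the DHCP server on a segment. The sample packet bytes are constructed for the example.

```python
"""Flag DHCP option values that carry shell metacharacters.

Defender-side check for the class of problem behind CVE-2018-1111:
option values chosen by a DHCP server were interpolated into a shell
context by a NetworkManager dispatcher script running as root.
"""
import re

# Characters a POSIX shell would treat specially if a value were interpolated unquoted.
SHELL_META = re.compile(r"[\'\"`$;&|<>(){}\\\n]")
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that precedes the options


def parse_options(payload: bytes) -> dict:
    """Parse the DHCP options field (TLV encoded) into {option_code: raw_value}."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def suspicious_options(payload: bytes) -> list:
    """Return (code, text) for every option whose value contains a shell metacharacter."""
    hits = []
    for code, value in parse_options(payload).items():
        text = value.decode("latin-1")   # keep every byte visible, never fail on decode
        if SHELL_META.search(text):
            hits.append((code, text))
    return hits


# Constructed sample: DHCPOFFER (option 53 = 2), domain name (15) with a stray ';',
# and a harmless hostname (12), terminated by the end option.
SAMPLE_OFFER = DHCP_MAGIC + b"\x35\x01\x02" + b"\x0f\x09lab.lan;x" + b"\x0c\x04host" + b"\xff"

if __name__ == "__main__":
    for code, text in suspicious_options(SAMPLE_OFFER):
        print("option %d carries shell metacharacters: %r" % (code, text))
```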


The 6.x May OSU contains the kernel update (CVE-2018-8897), the DHCP client update and a timezone update.

The 7.x May OSU is substantial: it moves the base OS from CentOS 7.4 to 7.5 and includes the kernel and DHCP client updates listed above.


Update: 22nd May 2018

The OSU should now be available on EPD. For those interested, updates for CVE-2018-3639 (Spectre/Meltdown variant) are *not* included in this update. We will shortly release the May monthly OSU, which will contain those fixes.


Update: 23rd May 2018

Please note: I refer to the May OSU in the blog post and then, in the update, say "we will shortly release the May monthly OSU". We chose to bring the May OSU forward, but the Spectre/Meltdown variants were then announced and patches made available. There is another May OSU coming (e.g. 6.18.05.xx, where xx is later than 16) that contains these fixes (and one or two other updates), but it will be released at the "usual" time, in tandem with the TKN.


Apologies for the confusion.