
Details of a critical vulnerability in the dhcp client packages shipped with RHEL and CentOS 6.x and 7.x have been released and designated CVE-2018-1111. It affects all currently supported versions of the Discovery appliance. We have decided to bring the release of the May OSU forward to include the fix and will release it as soon as possible. We strongly recommend that customers update, particularly in environments that use DHCP.


CVE details:

https://access.redhat.com/security/cve/cve-2018-1111

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111

https://nvd.nist.gov/vuln/detail/CVE-2018-1111


Red Hat security errata:

7.x: https://access.redhat.com/errata/RHSA-2018:1453

6.x: https://access.redhat.com/errata/RHSA-2018:1454


The vulnerability allows a malicious DHCP server to manipulate a NetworkManager integration script (shipped with the dhcp client packages) into running arbitrary commands as root, on any host where the interface in question has DHCP enabled and is managed by NetworkManager.
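A host-side exposure check for the two conditions described above, added here as an example and not part of the original advisory: it treats the CVE id in the dhclient package changelog as the patch indicator and lists the active NetworkManager connections that use DHCP. It assumes the rpm and nmcli tooling of a 7.x host; the changelog text and connection records used offline are constructed.

```shell
#!/bin/sh
# Exposure check for CVE-2018-1111 on a RHEL/CentOS 6.x or 7.x host.
# A host is exposed when the installed dhcp client package predates the
# erratum AND an active NetworkManager connection gets its address via
# DHCP. Both checks are filters over text, so they can be run on captured
# output offline as well as on a live host (invoke with --live).

# Succeed if the package changelog on stdin cites the CVE. Red Hat errata
# builds (and the CentOS rebuilds of them) record the CVE id in %changelog,
# which confirms a backported fix without comparing version strings.
changelog_mentions_fix() {
    grep -q 'CVE-2018-1111'
}

# Print "NAME (DEVICE)" for every NAME:DEVICE:METHOD record on stdin whose
# IPv4 method is "auto" (DHCP); records without a device are inactive.
dhcp_connections() {
    while IFS=: read -r name device method; do
        [ -n "$name" ] && [ -n "$device" ] && [ "$device" != "--" ] || continue
        if [ "$method" = "auto" ]; then
            printf '%s (%s)\n' "$name" "$device"
        fi
    done
    return 0
}

# Live mode: build NAME:DEVICE:METHOD records from nmcli (assumes the nmcli
# of a 7.x host, whose terse "-t -f" output is "field:value").
live_records() {
    nmcli -t -f NAME,DEVICE connection show --active |
    while IFS=: read -r name device; do
        method=$(nmcli -t -f ipv4.method connection show "$name" 2>/dev/null |
                 cut -d: -f2)
        printf '%s:%s:%s\n' "$name" "$device" "$method"
    done
}

main() {
    if rpm -q --changelog dhclient 2>/dev/null | changelog_mentions_fix; then
        echo "dhclient: fix for CVE-2018-1111 present"; return 0
    fi
    echo "dhclient: NOT patched for CVE-2018-1111"
    exposed=$(live_records | dhcp_connections)
    [ -z "$exposed" ] && { echo "no active DHCP connection under NetworkManager"; return 1; }
    echo "Exposed DHCP connections managed by NetworkManager:"
    echo "$exposed"
    return 2
}
if [ "${1:-}" = "--live" ]; then main; fi
```

Exit status 0 means patched, 1 means unpatched but no DHCP connection under NetworkManager, and 2 means unpatched and exposed.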


The 6.x May OSU contains a kernel update (CVE-2018-8897), the dhcp client update and a timezone update.

The 7.x May OSU is substantial: it moves the base OS from CentOS 7.4 to 7.5 and includes the kernel and dhcp client updates listed above.


Update: 22nd May 2018
The OSU should now be available on EPD. For those interested, updates for CVE-2018-3639 (Spectre/Meltdown variant) are *not* included in this update. We will shortly release the May monthly OSU, which will contain those fixes.