OpenVZ Forum


Home » General » Support » CVE-2016-7910 CVE-2016-7911 (Does these vulnerabilities affects simfs?)
CVE-2016-7910 CVE-2016-7911 [message #52660] Thu, 24 November 2016 09:07 Go to next message
wyckaoo is currently offline  wyckaoo
Messages: 4
Registered: November 2016
Junior Member
hi, CVE-2016-7910 and CVE-2016-7911 vulnerabilities are related to block devices.
As simsfs is layer between node block device and container. Does it theoretically allow to escape containers that are using simfs?
Re: CVE-2016-7910 CVE-2016-7911 [message #52661 is a reply to message #52660] Thu, 24 November 2016 09:58 Go to previous message
vaverin is currently offline  vaverin
Messages: 708
Registered: September 2005
Senior Member
CVE-2016-7910 and CVE-2016-7911 are fixed because they are marked as critical in Google security bulletin.
We do not understand how it's possible to use it for "execute arbitrary code within the context of the kernel."

Yes, theoretically it can allow an escape container,
and yes, I think simfs-based containers can be affected too.
However I doubt that someone outside Google understand how to exploit it in real life.
I even not sure that Google knows it, probably it is just an theoretical possibility.

However we think it can be used to crash host from inside container,
and it was enough for us to close this issue.

There are no according bugs in Red Hat bugzilla.
There are bugs in Novell bugzilla, but its severity is quite low, they also do not see how it can be use for the "gain privileges".

Thank you,
Vasily Averin
Previous Topic: SSL issue on https://www.openvz.org
Next Topic: CUDA support inside containers
Goto Forum:
  


Current Time: Tue Mar 19 11:56:52 GMT 2024

Total time taken to generate the page: 0.02444 seconds