
Is UTM 9 affected by CVE-2016-10229?

CVE-2016-10229 is a remotely exploitable Linux kernel vulnerability. I would like to know if UTM 9 is vulnerable (evidently some kernel configurations aren't, as RHEL 7 isn't), and if so, when should we see an update remedying this?



  • While UTM is based on SLES, the kernel is custom, I believe, i.e. Sophos builds and maintains their own kernel with its own unique build features and tweaks. So, whether or not SLES is vulnerable isn't pertinent.

    I can obtain the kernel build options from /boot, however it isn't clear from that whether or not udp.c is patched to remove this vulnerability as it is definitely present in the kernel upstream from SUSE upon which 3.12.58 is based. So, just because the kernel version on UTM 9.441 states the kernel version is > 3.12.53, doesn't mean it is definitely free of this vulnerability. I would hope Sophos would put out info as to the status of UTM vs CVE-2016-10229, especially as a remote code execution vulnerability in the kernel is a big deal.

  • You are absolutely correct that only Sophos can confirm/deny if the vulnerability exists in their kernel. However, I am not sure what you mean by the vulnerability being definitely present in 3.12.58 when they patched it in 3.12.53. As 3.12.58 is only supported because of SLES, it seems highly unlikely that they would introduce the vulnerability back into the kernel. https://www.linux.com/news/linux-kernel-312-be-supported-until-2017-because-suse-linux-enterprise-12

  • I'd have to agree with Billybob, but why not open a ticket with Sophos Support and report their answer here?

    It's not so much that they build their own kernel. According to what I've been told over the years, they strip a lot of stuff out of what they get from SUSE and run what's left through a lot of tests. Then, when SUSE fixes something and issues a new release, the developers usually fix the version that they've vetted instead of jumping onto the new SUSE version. It's not impossible that they offer a fix before SUSE does. To get a feel for this, check out the Up2Date blog, e.g., UTM Up2Date 9.409 Released.

    Cheers - Bob

  • SUSE may have patched their (SLES') version of 3.12.53, but the generic upstream version of 3.12.53 is vulnerable.

  • I don't have a support contract with Sophos, else I would have gone to Sophos with this. UTM is used on my home network.

  • My experience with asking over the last ten years has resulted in no answers that would stimulate me to ask this question. If anyone else with Sophos Support can open a ticket on this, please let us know the result.

    Cheers - Bob