CVE-2016-1585
Published: 22 April 2019
In all versions of AppArmor, mount rules are accidentally widened when compiled.
From the Ubuntu Security Team
It was discovered that the AppArmor policy compiler incorrectly generated looser restrictions than expected for rules allowing mount operations. A local attacker could possibly use this to bypass AppArmor restrictions in applications where some mount operations were permitted.
Notes
Author | Note |
---|---|
sbeattie | apparmor policies that do not grant the ability to perform any mount permissions are not affected. |
alexmurray | Original fix introduced a regression, requiring the fix from https://gitlab.com/apparmor/apparmor/-/merge_requests/1048 as well |
sbeattie | additional regression fix in https://gitlab.com/apparmor/apparmor/-/merge_requests/1054 |
Priority
Status
Package | Release | Status |
---|---|---|
apparmor (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
apparmor | bionic | Needed |
apparmor | cosmic | Ignored (end of life) |
apparmor | disco | Ignored (end of life) |
apparmor | eoan | Ignored (end of life) |
apparmor | focal | Needed |
apparmor | groovy | Ignored (end of life) |
apparmor | hirsute | Ignored (end of life) |
apparmor | impish | Ignored (end of life) |
apparmor | jammy | Needed |
apparmor | kinetic | Ignored (end of life, was needed) |
apparmor | lunar | Ignored (end of life, was needed) |
apparmor | mantic | Not vulnerable (4.0.0~alpha2-0ubuntu5) |
apparmor | noble | Not vulnerable (4.0.0~alpha2-0ubuntu5) |
apparmor | precise | Ignored (end of life) |
apparmor | trusty | Needs triage |
apparmor | upstream | Released (3.1.4) |
apparmor | xenial | Needs triage |
apparmor | yakkety | Ignored (end of life) |
apparmor | zesty | Ignored (end of life) |
Patches:
upstream: https://gitlab.com/apparmor/apparmor/-/merge_requests/333
upstream: https://gitlab.com/apparmor/apparmor/-/merge_requests/1023
upstream: https://gitlab.com/apparmor/apparmor/-/merge_requests/1029
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |