CVE-2007-4567
Published 2007-12-21
Priority P343·high·7.8·CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 14.34% (96.2th percentile)
The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | < 2.6.32.4 | 2.6.32.4 |
| linux | linux_kernel | <= 2.6.21.7 | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
CVSS provenance
nvd·v2.0·7.8·HIGH·AV:N/AC:L/Au:N/C:N/I:N/A:C
vendor_redhat·7.8·HIGH
vendor_ubuntu·4.0·MEDIUM
GHSA
GHSA-4g83-m3vp-774r: The ipv6_hop_jumbo function in net/ipv6/exthdrs
ghsa_unreviewed·2022-05-02·CVSS 7.8
CVE-2010-0006 [HIGH] CWE-476 GHSA-4g83-m3vp-774r: The ipv6_hop_jumbo function in net/ipv6/exthdrs
The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567.
GHSA
GHSA-v5px-33wm-8jfx: The ipv6_hop_jumbo function in net/ipv6/exthdrs
ghsa_unreviewed·2022-05-01
CVE-2007-4567 [HIGH] CWE-20 GHSA-v5px-33wm-8jfx: The ipv6_hop_jumbo function in net/ipv6/exthdrs
The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.
Red Hat
kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo()
vendor_redhat·2009-01-14·CVSS 7.8
CVE-2010-0006 [HIGH] CWE-476 kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo()
The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567.
Statement: Not vulnerable. This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not have support for network namespaces, and did not include upstream commit 483a47d2 that introduced the problem.
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2008-02-04·CVSS 4.0
CVE-2006-6058 [MEDIUM] Linux kernel vulnerabilities
The minix filesystem did not properly validate certain filesystem
values. If a local attacker could trick the system into attempting
to mount a corrupted minix filesystem, the kernel could be made to
hang for long periods of time, resulting in a denial of service.
This was only vulnerable in Ubuntu 7.04 and 7.10. (CVE-2006-6058)
The signal handling on PowerPC systems using HTX allowed local users
to cause a denial of service via floating point corruption. This was
only vulnerable in Ubuntu 6.10 and 7.04. (CVE-2007-3107)
The Linux kernel did not properly validate the hop-by-hop IPv6
extended header. Remote attackers could send a crafted IPv6 packet
and cause a denial of service via kernel panic. This was only
vuln
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2007-12-19·CVSS 4.0
CVE-2006-6058 [MEDIUM] Linux kernel vulnerabilities
The minix filesystem did not properly validate certain filesystem values.
If a local attacker could trick the system into attempting to mount a
corrupted minix filesystem, the kernel could be made to hang for long
periods of time, resulting in a denial of service. (CVE-2006-6058)
Certain calculations in the hugetlb code were not correct. A local
attacker could exploit this to cause a kernel panic, leading to a denial
of service. (CVE-2007-4133)
Eric Sesterhenn and Victor Julien discovered that the hop-by-hop IPv6
extended header was not correctly validated. If a system was configured
for IPv6, a remote attacker could send a specially crafted IPv6 packet
and cause the kernel to panic, leading to a denial of servic
Red Hat
kernel: ipv6_hop_jumbo remote system crash
vendor_redhat·2007-09-07·CVSS 7.8
CVE-2007-4567 [HIGH] CWE-228 kernel: ipv6_hop_jumbo remote system crash
The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.22 does not properly validate the hop-by-hop IPv6 extended header, which allows remote attackers to cause a denial of service (NULL pointer dereference and kernel panic) via a crafted IPv6 packet.
Statement: This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4 and Red Hat Enterprise MRG. Shipped kernels do not include upstream commit a11d206d that introduced the problem.
This upstream commit was backported in Red Hat Enterprise Linux 5 via RHBA-2008:0314. It was reported and addressed in Red Hat Enterprise Linux 5 via RHSA-2010:0019.
No detection rules found.
Bugzilla
CVE-2010-0006 kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo()
bugzilla·2010-01-14·CVSS 7.8
CVE-2010-0006 [HIGH] CVE-2010-0006 kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo()
Description of problem:
http://marc.info/?l=linux-netdev&m=126343325807340&w=2
This fixes CERT-FI FICORA #341748
Discovered by Olli Jarva and Tuomo Untinen from the CROSS project at Codenomicon Ltd.
Just like in CVE-2007-4567, we can't rely upon skb_dst() being non-NULL at this point. We fixed that in commit e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on skb->dst before it is assigned.")
However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added net argument to IP6_INC_STATS_BH") put a new version of the same bug into this function.
Complicating analysis further, this bug can only trigger when network namespaces are enabled in the build. When namespaces are turned off, the dev_net() doe
Bugzilla
CVE-2007-4567 kernel: ipv6_hop_jumbo remote system crash
bugzilla·2009-12-18·CVSS 7.8
CVE-2007-4567 [HIGH] CVE-2007-4567 kernel: ipv6_hop_jumbo remote system crash
Victor Julien originally discovered that there is a way to crash the Linux kernel by sending a single IPv6 packet at it.
1) The CVE-2007-4567 issue was reported to Red Hat in September 2007. Red Hat Enterprise Linux 5 was found not to be affected.
2) On December 18, 2009, a customer reported to us that Red Hat Enterprise Linux 5 was vulnerable to CVE-2007-4567.
3) Investigations showed that the issue was introduced in the RHBA-2008-0314 update on May 21, 2008 via a backport of a collection of patches for DoD IPv6 conformance.
4) Updates released on January 7, 2010 for Red Hat Enterprise Linux 5, resolving CVE-2007-4567.
Note that the Linux kernels as shipped with Red Hat Enterprise Linux 3, 4, and Red Hat Enterprise MRG are
Bugzilla
CVE-2007-5731 Absolute path traversal vulnerability in Apache Jakarta Slide 2.1
bugzilla·2007-10-31·CVSS 3.5
CVE-2007-5731 [LOW] CVE-2007-5731 Absolute path traversal vulnerability in Apache Jakarta Slide 2.1
Absolute path traversal vulnerability in Apache Jakarta Slide 2.1 and earlier
allows remote authenticated users to read arbitrary files via a WebDAV write
request that specifies an entity with a SYSTEM tag, a related issue to
CVE-2007-5461.
http://www.milw0rm.com/exploits/4567
Discussion:
we are not affected (webdav server issue, jboss uses client only)
Bugzilla
CVE-2007-4567 ipv6_hop_jumbo remote system crash
bugzilla·2007-09-05·CVSS 7.8
CVE-2007-4567 [HIGH] CVE-2007-4567 ipv6_hop_jumbo remote system crash
From Victor Julien:
There exists a way to crash the Linux kernel by sending a single IPv6 packet at it.
Discussion:
Created attachment 187121
Linus thinks this patch fixed it upstream (not verified)
---
Note, no RHEL tree is affected by this. This bug was introduced with the
patch "[IPV6]: Per-interface statistics support.", which was accepted in 2.6.20;
therefore the vulnerable code was never included in any of our releases.
http://bugzilla.kernel.org/show_bug.cgi?id=8450
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=e76b2b2567b83448c2ee85a896433b96150c92e6
http://secunia.com/advisories/25505
http://secunia.com/advisories/28170
http://secunia.com/advisories/28706
http://secunia.com/advisories/38015
http://www.redhat.com/support/errata/RHSA-2010-0019.html
http://www.redhat.com/support/errata/RHSA-2010-0053.html
http://www.securityfocus.com/bid/26943
http://www.ubuntu.com/usn/usn-574-1
https://bugzilla.redhat.com/show_bug.cgi?id=548641
https://exchange.xforce.ibmcloud.com/vulnerabilities/39171
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11083
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7474
https://rhn.redhat.com/errata/RHSA-2010-0095.html
https://usn.ubuntu.com/558-1/