Upstream information

CVE-2011-2189 at MITRE


net/core/net_namespace.c in the Linux kernel 2.6.32 and earlier does not properly handle a high rate of creation and cleanup of network namespaces, which makes it easier for remote attackers to cause a denial of service (memory consumption) via requests to a daemon that requires a separate namespace per connection, as demonstrated by vsftpd.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores (National Vulnerability Database)

Base Score: 7.8
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

Note from the SUSE Security Team

This issue does not affect SUSE Linux Enterprise versions before 11, as they did not have network namespace support in the kernel. SUSE Linux Enterprise 11 SP1 has network namespace support in the kernel, but no network namespace support in its vsftpd, so SUSE Linux Enterprise 11 SP1 is not affected by this particular problem. SUSE Linux Enterprise 11 SP2 and later have enhanced network namespace memory reclaim in the kernel and are also not affected by this issue.

SUSE Bugzilla entry: 698449 [RESOLVED / UPSTREAM]

No SUSE Security Announcements cross referenced.