Upstream information

CVE-2017-6507 at MITRE

Description

An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic.
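The audit below is an added example, not part of the SUSE advisory or of AppArmor's own scripts: it lists loaded profiles that have no definition in the standard profile directory, which are the ones the pre-fix 'restart' logic described above would remove. The function names, the "name (mode)" input format and the sample profile names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list loaded AppArmor profiles that have no definition in the
# standard profile directory, i.e. the ones a pre-fix 'restart' would remove.

# at_risk_profiles LOADED KNOWN
#   LOADED: file in the format of /sys/kernel/security/apparmor/profiles,
#           assumed here to be one "name (mode)" entry per line.
#   KNOWN:  file with one profile name per line, as defined under
#           /etc/apparmor.d/ (how that list is produced is left to the caller).
at_risk_profiles() {
    awk '
        # First file: remember every name that has an on-disk definition.
        FILENAME == ARGV[1] { known[$0] = 1; next }
        # Second file: strip the trailing " (mode)" and report unknown names.
        {
            name = $0
            sub(/ \([a-z]+\)$/, "", name)
            if (name != "" && !(name in known)) print name
        }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# Constructed sample data; the profile names are illustrative only.
demo_at_risk() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/loaded" <<'EOF'
/usr/sbin/ntpd (enforce)
docker-default (enforce)
lxd-web_</var/lib/lxd> (enforce)
/usr/sbin/nscd (complain)
EOF
    cat > "$tmp/known" <<'EOF'
/usr/sbin/ntpd
/usr/sbin/nscd
EOF
    at_risk_profiles "$tmp/loaded" "$tmp/known"
    rm -rf "$tmp"
}

demo_at_risk
```

Any name this prints on a host running a pre-fix package belongs to a profile managed outside /etc/apparmor.d/, so the processes it confines should be rechecked after an AppArmor restart.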

SUSE information

CVSS v2 Scores

| | National Vulnerability Database | SUSE |
|---|---|---|
| Base Score | 4.30 | 4.26 |
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N | AV:L/AC:L/Au:S/C:P/I:P/A:P |
| Access Vector | Network | Local |
| Access Complexity | Medium | Low |
| Authentication | None | Single |
| Confidentiality Impact | None | Partial |
| Integrity Impact | Partial | Partial |
| Availability Impact | None | Partial |

CVSS v3 Scores

| | National Vulnerability Database |
|---|---|
| Base Score | 5.9 |
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Access Vector | Network |
| Access Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | High |
| Availability Impact | None |

This issue is currently rated as having moderate severity.

SUSE Bugzilla entry: 1029696 [RESOLVED / ]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
Openstack Cloud Magnum Orchestration 7
  • apparmor >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
Patchnames:
SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-669
SUSE Linux Enterprise Desktop 12 SP1
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • libapparmor1-32bit >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • pam_apparmor-32bit >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP1-2017-669
SUSE Linux Enterprise Desktop 12 SP2
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • libapparmor1-32bit >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • pam_apparmor-32bit >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP2-2017-669
SUSE Linux Enterprise Server 12 SP1
  • apache2-mod_apparmor >= 2.8.2-54.1
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • libapparmor1-32bit >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • pam_apparmor-32bit >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-SERVER-12-SP1-2017-669
SUSE Linux Enterprise Server 12 SP2
  • apache2-mod_apparmor >= 2.8.2-54.1
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • libapparmor1-32bit >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • pam_apparmor-32bit >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-SERVER-12-SP2-2017-669
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • apache2-mod_apparmor >= 2.8.2-54.1
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-RPI-12-SP2-2017-669
SUSE Linux Enterprise Software Development Kit 12 SP1
  • apparmor >= 2.8.2-54.1
  • libapparmor-devel >= 2.8.2-54.1
Patchnames:
SUSE-SLE-SDK-12-SP1-2017-669
SUSE Linux Enterprise Software Development Kit 12 SP2
  • apparmor >= 2.8.2-54.1
  • libapparmor-devel >= 2.8.2-54.1
Patchnames:
SUSE-SLE-SDK-12-SP2-2017-669
openSUSE Leap 42.1
  • apache2-mod_apparmor >= 2.10.2-12.1
  • apache2-mod_apparmor-debuginfo >= 2.10.2-12.1
  • apparmor >= 2.10.2-12.1
  • apparmor-abstractions >= 2.10.2-12.1
  • apparmor-debugsource >= 2.10.2-12.1
  • apparmor-docs >= 2.10.2-12.1
  • apparmor-parser >= 2.10.2-12.1
  • apparmor-parser-debuginfo >= 2.10.2-12.1
  • apparmor-parser-lang >= 2.10.2-12.1
  • apparmor-profiles >= 2.10.2-12.1
  • apparmor-utils >= 2.10.2-12.1
  • apparmor-utils-lang >= 2.10.2-12.1
  • libapparmor-devel >= 2.10.2-12.1
  • libapparmor1 >= 2.10.2-12.1
  • libapparmor1-32bit >= 2.10.2-12.1
  • libapparmor1-debuginfo >= 2.10.2-12.1
  • libapparmor1-debuginfo-32bit >= 2.10.2-12.1
  • pam_apparmor >= 2.10.2-12.1
  • pam_apparmor-32bit >= 2.10.2-12.1
  • pam_apparmor-debuginfo >= 2.10.2-12.1
  • pam_apparmor-debuginfo-32bit >= 2.10.2-12.1
  • perl-apparmor >= 2.10.2-12.1
  • perl-apparmor-debuginfo >= 2.10.2-12.1
  • python3-apparmor >= 2.10.2-12.1
  • python3-apparmor-debuginfo >= 2.10.2-12.1
  • ruby-apparmor >= 2.10.2-12.1
  • ruby-apparmor-debuginfo >= 2.10.2-12.1
Patchnames:
openSUSE-2017-452
openSUSE Leap 42.2
  • apache2-mod_apparmor >= 2.10.2-12.3.1
  • apache2-mod_apparmor-debuginfo >= 2.10.2-12.3.1
  • apparmor >= 2.10.2-12.3.1
  • apparmor-abstractions >= 2.10.2-12.3.1
  • apparmor-debugsource >= 2.10.2-12.3.1
  • apparmor-docs >= 2.10.2-12.3.1
  • apparmor-parser >= 2.10.2-12.3.1
  • apparmor-parser-debuginfo >= 2.10.2-12.3.1
  • apparmor-parser-lang >= 2.10.2-12.3.1
  • apparmor-profiles >= 2.10.2-12.3.1
  • apparmor-utils >= 2.10.2-12.3.1
  • apparmor-utils-lang >= 2.10.2-12.3.1
  • libapparmor-devel >= 2.10.2-12.3.1
  • libapparmor1 >= 2.10.2-12.3.1
  • libapparmor1-32bit >= 2.10.2-12.3.1
  • libapparmor1-debuginfo >= 2.10.2-12.3.1
  • libapparmor1-debuginfo-32bit >= 2.10.2-12.3.1
  • pam_apparmor >= 2.10.2-12.3.1
  • pam_apparmor-32bit >= 2.10.2-12.3.1
  • pam_apparmor-debuginfo >= 2.10.2-12.3.1
  • pam_apparmor-debuginfo-32bit >= 2.10.2-12.3.1
  • perl-apparmor >= 2.10.2-12.3.1
  • perl-apparmor-debuginfo >= 2.10.2-12.3.1
  • python3-apparmor >= 2.10.2-12.3.1
  • python3-apparmor-debuginfo >= 2.10.2-12.3.1
  • ruby-apparmor >= 2.10.2-12.3.1
  • ruby-apparmor-debuginfo >= 2.10.2-12.3.1
Patchnames:
openSUSE-2017-452


List of planned updates

The following information is the current evaluation information for this security issue. It might be neither accurate nor complete. Use at your own risk.
Product(s) Source package
  • SUSE Linux Enterprise Server 12 GA
  • SUSE Linux Enterprise Server for SAP 12 GA
apparmor