Upstream information

CVE-2017-6507 at MITRE

Description

An issue was discovered in AppArmor before 2.12. Incorrect handling of unknown AppArmor profiles in AppArmor init scripts, upstart jobs, and/or systemd unit files allows an attacker to possibly have increased attack surfaces of processes that were intended to be confined by AppArmor. This is due to the common logic to handle 'restart' operations removing AppArmor profiles that aren't found in the typical filesystem locations, such as /etc/apparmor.d/. Userspace projects that manage their own AppArmor profiles in atypical directories, such as what's done by LXD and Docker, are affected by this flaw in the AppArmor init script logic.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores

| | National Vulnerability Database | SUSE |
|---|---|---|
| Base Score | 4.3 | 4.3 |
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N | AV:L/AC:L/Au:S/C:P/I:P/A:P |
| Access Vector | Network | Local |
| Access Complexity | Medium | Low |
| Authentication | None | Single |
| Confidentiality Impact | None | Partial |
| Integrity Impact | Partial | Partial |
| Availability Impact | None | Partial |

CVSS v3 Scores

| | National Vulnerability Database |
|---|---|
| Base Score | 5.9 |
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Access Vector | Network |
| Access Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | High |
| Availability Impact | None |

SUSE Bugzilla entry: 1029696 [RESOLVED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
OpenStack Cloud Magnum Orchestration 7
  • apparmor >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
Patchnames:
SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-669
SUSE Linux Enterprise Desktop 12 SP1
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • libapparmor1-32bit >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • pam_apparmor-32bit >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP1-2017-669
SUSE Linux Enterprise Desktop 12 SP2
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • libapparmor1-32bit >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • pam_apparmor-32bit >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP2-2017-669
SUSE Linux Enterprise Desktop 12 SP3
  • apparmor-docs >= 2.8.2-49.21
  • apparmor-parser >= 2.8.2-49.21
  • apparmor-profiles >= 2.8.2-49.21
  • apparmor-utils >= 2.8.2-49.21
  • libapparmor1 >= 2.8.2-49.21
  • libapparmor1-32bit >= 2.8.2-49.21
  • pam_apparmor >= 2.8.2-49.21
  • pam_apparmor-32bit >= 2.8.2-49.21
  • perl-apparmor >= 2.8.2-49.21
Patchnames:
SUSE Linux Enterprise Desktop 12 SP3 GA apparmor-docs
SUSE Linux Enterprise Module for Containers 12
  • sles12-docker-image >= 1.1.4-20171002
  • sles12sp1-docker-image >= 1.0.7-20171002
  • sles12sp2-docker-image >= 1.0.2-20171006
Patchnames:
SUSE-SLE-Module-Containers-12-2017-1672
SUSE-SLE-Module-Containers-12-2017-1673
SUSE-SLE-Module-Containers-12-2017-1674
SUSE Linux Enterprise Server 12 SP1
  • apache2-mod_apparmor >= 2.8.2-54.1
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • libapparmor1-32bit >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • pam_apparmor-32bit >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-SERVER-12-SP1-2017-669
SUSE Linux Enterprise Server 12 SP2
  • apache2-mod_apparmor >= 2.8.2-54.1
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • libapparmor1-32bit >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • pam_apparmor-32bit >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-SERVER-12-SP2-2017-669
SUSE Linux Enterprise Server 12 SP3
  • apache2-mod_apparmor >= 2.8.2-49.21
  • apparmor-docs >= 2.8.2-49.21
  • apparmor-parser >= 2.8.2-49.21
  • apparmor-profiles >= 2.8.2-49.21
  • apparmor-utils >= 2.8.2-49.21
  • libapparmor1 >= 2.8.2-49.21
  • libapparmor1-32bit >= 2.8.2-49.21
  • pam_apparmor >= 2.8.2-49.21
  • pam_apparmor-32bit >= 2.8.2-49.21
  • perl-apparmor >= 2.8.2-49.21
Patchnames:
SUSE Linux Enterprise Server 12 SP3 GA apache2-mod_apparmor
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • apache2-mod_apparmor >= 2.8.2-54.1
  • apparmor >= 2.8.2-54.1
  • apparmor-docs >= 2.8.2-54.1
  • apparmor-parser >= 2.8.2-54.1
  • apparmor-profiles >= 2.8.2-54.1
  • apparmor-utils >= 2.8.2-54.1
  • libapparmor1 >= 2.8.2-54.1
  • pam_apparmor >= 2.8.2-54.1
  • perl-apparmor >= 2.8.2-54.1
Patchnames:
SUSE-SLE-RPI-12-SP2-2017-669
SUSE Linux Enterprise Software Development Kit 12 SP1
  • apparmor >= 2.8.2-54.1
  • libapparmor-devel >= 2.8.2-54.1
Patchnames:
SUSE-SLE-SDK-12-SP1-2017-669
SUSE Linux Enterprise Software Development Kit 12 SP2
  • apparmor >= 2.8.2-54.1
  • libapparmor-devel >= 2.8.2-54.1
Patchnames:
SUSE-SLE-SDK-12-SP2-2017-669
SUSE Linux Enterprise Software Development Kit 12 SP3
  • libapparmor-devel >= 2.8.2-49.21
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 SP3 GA libapparmor-devel
openSUSE Leap 42.1
  • apache2-mod_apparmor >= 2.10.2-12.1
  • apache2-mod_apparmor-debuginfo >= 2.10.2-12.1
  • apparmor >= 2.10.2-12.1
  • apparmor-abstractions >= 2.10.2-12.1
  • apparmor-debugsource >= 2.10.2-12.1
  • apparmor-docs >= 2.10.2-12.1
  • apparmor-parser >= 2.10.2-12.1
  • apparmor-parser-debuginfo >= 2.10.2-12.1
  • apparmor-parser-lang >= 2.10.2-12.1
  • apparmor-profiles >= 2.10.2-12.1
  • apparmor-utils >= 2.10.2-12.1
  • apparmor-utils-lang >= 2.10.2-12.1
  • libapparmor-devel >= 2.10.2-12.1
  • libapparmor1 >= 2.10.2-12.1
  • libapparmor1-32bit >= 2.10.2-12.1
  • libapparmor1-debuginfo >= 2.10.2-12.1
  • libapparmor1-debuginfo-32bit >= 2.10.2-12.1
  • pam_apparmor >= 2.10.2-12.1
  • pam_apparmor-32bit >= 2.10.2-12.1
  • pam_apparmor-debuginfo >= 2.10.2-12.1
  • pam_apparmor-debuginfo-32bit >= 2.10.2-12.1
  • perl-apparmor >= 2.10.2-12.1
  • perl-apparmor-debuginfo >= 2.10.2-12.1
  • python3-apparmor >= 2.10.2-12.1
  • python3-apparmor-debuginfo >= 2.10.2-12.1
  • ruby-apparmor >= 2.10.2-12.1
  • ruby-apparmor-debuginfo >= 2.10.2-12.1
Patchnames:
openSUSE-2017-452
openSUSE Leap 42.2
  • apache2-mod_apparmor >= 2.10.2-12.3.1
  • apache2-mod_apparmor-debuginfo >= 2.10.2-12.3.1
  • apparmor >= 2.10.2-12.3.1
  • apparmor-abstractions >= 2.10.2-12.3.1
  • apparmor-debugsource >= 2.10.2-12.3.1
  • apparmor-docs >= 2.10.2-12.3.1
  • apparmor-parser >= 2.10.2-12.3.1
  • apparmor-parser-debuginfo >= 2.10.2-12.3.1
  • apparmor-parser-lang >= 2.10.2-12.3.1
  • apparmor-profiles >= 2.10.2-12.3.1
  • apparmor-utils >= 2.10.2-12.3.1
  • apparmor-utils-lang >= 2.10.2-12.3.1
  • libapparmor-devel >= 2.10.2-12.3.1
  • libapparmor1 >= 2.10.2-12.3.1
  • libapparmor1-32bit >= 2.10.2-12.3.1
  • libapparmor1-debuginfo >= 2.10.2-12.3.1
  • libapparmor1-debuginfo-32bit >= 2.10.2-12.3.1
  • pam_apparmor >= 2.10.2-12.3.1
  • pam_apparmor-32bit >= 2.10.2-12.3.1
  • pam_apparmor-debuginfo >= 2.10.2-12.3.1
  • pam_apparmor-debuginfo-32bit >= 2.10.2-12.3.1
  • perl-apparmor >= 2.10.2-12.3.1
  • perl-apparmor-debuginfo >= 2.10.2-12.3.1
  • python3-apparmor >= 2.10.2-12.3.1
  • python3-apparmor-debuginfo >= 2.10.2-12.3.1
  • ruby-apparmor >= 2.10.2-12.3.1
  • ruby-apparmor-debuginfo >= 2.10.2-12.3.1
Patchnames:
openSUSE-2017-452
openSUSE Leap 42.3
  • apparmor-abstractions >= 2.10.2-14.19
  • apparmor-docs >= 2.10.2-14.19
  • apparmor-parser >= 2.10.2-14.19
  • apparmor-profiles >= 2.10.2-14.19
  • apparmor-utils >= 2.10.2-14.19
  • libapparmor-devel >= 2.10.2-14.19
  • libapparmor1 >= 2.10.2-14.19
  • libapparmor1-32bit >= 2.10.2-14.19
  • pam_apparmor >= 2.10.2-14.19
  • pam_apparmor-32bit >= 2.10.2-14.19
  • perl-apparmor >= 2.10.2-14.19
  • python3-apparmor >= 2.10.2-14.19
Patchnames:
openSUSE Leap 42.3 GA apparmor-abstractions


Status of this issue by product and package

| Product(s) | Source package | State |
|---|---|---|
| OpenStack Cloud Magnum Orchestration 7.0 | apparmor | Released |
| SUSE Linux Enterprise Desktop 12 SP1 | apparmor | Released |
| SUSE Linux Enterprise Desktop 12 SP2 | apparmor | Released |
| SUSE Linux Enterprise SDK 11 SP4 | apparmor | Not affected |
| SUSE Linux Enterprise SDK 12 SP1 | apparmor | Released |
| SUSE Linux Enterprise SDK 12 SP2 | apparmor | Released |
| SUSE Linux Enterprise Server 11 SP3 LTSS | apparmor | Not affected |
| SUSE Linux Enterprise Server 11 SP4 | apparmor | Not affected |
| SUSE Linux Enterprise Server 12 GA LTSS | apparmor | Affected |
| SUSE Linux Enterprise Server 12 SP1 | apparmor | Released |
| SUSE Linux Enterprise Server 12 SP2 | apparmor | Released |
| SUSE Linux Enterprise Server 12 SP2 for Raspberry PI | apparmor | Released |