A buffer overflow flaw was found in the way grub2 checked the password entered by the user during bootup. A local attacker could use this flaw to circumvent the password check and, potentially, execute arbitrary code on the system.
Created attachment 1100986: Upstream fix. Here's the fix.
Created grub2 tracking bugs for this issue: Affects: fedora-all [bug 1290417]
This flaw has been presented at the CCN-CERT conference by the UPV security team: https://twitter.com/lostinsecurity/status/674925944524640257
This issue has been addressed in the following products: Red Hat Enterprise Linux 7, via RHSA-2015:2623: https://rhn.redhat.com/errata/RHSA-2015-2623.html
Detailed write-up from the original reporters. External References: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
Upstream commit: http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2
Hello, while doing a review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE-2015-8370. The CVE page https://access.redhat.com/security/cve/cve-2015-8370 does not list RHEL 8 at all, but RHEL 8 ships grub2 2.02 (specifically, in RHEL 8.6 it is 2.02-123.el8). I assume we still carry the patch in RHEL 8, so the vulnerability is mitigated there, but shouldn't the CVE page mention RHEL 8 as well? Thank you, Jan
In reply to comment #12:
> I assume we still carry the patch in RHEL 8 so the vulnerability is
> mitigated there but shouldn't the CVE page mention RHEL 8 as well?

I've added an entry for rhel-8, but note that this CVE is from 2015, that is, before rhel-8 even existed. We can't anticipate future releases; the general rule is to not release major versions with known CVEs, so any future major version should include the fix regardless of being mentioned on CVE pages or not.