A flaw was found in the nft_flush_table function in the Linux kernel's netfilter tables (nf_tables) implementation. The kernel would panic if it was asked to flush rules that referenced chains which had already been deleted. A local attacker with the CAP_NET_ADMIN capability could use this to panic the system (denial of service) if they were able to flush an affected chain. Containers running as root under Docker are not granted this capability by default; systems running privileged containers (started with docker run --privileged ...) expose the host kernel to this condition and allow the defect to be exploited from inside the container.
Upstream commit fixing the problem: http://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=a2f18db0c68fec96631c10cad9384c196e9008ac
CVE request: http://seclists.org/oss-sec/2015/q1/501
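Because the precondition stated above is CAP_NET_ADMIN rather than uid 0, a practical check is whether the process (or a container's init) actually holds that capability. The following POSIX shell script is an added example, not part of the Red Hat advisory: it reads the CapEff mask from /proc/<pid>/status, tests bit 12 (CAP_NET_ADMIN, per linux/capability.h), and reports whether the process could reach the nft_flush_table code path. The two sample masks (a typical Docker default set and a full root set) are constructed values for the self-check; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat advisory): report whether a process
# holds CAP_NET_ADMIN, the capability required to flush nf_tables rules and
# therefore to trigger the nft_flush_table panic described above.

CAP_NET_ADMIN_BIT=12   # bit number from include/uapi/linux/capability.h

# has_cap MASK BIT -> exit 0 if BIT is set in the hex capability MASK
# (MASK uses the same format as the CapEff line in /proc/<pid>/status).
has_cap() {
    mask="$1"
    bit="$2"
    [ $(( ( 0x$mask >> $bit ) & 1 )) -eq 1 ]
}

# effective_cap_mask [PID] -> print the CapEff hex mask of PID (default: self)
effective_cap_mask() {
    pid="${1:-self}"
    awk '/^CapEff:/ { print $2 }' "/proc/$pid/status"
}

# nft_flush_exposure MASK -> print "exposed" if MASK grants CAP_NET_ADMIN
# (the process could flush an affected chain), else "not-exposed".
# Exit status is 0 for exposed, 1 for not-exposed.
nft_flush_exposure() {
    if has_cap "$1" "$CAP_NET_ADMIN_BIT"; then
        echo exposed
        return 0
    fi
    echo not-exposed
    return 1
}

# Constructed sample masks for a self-check (hypothetical values, not read
# from any real system): Docker's default root-in-container set lacks
# CAP_NET_ADMIN; --privileged or host root has every capability.
DOCKER_DEFAULT_MASK=00000000a80425fb
PRIVILEGED_MASK=0000003fffffffff

echo "docker default set: $(nft_flush_exposure "$DOCKER_DEFAULT_MASK")"
echo "privileged set:     $(nft_flush_exposure "$PRIVILEGED_MASK")"

# On a Linux host, also report the calling process itself.
if [ -r /proc/self/status ]; then
    self_mask=$(effective_cap_mask)
    echo "this process ($self_mask): $(nft_flush_exposure "$self_mask")"
fi
```

Run it inside the container in question (for example as the container's entrypoint, or via `docker exec`) to see whether the capability is present there; a result of "not-exposed" means the container cannot issue the flush even though it runs as root.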
Statement: This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and 6, as they do not include support for the netfilter tables API. This issue affects the versions of the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and MRG 2. Future kernel updates for the respective releases may address this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1139 https://rhn.redhat.com/errata/RHSA-2015-1139.html
This issue has been addressed in the following products: MRG for RHEL-6 v.2 Via RHSA-2015:1138 https://rhn.redhat.com/errata/RHSA-2015-1138.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1137 https://rhn.redhat.com/errata/RHSA-2015-1137.html