Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2015-2877

Date: March 3, 2017

Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities

Severity Score

Related Resources (12)

https://security-tracker.debian.org/tracker/CVE-2015-2877
https://nvd.nist.gov/vuln/detail/CVE-2015-2877
http://www.antoniobarresi.com/files/cain_advisory.txt
https://www.kb.cert.org/vuls/id/BGAR-A2CNKG
https://www.kb.cert.org/vuls/id/BLUU-9ZAHZH
http://www.securityfocus.com/bid/76256
http://www.kb.cert.org/vuls/id/935424
https://access.redhat.com/security/cve/CVE-2015-2877
https://people.canonical.com/~ubuntu-security/cve/CVE-2015-2877
https://bugzilla.redhat.com/show_bug.cgi?id=1252096
https://www.usenix.org/system/files/conference/woot15/woot15-paper-barresi.pdf
https://www.mend.io/vulnerability-database/CVE-2015-2877

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

CVSS v3

Base Score:
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV):
Access Complexity (AC):
Authentication (AU):
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): LOW
Additional information:

Do you need more information?

Contact Us