
The following updates have been released for Oracle Linux:

New Ksplice updates for Oracle Enhanced RHCK 7 (ELSA-2018-2384)
New Ksplice updates for RHCK 7 (RHSA-2018:2384)
New Ksplice updates for RHCK 7 (RHSA-2018:2748)



New Ksplice updates for Oracle Enhanced RHCK 7 (ELSA-2018-2384)

Synopsis: ELSA-2018-2384 can now be patched using Ksplice
CVEs: CVE-2017-13215 CVE-2018-10675 CVE-2018-14634 CVE-2018-3620 CVE-2018-3646 CVE-2018-5390 CVE-2018-7566

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-2384.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION


* CVE-2017-13215: Privilege escalation in skcipher.

Improper data synchronization when communicating with the kernel
skcipher subsystem might allow a malicious user to escalate privileges
with specially crafted input.


* CVE-2018-7566: Denial-of-service when initializing ALSA sequence pool.

A race condition when initializing the ALSA sequence pool leads to a
use-after-free and out-of-bounds memory access. An attacker can exploit
this to cause denial-of-service.


* CVE-2018-10675: Use-after-free in get_mempolicy due to incorrect reference counting.

A reference count error in the get_mempolicy ioctl implementation can
result in a use-after-free. A local user could use this flaw to
escalate privileges.


* CVE-2018-5390: Denial-of-service when receiving misordered TCP packets.

A malicious remote user can send large numbers of out-of-order TCP
packets, causing the local server to waste time processing its local
data structures and resulting in an effective denial-of-service.


* CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.

A flaw in terminal fault handling on Intel CPUs could result in
information leaks across privilege boundaries including between
processes on a system or between virtual machines.

Mitigations for these CVEs include disabling SMT (HyperThreading) on
affected Intel CPUs and extra L1 data cache flushing when running
virtual machines when EPT is supported. Both of these mitigations have
workload-dependent performance implications and can be tuned by the
administrator. This update will immediately enable L1 data cache
flushes on Intel CPUs if KVM is in use. Where untrusted guests are in
use, it is recommended to disable SMT.

SMT disable:

/sys/devices/system/cpu/smt/control: write "on" to enable SMT, "off" to
disable SMT. Default: on.

L1D flushing:

/sys/module/kvm_intel/parameters/vmentry_l1d_flush, write:
- "never": disable L1D flushing, leaving CVE-2018-3620 unmitigated but
with no noticeable performance impact
- "cond": flush only in high risk transfers, mitigates CVE-2018-3620
with the minimum number of flushes
- "always": flush on every VM entry, fully mitigates CVE-2018-3620
with the most overhead.
Default: "always"


NOTE

The recently released ELSA-2018-2384 contains a fix for CVE-2018-5390
(Segment Smack) that Oracle will not be patching via Ksplice. Users who
require the additional patching of this vulnerability are advised to
reboot into 3.10.0-862.11.6 or later.


SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.


New Ksplice updates for RHCK 7 (RHSA-2018:2384)

Synopsis: RHSA-2018:2384 can now be patched using Ksplice
CVEs: CVE-2017-13215 CVE-2018-10675 CVE-2018-14634 CVE-2018-3620 CVE-2018-3646 CVE-2018-5390 CVE-2018-7566

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle kernel update, RHSA-2018:2384.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-13215: Privilege escalation in skcipher.

Improper data synchronization when communicating with the kernel
skcipher subsystem might allow a malicious user to escalate privileges
with specially crafted input.


* CVE-2018-7566: Denial-of-service when initializing ALSA sequence pool.

A race condition when initializing the ALSA sequence pool leads to a
use-after-free and out-of-bounds memory access. An attacker can exploit
this to cause denial-of-service.


* CVE-2018-10675: Use-after-free in get_mempolicy due to incorrect reference counting.

A reference count error in the get_mempolicy ioctl implementation can
result in a use-after-free. A local user could use this flaw to
escalate privileges.


* CVE-2018-5390: Denial-of-service when receiving misordered TCP packets.

A malicious remote user can send large numbers of out-of-order TCP
packets, causing the local server to waste time processing its local
data structures and resulting in an effective denial-of-service.


* CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.

A flaw in terminal fault handling on Intel CPUs could result in
information leaks across privilege boundaries including between
processes on a system or between virtual machines.

Mitigations for these CVEs include disabling SMT (HyperThreading) on
affected Intel CPUs and extra L1 data cache flushing when running
virtual machines when EPT is supported. Both of these mitigations have
workload-dependent performance implications and can be tuned by the
administrator. This update will immediately enable L1 data cache
flushes on Intel CPUs if KVM is in use. Where untrusted guests are in
use, it is recommended to disable SMT.

SMT disable:

/sys/devices/system/cpu/smt/control: write "on" to enable SMT, "off" to
disable SMT. Default: on.

L1D flushing:

/sys/module/kvm_intel/parameters/vmentry_l1d_flush, write:
- "never": disable L1D flushing, leaving CVE-2018-3620 unmitigated but
with no noticeable performance impact
- "cond": flush only in high risk transfers, mitigates CVE-2018-3620
with the minimum number of flushes
- "always": flush on every VM entry, fully mitigates CVE-2018-3620
with the most overhead.
Default: "always"
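
The SMT and L1D flushing settings listed here, and identically in the
ELSA-2018-2384 section above, can be audited with a short script. This
is an added example, not part of Oracle's advisory; the function name
l1tf_audit, its ROOT prefix argument and its trusted/untrusted argument
are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit the two L1TF settings named above.
# The ROOT prefix and the trusted/untrusted argument are assumptions of this
# example; ROOT lets the check run against a constructed copy of the sysfs files.

# l1tf_audit [ROOT] [trusted|untrusted]
# Prints one finding per line; returns 0 when the settings match the
# advisory's guidance and 1 when they do not.
l1tf_audit() {
    root=${1:-}
    guests=${2:-untrusted}
    smt_file="$root/sys/devices/system/cpu/smt/control"
    l1d_file="$root/sys/module/kvm_intel/parameters/vmentry_l1d_flush"
    rc=0

    # The flush parameter only exists while the kvm_intel module is loaded.
    if [ ! -r "$l1d_file" ]; then
        echo "INFO kvm_intel parameter not present (module not loaded)"
        return 0
    fi

    l1d=$(cat "$l1d_file")
    case "$l1d" in
        never)       echo "FAIL vmentry_l1d_flush=never: L1D is not flushed"; rc=1 ;;
        cond|always) echo "OK   vmentry_l1d_flush=$l1d" ;;
        *)           echo "INFO vmentry_l1d_flush=$l1d (not a value listed above)" ;;
    esac

    # The advisory recommends SMT off only where untrusted guests are in use.
    if [ "$guests" = "untrusted" ]; then
        if [ -r "$smt_file" ]; then smt=$(cat "$smt_file"); else smt=unreadable; fi
        case "$smt" in
            on|unreadable) echo "FAIL smt/control=$smt with untrusted guests"; rc=1 ;;
            *)             echo "OK   smt/control=$smt" ;;
        esac
    fi
    return "$rc"
}

# Audit the live system only when asked to: sh l1tf_audit.sh --live untrusted
if [ "${1:-}" = "--live" ]; then
    l1tf_audit "" "${2:-untrusted}"
fi
```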


NOTE

The recently released RHSA-2018:2384 contains a fix for CVE-2018-5390
(Segment Smack) that Oracle will not be patching via Ksplice. Users who
require the additional patching of this vulnerability are advised to
reboot into 3.10.0-862.11.6 or later.


SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.


New Ksplice updates for RHCK 7 (RHSA-2018:2748)

Synopsis: RHSA-2018:2748 can now be patched using Ksplice
CVEs: CVE-2018-14634

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle kernel update, RHSA-2018:2748.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2018-14634: Privilege escalation in ELF executables.

An integer overflow in the argument setup for a new ELF executable could
result in attacker controlled corruption of the user stack when
executing a SUID binary. A local, unprivileged user could use this flaw
to gain superuser privileges.


* Microcode update failure with SMT disabled.

Disabling SMT at runtime would disable late microcode updates,
preventing the loading of new microcode, which may include security
fixes.

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.