El-errata: New Ksplice updates for Oracle Enhanced RHCK 7 (ELBA-2020-1016-1)
Synopsis: ELBA-2020-1016-1 can now be patched using Ksplice
CVEs:
CVE-2015-9289 CVE-2017-17807 CVE-2018-19985 CVE-2018-20169 CVE-2018-7191
CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-11190 CVE-2019-11884
CVE-2019-12382 CVE-2019-13233 CVE-2019-14283 CVE-2019-15916 CVE-2019-16746
CVE-2019-3901 CVE-2019-9503
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2020-1016-1.
More information about this erratum can be found at
https://linux.oracle.com/errata/ELBA-2020-1016-1.html
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
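The following POSIX shell script is an added example and is not part of the Oracle advisory or of the Ksplice tooling. It automates the decision the two paragraphs above leave to the administrator: read the "autoinstall" setting from /etc/uptrack/uptrack.conf and run "/usr/sbin/uptrack-upgrade -y" only when autoinstall is not enabled. The file path, the "autoinstall = yes" form and the upgrade command come from the advisory; the parsing rules (comment lines, whitespace around "=", case-insensitive values, last occurrence wins) and the DRY_RUN variable are assumptions made here, not documented uptrack behaviour.

```shell
#!/bin/sh
# Added example, not Oracle's code: decide whether a host still needs a manual
# "uptrack-upgrade -y" by reading the autoinstall setting the advisory refers to.
# Assumptions (not from the advisory): comment lines start with '#' or ';',
# spaces around '=' are allowed, values are case-insensitive, and a repeated key
# takes its last value.

# Print the value of "autoinstall" from a uptrack.conf-style file (lower-cased),
# or nothing if the key is absent.  Returns 1 if the file cannot be read.
uptrack_autoinstall_value() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -n \
        -e '/^[[:space:]]*[#;]/d' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z'
}

# Return 0 when autoinstall is on (the advisory's "autoinstall = yes" case),
# 1 otherwise (key missing, "no", or unreadable file).
uptrack_autoinstall_enabled() {
    case "$(uptrack_autoinstall_value "$1")" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Apply pending Ksplice updates unless autoinstall will do it for us.
# $1 is the config path (defaults to the advisory's /etc/uptrack/uptrack.conf).
# When DRY_RUN=1 (assumed helper variable) the command is printed, not run,
# so the logic can be exercised on a host without uptrack installed.
apply_ksplice_updates() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall is enabled in $conf; updates will be installed automatically"
        return 0
    fi
    echo "autoinstall is not enabled in $conf; applying updates now"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ /usr/sbin/uptrack-upgrade -y"
    else
        /usr/sbin/uptrack-upgrade -y
    fi
}

# Usage: apply_ksplice_updates            (real run, as root)
#        DRY_RUN=1 apply_ksplice_updates  (show what would be run)
```

Run it as root on a host with Ksplice Uptrack installed; on a workstation, set DRY_RUN=1 and point it at a copy of the config to check the parsing before rolling it out.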
DESCRIPTION
* CVE-2015-9289: Privilege escalation in DVB frontend.
Missing user input validation could allow a local user with access to
the device to trigger buffer overflows when reading or writing data.
This out of bounds access could result in a kernel crash or potentially
escalate privileges.
Orabug: 30254282
* CVE-2017-17807: Permissions bypass when requesting key on default keyring.
When calling request_key() with no keyring specified, the requested key
is generated and added to the keyring even if the user does not have
write permissions.
* CVE-2018-7191: Denial-of-service in network tunnel TUNSETIFF ioctl().
Missing error checking when setting a network tunnel device interface
could result in a NULL pointer dereference when passed a malformed
interface name. A local user with privileges to create TUN devices
could use this flaw to crash the system.
* CVE-2018-19985, CVE-2018-20169: Missing bounds check when reading extra USB descriptors.
A failure to properly check the minimum and maximum size of an extra USB
descriptor in the USB sub-system could lead to reading or writing past
memory bounds. An attacker with the ability to send specially crafted
extra descriptors from a USB device could use this flaw to escalate
privileges or cause a denial-of-service.
* CVE-2019-3901: Privilege escalation when opening performance events.
A race condition between perf_event_open and execve can allow an
unprivileged user to trace a privileged process, potentially allowing an
unprivileged user to escalate privileges.
* CVE-2019-9503: Denial-of-service when receiving firmware event frames over a Broadcom WLAN USB dongle.
A failure to validate firmware event frames received over a Broadcom
WLAN USB dongle could let a remote attacker cause a denial-of-service.
* CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
A missing check in some Bluetooth drivers could lead to a NULL pointer
dereference triggered by an unprivileged user performing certain tty
operations. A local attacker could use this flaw to cause a denial of
service.
* CVE-2019-11884: Information leak in Bluetooth HIDP HIDPCONNADD ioctl().
Missing string termination in the Bluetooth HIDP HIDPCONNADD ioctl()
could result in leaking the contents of the kernel stack to a local
user.
* CVE-2019-12382: Denial-of-service in DRM firmware loading.
Incorrect error handling could result in a NULL pointer dereference and
crash when loading firmware under low memory conditions.
* CVE-2019-13233: Use-after-free when accessing an LDT entry.
A locking error while accessing an LDT entry could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.
Missing input validation in the floppy disk geometry setting calls could
allow a malicious local user with access to the floppy device to cause
an out-of-bounds access either crashing the system or leaking the
contents of kernel memory.
* CVE-2019-15916: Denial-of-service in network device registration.
Resources were not freed when registering the kobject for a net device
failed, leading to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.
* Note: Oracle will not be providing a zero downtime update for CVE-2019-10638.
CVE-2019-10638 is a flaw in the IP ID generation code that could allow a
remote user to track remote Linux devices.
* Note: Oracle will not be providing a zero downtime update for CVE-2019-10639.
CVE-2019-10639 could allow a remote user to derive the value of the IP ID
field and thus partially defeat kernel address space layout randomization.
* CVE-2019-11190: Information leak using a setuid program and accessing process stats.
Late setup of credentials when running a setuid program could let a local
attacker read the program's /proc/<pid>/stat entry before the new
credentials take effect and obtain information that should have been
restricted to the privileged process.
* CVE-2019-16746: Potential buffer overflow when processing IEEE80211 beacon head.
A failure to validate the beacon frame header along with other beacon
frame attributes can lead to malformed data eventually being processed.
This can potentially be exploited by a remote attacker to cause a buffer
overflow, which can be leveraged to perform other types of attacks.
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.
New Ksplice updates have been released for Oracle Enhanced RHCK 7.