New Ksplice updates for RHCK 8 (ELSA-2023-2951)
Synopsis: ELSA-2023-2951 can now be patched using Ksplice
CVEs: CVE-2021-26341 CVE-2021-33655 CVE-2021-33656 CVE-2022-1462 CVE-2022-1679 CVE-2022-1789 CVE-2022-20141 CVE-2022-2196 CVE-2022-25265 CVE-2022-2663 CVE-2022-3028 CVE-2022-30594 CVE-2022-3239 CVE-2022-3522 CVE-2022-3524 CVE-2022-3564 CVE-2022-3566 CVE-2022-3567 CVE-2022-3619 CVE-2022-3623 CVE-2022-3625 CVE-2022-3628 CVE-2022-3707 CVE-2022-39188 CVE-2022-39189 CVE-2022-41218 CVE-2022-4129 CVE-2022-41674 CVE-2022-42703 CVE-2022-42720 CVE-2022-42721 CVE-2022-42722 CVE-2022-43750 CVE-2022-47929 CVE-2023-0394 CVE-2023-0461 CVE-2023-1195 CVE-2023-1582 CVE-2023-23454
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2023-2951.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2023-2951.html
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running RHCK 8 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2022-30594: Privilege escalation in Process Trace.
Lack of validation of the ptrace flags when seizing a process through
ptrace could be used to disable a seccomp jail. A local, unprivileged
user could use this flaw to evade a seccomp jail and elevate their
privileges.
* CVE-2022-1679: Use-after-free in Atheros ath9k wireless device driver.
Improper handling of some error conditions in Atheros ath9k wireless
device driver could lead to a use-after-free. A local user could use
this flaw to cause a denial of service or execute arbitrary code.
* CVE-2022-3028: Out-of-bounds memory access in IP framework XFRM subsystem.
A race condition can occur when multiple calls to the same function
in the IP framework can lead to a race condition, and subsequent
out-of-bounds memory accesses. A local attacker could exploit this flaw
to leak kernel memory, or make arbitrary writes to kernel memory.
* Improved fix for CVE-2022-2663: Firewall bypass in IRC connection tracking.
An issue in nf_conntrack_irc in unencrypted IRC protocol message
handling could result in messages being incorrectly matched by the
firewall. A remote user could use this flaw to bypass local firewall
rules.
* CVE-2022-3239: Use-after-free when probing Empia 28xx based TV cards.
Lack of intialization of a reference counter before using leads to a
use-after-free. A local user with the ability to plug such cards on the
host physical machine could use this flaw to potentially escalate their
privileges.
* CVE-2021-33655: Privilege escalation when setting font or screen size.
A missing check when setting screen size or font could lead to an
out-of-bounds memory access. A local attacker could use this flaw to
cause a denial-of-service or escalate privileges.
* CVE-2021-33656: Out-of-bounds write access in Virtual Terminal.
A flaw in ioctls of Virtual Terminal could result in out-of-bounds write
access when setting font with malicious data by some ioctl commands.
A local user could use this flaw for a denial-of-service or code
execution.
* CVE-2022-3628: Code execution in Broadcom FullMAC USB WiFi driver.
A missing sanity check when setting up the Broadcom FullMAC USB WiFi
driver could result in out-of-bounds access. A physically proximate
user could use this flaw to craft a malicious USB device and cause
a denial-of-service or execute arbitrary code.
* CVE-2022-1789: Denial-of-service in Kernel-based Virtual Machine.
A flaw in handling guest TLB mapping invalidation requests of
Kernel-based Virtual Machine could result in a NULL pointer dereference.
A local use could use this flaw for a denial-of-service.
* CVE-2022-41218: Use-after-free in dvb-core device release path.
Improper locking during device release operations can lead to a
use-after-free error in the dvb-core driver. This bug could be
exploited by a malicious local attack to cause a denial-of-service or to
escalate privileges.
* CVE-2022-4129: Denial-of-service in Layer 2 Tunneling Protocol (L2TP).
Incorrect locking in the Layer 2 Tunneling Protocol (L2TP) can lead to a race
condition and NULL pointer dereference. A local user could use this to crash the
system leading to denial-of-service.
* CVE-2023-0394: NULL dereference during IPv6 raw frame processing.
An arithmetic error when processing certain IPv6 header information can
lead to a NULL pointer dereference. A malicious local user could
exploit this flaw to cause a denial-of-service.
* CVE-2022-3564: Use-after-free in Bluetooth L2CAP.
A race condition in Bluetooth L2CAP when a socket buffer is queued and
dequeued by two flows running in parallel can lead to a use-after-free.
A remote attacker could use this flaw for a denial-of-service or
for privilege escalation.
* CVE-2022-41674: Privilege escalation in cfg80211 subsystem.
An incorrect input validation in cfg80211 subsystem can lead to a
buffer overflow error. A local attacker able to inject WLAN frames
could use this flaw to escalate privileges.
* CVE-2022-42720: Privilege escalation in cfg80211 subsystem.
Improper reference counting in cfg80211 subsystem can lead to a use
after free error. A local attacker able to inject WLAN frames
could use this flaw to escalate privileges.
* CVE-2022-42721: Denial of service in cfg80211 subsystem.
A missing check in cfg80211 subsystem can lead to internal data
structures corruption of the kernel. A local attacker able to inject
WLAN frames could use this flaw to cause denial of service.
* CVE-2022-42722: Denial of service in beacon protection for P2P-device.
A missing check in mac80211 subsystem can lead to a null pointer
dereference error. A local attacker able to inject WLAN frames could
use this flaw to cause denial of service.
* CVE-2022-3619: Denial-of-Service in Bluetooth L2CAP.
Improperly released resources in Bluetooth L2CAP when handling
fragmented frames could result in a memory leak. A remote user could
use this flaw to exhaust the kernel memory and cause a
denial-of-service.
* CVE-2022-43750: Use-after-free in USB monitor.
Incorrect permission flags set on userspace memory mappings in usbmon
could lead to a use-after-free. A local attacker could use this flaw for
a denial-of-service or escalate privileges.
* CVE-2023-23454: Denial-of-service in CBQ packet scheduling.
When dropping a packet in Class-Based Queueing (CBQ) packet scheduling
algorithm, invalid data may be read. A local user can use this to cause
denial-of-service.
* CVE-2022-47929: NULL dereference in traffic control subsystem.
Specially crafted network traffic can cause a NULL pointer dereference
in the network traffic control subsystem. This flaw could be exploited
by a malicious local user to cause a denial-of-service.
* CVE-2022-2196: Information leak in Kernel-based Virtual Machine.
A flaw in KVM due to a missing flush of indirect branch predictors
at VM-exit time may result in a leak of information.
A nested guest VM (L2) may use this flaw to perform Spectre v2 attacks
on L1 guest VMs.
* CVE-2023-0461: Use-after-free in Upper Level Protocol (ULP) subsystem.
Improper handling of sockets entering the LISTEN state can lead to
use-after-free. A local attacker could use this to cause denial-of-service or
execute arbitrary code.
* CVE-2022-3566, CVE-2022-3567: Denial-of-service in IPv6 networking.
A race condition in IPv6 networking when converting an IPv6 socket into
IPv4 could lead to a data corruption. A local user could use this flaw
for a denial-of-service.
* CVE-2022-20141: Privilege escalation in inet sockets.
A locking error when opening/closing inet sockets could lead to a
use-after-free. A local attacker could use this flaw to escalate
privileges or cause a denial-of-service.
* CVE-2022-39188: Denial-of-service in MMU-based Paged Memory Management Support.
A flaw in MMU-based Paged Memory Management Support when unmapping
a memory region could result in a system crash. A local user could use
this flaw for denial-of-service.
* CVE-2022-1462: Denial-of-service in the tty subsystem.
A logic error when using some of the ioctls of the tty subsystem could
lead to a race condition. A local attacker could use this flaw to cause
a denial-of-service or leak unauthorized memory.
* CVE-2022-42703: Code execution in MMU-based Paged Memory Management Support.
A flaw in memory allocations tracking for anonymous VMA mappings in
MMU-based Paged Memory Management Support could lead to data structure
reuse. A local user could use this flaw to cause a denial-of-service or
execute arbitrary code.
* Note: Oracle will not provide a zero downtime update for CVE-2021-26341.
On the 8th of March 2022, Vrije Universiteit (VU) Amsterdam
researchers, AMD, Ampere, ARM and Intel jointly reported new security
vulnerabilities based on Branch Target Injection (BTI) (commonly
called Spectre v2 variants).
The reporters recommend disabling unprivileged BPF to mitigate this
vulnerability as well as using generic retpoline even when eIBRS is
available on the platform or on special AMD/Hygon CPUs.
Unprivileged BPF can already be disabled at runtime by setting the
kernel.unprivileged_bpf_disabled sysctl.
If your CPU is affected and is not already using retpoline as the
Spectre V2 mitigation, a reboot into the newest kernel will be
required in order to get the full retpoline mitigations in place.
* CVE-2022-3524: Memory-leak in IPv6 networking.
A race condition in IPv6 networking when converting an IPv6 socket into
IPv4 could lead to a memory-leak. A local user could use this flaw to
exhaust the system's memory and cause denial-of-service.
* CVE-2022-3625: Denial-of-service in the Netlink device interface implementation.
A missing check when setting or getting Netlink device parameters could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service or possibly execute arbitrary code.
* CVE-2022-3707: Double-free in Intel GVT-g graphics driver.
Incorrect error handling in the Intel GVT-g graphics driver can lead to a
double free. This can allow a local user to cause denial-of-service.
* CVE-2023-1195: Denial-of-service when using CIFS driver.
A missing pointer clearing when closing a CIFS session could use to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.
* CVE-2023-1582: Denial-of-service in the memory management subsystem.
A logic error when a user reads /proc/$PID/smaps while doing other
actions could lead to a use-after-free. A local privileged attacker
could use this flaw to cause a denial-of-service.
* CVE-2022-3522: Race condition when using hugetlb.
A logic error when using hugetlb could lead to a race condition. A local
attacker could use this flaw to cause a denial-of-service.
* CVE-2022-25265: Permission by pass when executing an ELF object.
A logic error when the kernel runs certain binary files with the
exec-all attribute could let an attacker execute code in a non
executable region of the file.
* Note: Oracle has determined that CVE-2022-3623 is not applicable.
CVE-2022-3623 is a flaw in HugeTLB file system which could lead to a
race condition when looking up a hugetlb page in some situations.
Oracle has determined that this vulnerability only affects Aarch64
architecture and x86_64 is not vulnerable.
* CVE-2022-39189: Privilege escalation in Kernel-based Virtual Machine.
A flaw in KVM instruction emulation could allow unprivileged guest
userspace access to guest kernel memory through stale TLB translations.
An unprivileged guest user could use this flaw to cause a
denial-of-service or gain arbitrary code execution in a guest VM.
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.
New Ksplice updates for RHCK 8 are available.