El-errata: New Ksplice updates for RHCK 9 (ELSA-2022-8267)
Synopsis: ELSA-2022-8267 can now be patched using Ksplice
CVEs: CVE-2020-36310 CVE-2020-36516 CVE-2021-33061 CVE-2021-3640 CVE-2021-39685 CVE-2021-4034 CVE-2021-4135 CVE-2021-45402 CVE-2022-0168 CVE-2022-0617 CVE-2022-0854 CVE-2022-1016 CVE-2022-1048 CVE-2022-1158 CVE-2022-1184 CVE-2022-1263 CVE-2022-1280 CVE-2022-1353 CVE-2022-1679 CVE-2022-1852 CVE-2022-1998 CVE-2022-20132 CVE-2022-20368 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127 CVE-2022-21166 CVE-2022-2153 CVE-2022-23816 CVE-2022-23825 CVE-2022-24448 CVE-2022-24958 CVE-2022-2503 CVE-2022-25258 CVE-2022-25375 CVE-2022-2586 CVE-2022-26373 CVE-2022-2639 CVE-2022-2663 CVE-2022-27223 CVE-2022-27950 CVE-2022-28390 CVE-2022-28893 CVE-2022-29581 CVE-2022-29900 CVE-2022-29901 CVE-2022-3107 CVE-2022-3239 CVE-2022-3526 CVE-2022-3577 CVE-2022-36946 CVE-2022-39190
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-8267.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2022-8267.html
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running RHCK 9 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
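An added example, not part of the Oracle advisory: a POSIX shell check that decides from the autoinstall setting whether the manual uptrack-upgrade step is needed, and lists which of the advisory's CVEs no installed update mentions yet. It assumes uptrack.conf is ini-style with a [Main] section and that uptrack-show prints one installed update per line with its description; both the sample config and the sample uptrack-show output below are constructed.

```shell
# Constructed sample of /etc/uptrack/uptrack.conf; the ini-style layout
# with a [Main] section is an assumption, only the "autoinstall" key
# comes from the advisory text.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[Main]
# autoinstall = yes   (commented out, must not count)
autoinstall = no
EOF

# Constructed sample of uptrack-show output; the update IDs are
# placeholders, not real Ksplice update IDs.
SAMPLE_SHOW='Installed updates:
[xxxxxxxx] CVE-2022-1016: Information leak in the netfilter subsystem.
[yyyyyyyy] CVE-2022-2586: Use-after-free in Netfilter subsystem.'

# Succeeds (exit 0) only if an uncommented "autoinstall = yes" line is
# present; tolerant of surrounding whitespace and letter case.
uptrack_autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Reads uptrack-show output on stdin and prints, one per line, each CVE
# from the argument list that no installed update mentions. -w keeps
# CVE-2022-1016 from matching a longer id such as CVE-2022-10160.
missing_cves() {
    show=$(cat)
    for cve in "$@"; do
        printf '%s\n' "$show" | grep -Fqw -- "$cve" || echo "$cve"
    done
}

# Stand-alone usage on the constructed samples.
if uptrack_autoinstall_enabled "$SAMPLE_CONF"; then
    echo "autoinstall is on: the updates will be installed automatically"
else
    echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
fi
printf '%s\n' "$SAMPLE_SHOW" \
    | missing_cves CVE-2022-1016 CVE-2022-2586 CVE-2022-0617 \
    | sed 's/^/not yet covered: /'
```

On a real host, point the first function at /etc/uptrack/uptrack.conf and pipe the actual `uptrack-show` output into the second.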
DESCRIPTION
* CVE-2022-1016: Information leak in the netfilter subsystem.
A flaw in the netfilter subsystem results in a use-after-free. This may
allow a local unprivileged user to cause an information leak,
resulting in loss of system confidentiality.
* CVE-2022-0617: NULL-pointer dereference when processing UDF metadata.
When converting a UDF filesystem control block to its expanded form, an
invalid block could result in a NULL callback being invoked, resulting
in a system crash. A malicious user or filesystem image might exploit
this to cause a denial-of-service.
* CVE-2022-28390: Code execution in EMS CPC-USB/ARM7 CAN/USB interface.
A double-free flaw in the data transmission path of the EMS CPC-USB/ARM7
CAN/USB interface could result in memory leaks and data corruption. A local
user could use this flaw for a denial-of-service or code execution.
* CVE-2022-0854: Information disclosure in DMA subsystem.
A flaw in the DMA subsystem when creating a mapping for a buffer could
result in a memory leak. A local user could use this flaw for
information disclosure.
* CVE-2022-36946: Denial-of-service in netfilter packet handling.
A missing check in netfilter packet handling could trigger an assertion
failure. A remote attacker could use this flaw to cause a denial-of-service.
* CVE-2022-2586: Use-after-free in Netfilter subsystem.
A logic flaw in the Netfilter subsystem when removing an NFT table could
result in a use-after-free. A local user could use this flaw to cause
a denial-of-service or code execution.
* CVE-2020-36516: Man-in-the-Middle Attack in TCP/IP Protocol.
A flaw in TCP/IP Protocol implementation could allow an off-path TCP
hijacking attack that could be used to terminate victim TCP connections
or inject forged data into victim TCP connections by manipulating
the mixed IPID assignment method. A remote user could use this flaw
to perform a Man-in-the-Middle Attack.
* CVE-2022-1679: Use-after-free in Atheros ath9k wireless device driver.
Improper handling of some error conditions in Atheros ath9k wireless
device driver could lead to a use-after-free. A local user could use
this flaw to cause a denial of service or execute arbitrary code.
* CVE-2022-1998: Use-after-free in file system notify functionality.
A use-after-free in the Linux kernel fanotify functionality was found.
A local user could use this flaw to cause a denial-of-service or escalate
their privileges on the system.
* CVE-2022-29581: Privilege escalation in Traffic Control subsystem.
An improper reference-counting flaw in the universal 32-bit key (u32)
packet classifier of the Traffic Control subsystem could lead to a
use-after-free. A local user could use this flaw for privilege
escalation.
* CVE-2022-20368: Out-of-bounds access in the Packet network subsystem.
A logic flaw in the Packet network protocol implementation may allow an
out-of-bounds access of kernel memory. A remote attacker could use this
flaw to gain access to privileged kernel data.
* Note: Oracle has determined that CVE-2022-24958 is not applicable.
Incorrect error handling when writing the configuration of the USB Gadget
file system could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service or execute arbitrary code.
The kernel is not affected by CVE-2022-24958 since the code under
consideration is not compiled.
* Note: Oracle has determined that CVE-2021-39685 is not applicable.
A failure to restrict the size of control requests for certain gadget
types in the USB Peripheral Controller could lead to an out of bounds
memory access. A local user could use this flaw to cause a denial of
service or escalate their privileges.
The kernel is not affected by CVE-2021-39685 since the code under
consideration is not compiled.
* CVE-2022-24448: Information leak when NFSv4 directory lookup fails.
If an open is performed with O_DIRECTORY on a regular file mounted over
NFSv4, the returned file descriptor will be uninitialized, potentially
leaking sensitive kernel information.
* CVE-2022-1353: Information disclosure in PF_KEYv2 socket subsystem.
An incorrect initialization of Security Association data structures by the
PF_KEYv2 socket subsystem could leak previous values stored in that kernel
memory. A local, unprivileged user can use this to gain access to kernel memory
and cause a denial-of-service or leak kernel information.
* Denial-of-service in SELinux due to a race condition.
A locking flaw in SELinux when computing object context SELinux IDs
could lead to a race condition and a file system mount failure. A local
user could use this flaw for a denial-of-service.
* CVE-2022-0168: Denial-of-service in Common Internet File System.
A logic flaw in Common Internet File System (CIFS) in the QUERY_INFO
ioctl leads to incorrect error handling. This allows a local,
privileged user to cause denial-of-service.
* Note: Oracle has determined that CVE-2022-25375 is not applicable.
The USB Gadget subsystem fails to validate the size of a received
RNDIS_MSG_SET command, potentially allowing for a buffer overrun. A
malicious user might exploit this to leak sensitive information from the
kernel.
The kernel is not affected by CVE-2022-25375 since the code under
consideration is not compiled.
* CVE-2022-1184: Use-after-free when handling corrupted hash tree in ext4.
A logic error when handling corrupted hash tree directory in ext4
filesystems could lead to a use-after-free. A local attacker could use
this flaw and a malicious ext4 image to cause a denial-of-service.
* Note: Oracle will not provide a zero-downtime update for CVE-2021-33061 (INTEL-SA-00571).
CVE-2021-33061 (INTEL-SA-00571) is scored CVSSv3 5.5 (medium severity)
and is due to improper isolation of shared resources in the network on chip
of the Intel(R) 82599 Ethernet Controllers and Adapters. This
vulnerability could allow an authenticated user to potentially enable
denial of service via local access. A patch for this vulnerability
exists in the Linux kernel's ixgbe driver.
Hosts without an Intel(R) 82599 Ethernet adapter are not affected by this
issue.
Oracle has determined that patching CVE-2021-33061 (INTEL-SA-00571) on a
running system would not be safe and recommends a reboot if using an
Intel(R) Ethernet adapter.
* CVE-2022-28893: Use-after-free in SunRPC subsystem.
A logic flaw in the SUNRPC subsystem when setting up a new connection
could lead to a use-after-free due to improper socket state handling.
A local user could use this flaw to cause a denial-of-service or execute
arbitrary code.
* Note: Oracle has determined that CVE-2022-3239 is not applicable.
A reference counter that is not initialized before use leads to a
use-after-free. A local user with the ability to plug such cards into the
host physical machine could use this flaw to potentially escalate their
privileges.
The kernel is not affected by CVE-2022-3239 since the code under
consideration is not compiled.
* Note: Oracle has determined that CVE-2022-27223 is not applicable.
The kernel is not affected by CVE-2022-27223 since the code under
consideration is not compiled.
* Use-after-free in User-space I/O driver support for HID subsystem.
A flaw in the User-space I/O driver support for the HID subsystem can be
triggered when destroying a HID device and results in a use-after-free. A
local user could use this flaw for a denial-of-service or code execution.
* CVE-2021-4034: Prevent empty argument list when executing processes.
Incorrect input validation in the pkexec program (part of Polkit) allows
any local user to become root.
* CVE-2022-2639: Out-of-bounds access in Open vSwitch Ethernet switch driver.
A logic flaw in the Open vSwitch driver code can lead to an out-of-bounds
write. This can potentially be used to cause a denial-of-service or
privilege escalation.
* Note: Oracle has determined that CVE-2022-25258 is not applicable.
The USB Gadget subsystem fails to correctly validate OS descriptors
passed to it. Malicious data passed to the system might exploit this to
cause a NULL-pointer dereference and denial-of-service.
The kernel is not affected by CVE-2022-25258 since the code under
consideration is not compiled.
* CVE-2021-3640: Privilege escalation in Bluetooth Classic due to use-after-free.
A race condition flaw in ioctls of Bluetooth Classic could lead to
use-after-free. A privileged local user could use this flaw to cause
a denial-of-service or escalate their privileges on the system.
* Note: Oracle has determined that CVE-2021-4135 is not applicable.
Information disclosure in Simulated Networking Device. Improper memory
initialization in the eBPF for the Simulated Networking Device Driver
in certain situations could allow unauthorized access to sensitive
information. A local user could use this flaw for information
disclosure.
The kernel is not affected by CVE-2021-4135 since the module under
consideration is not installed.
* CVE-2022-1048: Code execution in Advanced Linux Sound Architecture framework.
A race condition due to missing locking in the Advanced Linux Sound
Architecture framework could result in a use-after-free. A local user
could use this flaw to cause a denial-of-service or execute arbitrary
code.
* CVE-2022-2503: Filesystem integrity check bypass in dm-verity.
A flaw in dm-verity allows users to swap out a dm-verity target for an
equivalent dm-linear target and bypass filesystem integrity
verification. A privileged user could use this to load untrusted kernel
modules and firmware.
* Note: Oracle will not be providing a zero-downtime update for CVE-2022-23816, CVE-2022-23825, CVE-2022-29900 and CVE-2022-29901.
CVE-2022-23816, CVE-2022-23825, CVE-2022-29900 and CVE-2022-29901 are
flaws in the speculative execution of various processors. This can be
used by an unprivileged attacker to achieve arbitrary speculative code
execution under certain microarchitecture-dependent conditions.
* CVE-2021-45402: Information leak in eBPF subsystem.
Improper bounds checking in eBPF verifier in the Linux kernel can lead
to a memory leak. A local attacker could use this to expose sensitive
information or potentially crash the system.
* CVE-2022-2663: Firewall bypass in IRC connection tracking
An issue in nf_conntrack_irc in unencrypted IRC protocol message
handling could result in messages being incorrectly matched by the
firewall. A remote user could use this flaw to bypass local firewall
rules.
* CVE-2022-39190: Denial-of-service in netfilter.
A missing sanity-check in netfilter does not properly prevent binding
to an already bound chain. A local attacker could use this to cause a
denial-of-service.
* CVE-2022-1280: Information disclosure in Direct Rendering Manager.
A race condition flaw in ioctls of the Direct Rendering Manager due to
improper synchronization could result in a use-after-free. A local user
could use this flaw for a denial-of-service or information disclosure.
* Note: Oracle will not provide a zero-downtime update for CVE-2022-27950.
A flaw in initialization of the Human Interface Devices could result in
memory leaks. A local user could use this flaw to cause a denial of
service.
This CVE has a CVSS v3 Base Score of 5.5. The vulnerability has only an
availability impact and would require physical proximity to cause
a denial-of-service by plugging and unplugging the USB device.
* Note: Oracle will not provide a zero-downtime update for CVE-2022-3577.
A logic flaw in the BigBen Interactive Kids' gamepad support driver may lead
to an out-of-bounds write. A local attacker with a malicious device could
use this flaw for code execution.
The kernel is not affected by CVE-2022-3577 since the code under
consideration is not compiled.
* CVE-2022-20132: Denial-of-service in Human Interface Devices.
A flaw in initialization of the Human Interface Devices could result in
memory leaks. A local user could use this flaw to cause a denial of
service.
* CVE-2022-3526: Denial-of-service in MAC-VLAN support driver.
A vulnerability in the macvlan Linux driver can lead to a memory leak.
A remote attacker could use this flaw to cause a denial-of-service.
* CVE-2022-3107: Denial-of-service in Microsoft Hyper-V virtual network driver.
A missing check in Microsoft Hyper-V virtual network driver could
result in a null pointer dereference. A local attacker could use
this flaw to cause denial-of-service.
* Data corruption in user-space I/O driver support for HID subsystem.
Potential data races in the user-space I/O driver support for the HID
subsystem can lead to corruption of internal kernel state. A local attacker
could use this flaw to potentially cause a denial-of-service or as part of
another attack.
* Data corruption in buffer support of Industrial I/O driver.
Manipulation of IIO_BUFFER_GET_FD_IOCTL in the Industrial I/O driver
can potentially result in a corrupted kernel state. A local attacker
could use this flaw as part of a more complicated attack.
* Logic flaw in random number generator driver.
A logic inconsistency in the random number generator driver when handling
a read operation from /dev/urandom can suppress entropy generation.
A local attacker could use this flaw to make applications that request
cryptographically secure random bytes from the kernel hang and misbehave.
* Denial-of-service in QLogic QED 25/40/100Gb Ethernet NIC.
A missing check in the QLogic QED 25/40/100Gb Ethernet NIC module may lead
to a NULL pointer dereference. An attacker could use it to cause a
denial-of-service.
* CVE-2022-2153: Denial-of-service in Kernel-based Virtual Machine.
A logic flaw in Kernel-based Virtual Machine in some cases when KVM
initializes a vCPU without creating APIC could result in NULL pointer
dereference. A local user could use this flaw for a denial-of-service.
* CVE-2022-1263: Denial-of-service in Kernel-based Virtual Machine.
A race condition in KVM when tearing down a vCPU could result in a NULL
pointer dereference. A local attacker could use this flaw to cause a
system crash.
* CVE-2022-1852: Denial-of-service in Kernel-based Virtual Machine.
A logic flaw in decoding instructions for emulation in the Kernel-based
Virtual Machine could leave the emulation context stale. A local
user could use this flaw for a denial-of-service.
* CVE-2022-1158: Use-after-free in the KVM subsystem.
A flaw in the KVM subsystem may allow a guest virtual machine to
trigger a use-after-free. This may lead to a denial-of-service
and possible loss of system confidentiality.
* CVE-2022-26373: Information leak abusing x86 CPU return predictor.
A hardware flaw on Intel processors with Enhanced Indirect Branch
Restricted Speculation (eIBRS) when handling RET instructions after a VM
exit could lead to an information leak. A local attacker could use this
flaw to gain access to sensitive information.
* CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166: Information leak using processor MMIO stale data.
A side-channel information leak on some generations of Intel
processors could allow the leaking of internal microarchitectural
buffers when MMIO is in use.
Updated microcode is required for this vulnerability to be mitigated.
* Improved update to CVE-2020-36310: Denial-of-service in KVM support due to a nested page fault.
A flaw in KVM support subsystem in cases when an address does not
have a memslot associated with it could create a nested page fault
and lead to an infinite loop condition as a result. A local user
could use this flaw for a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.