El-errata: New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2020-5866)
Synopsis: ELSA-2020-5866 can now be patched using Ksplice
CVEs: CVE-2016-10905 CVE-2017-16528 CVE-2017-8924 CVE-2017-8925 CVE-2018-16884 CVE-2018-20856 CVE-2019-11487 CVE-2019-14898 CVE-2019-15218 CVE-2019-15505 CVE-2019-15927 CVE-2019-16746 CVE-2019-17075 CVE-2019-18885 CVE-2019-19052 CVE-2019-19073 CVE-2019-19074 CVE-2019-19768 CVE-2019-19965 CVE-2019-20054 CVE-2019-20096 CVE-2019-20812 CVE-2019-3846 CVE-2019-3874 CVE-2019-5108 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2020-10720 CVE-2020-10751 CVE-2020-10769 CVE-2020-14314 CVE-2020-14331 CVE-2020-1749 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5866.
More information about this erratum can be found at
https://linux.oracle.com/errata/ELSA-2020-5866.html
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
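The two install paths above depend on one setting. The script below is an added example, not part of the Oracle advisory or the Ksplice tooling: it reads an uptrack.conf-style file and reports whether the host will pick up the update on its own or needs a manual uptrack-upgrade run. It assumes the file is INI-style "key = value" text with # or ; comments, that yes/true/1 count as enabled, and uses constructed sample configs instead of the real /etc/uptrack/uptrack.conf.

```shell
#!/bin/sh
# Added example (not from the Oracle advisory): decide whether a host will
# pick up this Ksplice update by itself (autoinstall = yes in
# /etc/uptrack/uptrack.conf) or needs a manual uptrack-upgrade run.
# Assumption: the file is INI-style "key = value" text; comments starting
# with # or ; are ignored, the last assignment wins, and yes/true/1 count
# as enabled. The sample config contents below are constructed.

# Returns 0 when autoinstall is enabled in the given config file, 1 otherwise.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    value=$(sed -e 's/[#;].*$//' "$conf" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    case "$value" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Prints the action an administrator should plan for this host.
plan_action() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall"      # nothing to do; Uptrack applies the update
    else
        echo "manual"           # run: /usr/sbin/uptrack-upgrade -y
    fi
}

# Constructed sample configs standing in for /etc/uptrack/uptrack.conf.
sample_auto=$(mktemp)
sample_manual=$(mktemp)
trap 'rm -f "$sample_auto" "$sample_manual"' EXIT
cat > "$sample_auto" <<'EOF'
[Settings]
# pick up new updates without operator action
autoinstall = Yes
EOF
cat > "$sample_manual" <<'EOF'
[Settings]
autoinstall = no   ; operators run uptrack-upgrade -y by hand
EOF

for f in "$sample_auto" "$sample_manual"; do
    echo "$f: $(plan_action "$f")"
done
```

An unreadable or missing config is reported as "manual", so a host whose Uptrack configuration is absent is never assumed to patch itself.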
DESCRIPTION
* CVE-2016-10905: Use-after-free in GFS2 file system.
A logic error when using a resource group to keep track of block
allocation in the GFS2 filesystem could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.
Orabug: 30254251
* CVE-2019-17075: Denial-of-service in Chelsio T4/T5 RDMA TPT entries.
Incorrect mapping of transfer buffers could result in performing DMA to
an incorrect physical address leading to memory corruption and use of
uninitialized values. An attacker could use this flaw to crash the
system.
Orabug: 31351783
* CVE-2020-10720: Use-after-free in generic receive offload fragmentation.
A use-after-free in the generic receive offload code could result in a
kernel crash when receiving a fragmented packet under specific
conditions.
Orabug: 31856195
* CVE-2019-20054: Denial-of-service in procfs sysctl removal.
A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when removing a sysctl table from procfs. A local,
privileged user could use this flaw to crash the system.
Orabug: 30732938
* CVE-2019-3846: Heap overflow when parsing BSS descriptor in Marvell WiFi-Ex driver.
A missing check on user input when parsing BSS descriptor in Marvell
WiFi-Ex driver could let a local attacker cause a heap overflow and a
denial-of-service.
Orabug: 31351916
* CVE-2019-14898: Denial-of-service when writing to file-max sysctl.
Lack of bounds check when writing a big number to the file-max sysctl could
cause a denial-of-service.
Orabug: 31350720
* CVE-2020-14331: Out-of-bounds writes in ioctls of Console display driver.
Out-of-bounds writes in ioctls of the Console display driver could happen
when calling the VT_RESIZE ioctl in order to resize the console. This
flaw could allow a local user with access to the VGA console to crash
the system or potentially escalate their privileges on the system.
Orabug: 31705121
* CVE-2019-19052: Memory leak when opening USB Socket CAN device driver.
A missing free of resources when opening the USB SocketCAN device driver
fails could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a denial-of-service.
Orabug: 31351682
* CVE-2019-18885: Denial-of-service in BTRFS extent verification.
A logic error when verifying extents during mount of a BTRFS filesystem
can result in a NULL pointer dereference, leading to a kernel crash. A
local user with the ability to mount a crafted BTRFS image could use
this flaw to cause a denial-of-service.
Orabug: 31351746
* CVE-2020-10769: Out-of-bounds memory access in authenticated encryption key parsing.
A logic error when reading unaligned keys for authenticated encryption can lead
to an integer underflow and result in an out-of-bounds memory access, leading to
a kernel crash. A local user could use this flaw to cause a denial-of-service.
Orabug: 31535529
* CVE-2017-8925: Memory leak when opening an Omninet serial device.
An extra reference on the TTY was taken in the Omninet serial driver on
open, leading to a memory leak. A local, unprivileged user could use this
flaw to exhaust the memory on the system and cause a denial-of-service.
Orabug: 30484761
* CVE-2019-20812: Soft lockup in packet sockets with zero timeout.
Due to incorrect logic in packet sockets, an attacker could request a zero
timeout, which would cause a soft lockup. A malicious local user could use
this to cause a denial-of-service.
Orabug: 31439107
* CVE-2019-19073, CVE-2019-19074: Denial-of-service in the ath9k wireless driver.
A memory leak during driver initialization in the Atheros HTC-based
wireless subsystem could cause kernel memory exhaustion. An attacker
could exploit this flaw to cause a denial-of-service.
* CVE-2019-7221: Use-after-free in nested KVM preemption timer.
A failure to cancel a nested KVM timer before freeing it can result in a
use-after-free. A guest VM could use this flaw to crash the host.
Orabug: 29434898
* CVE-2019-7222: Information disclosure in KVM VMX emulation.
Incorrectly handling a page fault exception while emulating VMX instructions
can result in leaking host stack information to a guest. A guest VM could use
this flaw to facilitate a further attack on the host.
Orabug: 29434924
* CVE-2017-8924: Information leak in Digi Edgeport TI callback completion.
An integer underflow in the Digi Edgeport TI USB driver can allow a malicious
USB device to leak the contents of kernel memory to userspace.
Orabug: 31352084
* CVE-2019-15505: Out-of-bounds access in Technisat DVB-S/S2 USB2.0 driver.
A logic error when receiving data over Technisat DVB-S/S2 USB2.0 driver
could lead to an out-of-bounds access. A remote attacker could use this
flaw to cause a denial-of-service.
Orabug: 31224554
* CVE-2020-25212: Out-of-bounds writes in RPC operations of Network File System.
Out-of-bounds writes in RPC operations of the Network File System
could cause a system crash. This flaw could allow a local user
to crash the system and cause a denial-of-service or potentially
escalate their privileges on the system.
Orabug: 31872910
* CVE-2019-6974: Use-after-free in KVM device creation.
A reference count manipulation error when creating a KVM device can result in
an early free, leading to a use-after-free. A local user with access to KVM
could use this flaw to cause a kernel crash or potentially escalate privileges.
Orabug: 29434845
* CVE-2019-15218: Denial-of-service during initialization of an smsusb device.
A NULL pointer dereference in the smsusb driver initialization path
leads to a general protection fault. A local user with physical access
could exploit this to cause a denial-of-service by plugging in a
maliciously crafted USB device.
Orabug: 31351875
* CVE-2017-16528: Use-after-free when unbinding a MIDI sequencer device.
A missing cancellation of a work queue when unbinding a MIDI sequencer
device could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.
Orabug: 31352045
* CVE-2019-5108: Denial-of-service of a wireless access point during roaming of a station.
A logic error in the protocol implementation when a station connects to an
access point during roaming could let an attacker within the internal
network cause a denial-of-service of the access point.
Orabug: 31473652
* CVE-2019-15927: Out-of-bounds accesses in the USB audio driver.
A missing check in the USB audio driver could lead to out-of-bounds
accesses. A local attacker could use this flaw to cause a
denial-of-service.
Orabug: 31351837
* CVE-2019-20096: Memory leak while changing DCCP socket SP feature values.
Under certain conditions, it is possible for the __feat_register_sp
function to leak small amounts of memory. This could potentially be
exploited by a local attacker to waste system resources and degrade
performance, or to aid in another type of attack.
Orabug: 30732821
* CVE-2018-20856: Use-after-free in block device core.
A failure to initialize part of a structure in the block device allocation
path can lead to a use-after-free of certain kernel structures, which can
result in a kernel panic. This could be used to cause a denial of service.
Orabug: 30120513
* CVE-2019-19965: Denial-of-service in SCSI device removal.
A race condition when probing SCSI devices could result in a NULL
pointer dereference and kernel crash. A local user with privileges to
add or remove SCSI devices could use this flaw to crash the system.
Orabug: 30770913
* MSI interrupts loss due to multiple flaws in LAPIC drivers.
Multiple flaws in Local Advanced Programmable Interrupt Controller
drivers could lead to Message Signaled Interrupts being lost. This
could cause the system to become unstable.
Orabug: 31477035
* CVE-2020-25284: Incomplete permission checking in RADOS block device driver.
A flaw in the RADOS block device driver implementation could lead to
incomplete permission checking for access to RADOS block devices.
This could be leveraged by local attackers to map or unmap RBD block
devices.
Orabug: 31884169
* CVE-2020-25285: Denial-of-service in sysctls of Linux Memory Manager.
A race condition in sysctls of the Linux kernel virtual memory manager
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
Orabug: 31884239
* CVE-2020-14314: Denial-of-service in ext4 file system due to broken indexing.
Out-of-bounds memory reads could happen in the ext4 file system due to
broken indexing. This flaw could allow a local user to crash the
system and cause a denial-of-service.
Orabug: 31895331
* CVE-2019-3874: Denial-of-service in the SCTP socket subsystem.
The SCTP socket buffer used by a userspace application is not accounted for by
the cgroups subsystem. An attacker can use this flaw to exhaust kernel
memory and cause a denial-of-service.
Orabug: 31351960
* Note: Oracle will not be providing a zero downtime update for CVE-2018-16884.
Orabug: 31351995
* CVE-2020-10751: SELinux bypass in netlink message validation.
A failure to correctly process multiple netlink messages in the SELinux
implementation can result in incorrectly allowing messages to be sent. A
local user could use this flaw to bypass SELinux restrictions.
Orabug: 31439369
* CVE-2019-11487: Invalid memory access when overflowing the page refcount.
A reference count issue could let an attacker overflow a page's reference
count, leading to invalid memory accesses. A local attacker could use
this flaw to cause a denial-of-service.
Orabug: 31351941
* CVE-2019-19768: Use-after-free when reporting an IO trace.
Lack of correct synchronization between releasing a structure used to store
a trace and filling that structure could lead to a use-after-free. A local
user with the ability to enable tracing on the block IO subsystem could
use this flaw to cause a denial-of-service or potentially escalate
privileges.
Orabug: 31123576
* CVE-2019-16746: Buffer overflow when receiving beacon over wireless network.
A missing check on a beacon header received over a wireless network could
lead to a buffer overflow. A remote attacker could use this flaw to
cause a denial-of-service.
Orabug: 30556264
* CVE-2020-1749: Information disclosure in IPv6 IPSec tunneling.
A logic error in the IPv6 implementation of IPSec can lead to some
protocols being routed outside of the IPSec tunnel in unencrypted
form. A network-based attacker could use this flaw to read confidential
information.
Orabug: 31872821
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.
New Ksplice updates for UEKR4 4.1.12 on Oracle Linux 6 and 7 have been released.