El-errata: New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2020-5676)
Synopsis: ELSA-2020-5676 can now be patched using Ksplice
CVEs: CVE-2018-19854 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-19527 CVE-2019-19532 CVE-2019-19768 CVE-2019-19965 CVE-2019-20096 CVE-2020-11494 CVE-2020-2732 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-9383
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5676.
More information about this erratum can be found at
https://linux.oracle.com/errata/ELSA-2020-5676.html
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
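The following shell snippet is an added example, not part of the advisory or of Oracle's Ksplice tooling. It shows the two checks an administrator would want after reading the INSTALLING THE UPDATES section: whether "autoinstall = yes" is set in /etc/uptrack/uptrack.conf (so no action is needed), and whether every CVE listed in this advisory actually appears in the output of `uptrack-show`, which lists the Ksplice updates currently applied to the running kernel. The uptrack.conf fragment and the uptrack-show listing below are constructed sample inputs (the update IDs are placeholders) so the script runs offline; on a real host you would point the functions at /etc/uptrack/uptrack.conf and at the saved output of `/usr/sbin/uptrack-show`.

```shell
#!/bin/sh
# Added example (not Oracle's code): verify Ksplice autoinstall state and
# confirm the ELSA-2020-5676 CVEs are present in `uptrack-show` output.

# CVE list copied from the advisory header; left unquoted on purpose below
# so the shell splits it into one argument per CVE.
ELSA_CVES="CVE-2018-19854 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816
CVE-2019-19527 CVE-2019-19532 CVE-2019-19768 CVE-2019-19965 CVE-2019-20096
CVE-2020-11494 CVE-2020-2732 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649
CVE-2020-9383"

# autoinstall_enabled CONF: exit 0 if CONF has an uncommented
# "autoinstall = yes" line (whitespace and case tolerant), 1 otherwise.
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# missing_cves SHOW_OUTPUT CVE...: print each CVE not found as a whole word
# in SHOW_OUTPUT (a saved `uptrack-show` listing). Exit 0 when none are
# missing, 1 otherwise.
missing_cves() {
    show_out=$1
    shift
    rc=0
    for cve in "$@"; do
        if ! grep -qwF -- "$cve" "$show_out"; then
            echo "$cve"
            rc=1
        fi
    done
    return $rc
}

# check_system CONF SHOW_OUTPUT: human-readable summary of both checks.
check_system() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall is on: updates apply automatically"
    else
        echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
    fi
    if missing=$(missing_cves "$2" $ELSA_CVES); then
        echo "all ELSA-2020-5676 CVEs are present in uptrack-show output"
    else
        echo "CVEs from ELSA-2020-5676 not yet applied:"
        echo "$missing"
    fi
}

# --- constructed sample inputs (not captured from a real system) ---------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/uptrack.conf" <<'EOF'
[Settings]
# autoinstall = no
autoinstall = yes
EOF

cat > "$SAMPLE_DIR/uptrack-noauto.conf" <<'EOF'
[Settings]
autoinstall = no
EOF

# Mimics the shape of `uptrack-show` output; IDs in brackets are placeholders.
# Deliberately omits the CVE-2020-11494 (slcan) update to exercise the check.
cat > "$SAMPLE_DIR/uptrack-show.txt" <<'EOF'
Installed updates:
[xxxxxxxx] CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.
[xxxxxxxx] CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Denial-of-service when parsing access point settings in Marvell WiFi-Ex driver.
[xxxxxxxx] CVE-2019-19527: Denial-of-service in USB HID device open.
[xxxxxxxx] CVE-2019-19532: Denial-of-service when initializing HID devices.
[xxxxxxxx] CVE-2019-19768: Use-after-free when reporting an IO trace.
[xxxxxxxx] CVE-2019-19965: Denial-of-service in SCSI device removal.
[xxxxxxxx] CVE-2019-20096: Memory leak while changing DCCP socket SP feature values.
[xxxxxxxx] Improved fix for CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.
[xxxxxxxx] CVE-2020-8647, CVE-2020-8649: Use-after-free in the VGA text console driver.
[xxxxxxxx] CVE-2020-8648: Use-after-free in virtual terminal selection buffer.
[xxxxxxxx] CVE-2020-9383: Information leak in floppy disk driver.
EOF

check_system "$SAMPLE_DIR/uptrack.conf" "$SAMPLE_DIR/uptrack-show.txt"
```

On a live host, replace the constructed files with /etc/uptrack/uptrack.conf and `uptrack-show > /tmp/show.txt`; note that `uptrack-show` reports what is patched into the running kernel, so a CVE reported missing after `uptrack-upgrade -y` is worth investigating rather than assuming the reboot-free patch applied.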
DESCRIPTION
* Out-of-bounds access when classifying network packets with traffic control index.
A logic error when classifying network packets with traffic control
index could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.
Orabug: 31181100
* NULL dereference while writing Hyper-V SINT14 MSR.
It is possible for KVM's IOAPIC scan logic to be triggered
inappropriately when attempting to write to Hyper-V's SINT14 MSR.
If an IOAPIC has not been initialized, this can lead to a NULL
dereference, and subsequent kernel panic. This could be used
to cause a denial-of-service.
Orabug: 31004914
* CVE-2020-9383: Information leak in floppy disk driver.
A missing bounds check in the floppy driver when selecting the floppy disk
controller (the FDC index is assigned without being validated) could lead
to an out-of-bounds read, leaking kernel memory contents.
Orabug: 31067513
* NULL pointer dereference when initializing Differentiated Services marker driver.
A missing check when initializing Differentiated Services marker driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
Orabug: 30453287
* CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.
Incorrect string copying in the NETLINK_CRYPTO report could result in
leaking the contents of kernel stack memory to an unprivileged local
user.
Orabug: 31081816
* CVE-2019-19965: Denial-of-service in SCSI device removal.
A race condition when probing SCSI devices could result in a NULL
pointer dereference and kernel crash. A local user with privileges to
add or remove SCSI devices could use this flaw to crash the system.
Orabug: 30770911
* Invalid memory access when sending an excessively large packet using Segmentation Offloads.
A missing check when sending an excessively large packet using
Segmentation Offloads could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.
Orabug: 31161828
* Livelock in loop device block resize operation.
A failure to handle a block size change on an existing loopback device can
result in a livelock. A local user with the ability to configure a loopback
device could use this flaw to cause a denial-of-service.
Orabug: 31161462
* CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Denial-of-service when parsing access point settings in Marvell WiFi-Ex driver.
Logic errors when parsing access point settings in Marvell WiFi-Ex
driver could lead to buffer overflows. A local attacker could use this
flaw to cause a denial-of-service.
Orabug: 31104480
* CVE-2019-20096: Memory leak while changing DCCP socket SP feature values.
Under certain conditions, it is possible for the __feat_register_sp
function to leak small amounts of memory. This could potentially be
exploited by a local attacker to waste system resources and degrade
performance, or to aid in another type of attack.
Orabug: 30755059
* Improved fix for CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.
The previous fix for CVE-2020-2732 could prevent some guest systems from
booting correctly.
Orabug: 31118690
* Race condition in ipoib during high request load causes denial-of-service.
A race condition in ipoib request queue handling could result in
requests never being processed, effectively causing a denial of ipoib
service.
Orabug: 31118993
* CVE-2020-11494: Information leak in serial line CAN device communication.
When communicating with a CAN device over serial, a buffer structure is
transmitted without proper sanitization, potentially exposing stack
memory over the network.
Orabug: 31136752
* Use-after-free when removing generic block device.
A race condition when accessing a block device that is in the process of
being removed could result in the device structure being accessed after it
has been freed. This could result in memory corruption or a denial-of-service.
Orabug: 31161462
* Memory corruption when reading EFI sysfs entries.
If multiple threads read an EFI sysfs variable with a size greater than
1024 bytes, one thread's buffer variable might be overwritten by the
other, resulting in memory corruption or a kernel crash.
Orabug: 30990726
* CVE-2020-8648: Use-after-free in virtual terminal selection buffer.
Invalid locking around the kernel virtual terminal selection buffer
handling could result in memory corruption if a race occurred between
reading and writing the buffer.
Orabug: 30923296
* Various Spectre-V1 information leaks in KVM.
Various array accesses in KVM lack protection against Spectre variant
1 type attacks. An attacker could exploit this bug to read privileged
kernel memory.
Orabug: 31191092
* CVE-2019-19527: Denial-of-service in USB HID device open.
A race condition when opening a USB HID device could result in a
use-after-free and kernel crash.
Orabug: 31206359
* CVE-2020-8647, CVE-2020-8649: Use-after-free in the VGA text console driver.
A missing check when resizing console in the VGA text console driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.
Orabug: 31143946
* CVE-2019-19532: Denial-of-service when initializing HID devices.
A failure to properly check a device-controlled parameter in the USB
HID (bluetooth) subsystem could lead to reads or writes past memory
bounds. An attacker can exploit this bug with a specially crafted USB
device to escalate privileges or cause a denial-of-service.
Orabug: 30622561
* Divide-by-zero when CPU capacity changes causes denial-of-service.
Incorrect comparisons between 32- and 64-bit integers when CPU capacity
changes could result in a denial-of-service on systems with extremely
large numbers of CPU cores.
Orabug: 31124463
* CVE-2019-19768: Use-after-free when reporting an IO trace.
Lack of correct synchronization between releasing a structure used to store
a trace and filling that structure could lead to a use-after-free. A local
user with the ability to enable tracing on the block IO sub-system could
use this flaw to cause a denial-of-service or potentially escalate
privileges.
Orabug: 31123575
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.