[Ksplice-cloudlinux6-updates] New Ksplice updates for CloudLinux 6 (2.6.32-896.16.1.lve1.4.49.el6)

Gregory Herrero gregory.herrero at oracle.com
Fri Jan 12 05:19:42 PST 2018


Synopsis: 2.6.32-896.16.1.lve1.4.49.el6 can now be patched using Ksplice
CVEs: CVE-2010-5313 CVE-2013-2015 CVE-2014-7842 CVE-2014-8134 CVE-2015-5156 CVE-2015-7509 CVE-2015-8215 CVE-2015-8539 CVE-2016-10088 CVE-2016-10142 CVE-2016-1583 CVE-2016-2069 CVE-2016-2384 CVE-2016-3961 CVE-2016-4470 CVE-2016-5696 CVE-2016-5829 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-7910 CVE-2016-7911 CVE-2016-8399 CVE-2016-9555 CVE-2016-9576 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-1000251 CVE-2017-10661 CVE-2017-11176 CVE-2017-12192 CVE-2017-14106 CVE-2017-14489 CVE-2017-15265 CVE-2017-15274 CVE-2017-16939 CVE-2017-6214 CVE-2017-7308 CVE-2017-7472 CVE-2017-7542 CVE-2017-7645 CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

IMPORTANT

The Oracle Ksplice development team has determined that mitigations for
the Intel processor design flaws leading to vulnerabilities
CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715 cannot be applied using
zero-downtime (Ksplice) patching. Oracle therefore recommends that
customers install the required updates from their systems and hardware
vendors as they become available and reboot these machines upon applying
these patches.

Systems running CloudLinux 6 can now use Ksplice to patch against the
latest CloudLinux 6 kernel update, 2.6.32-896.16.1.lve1.4.49.el6.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running CloudLinux 6
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
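As an added example (not part of this announcement or of Ksplice's own tooling), a preflight check an administrator can run before relying on the steps above: it reports whether the running kernel is the 2.6.32-896.16.1.lve1.4.49.el6 release covered here and whether "autoinstall = yes" in /etc/uptrack/uptrack.conf means no manual action is needed. The "key = value" layout of uptrack.conf and the accepted spellings of "yes" are assumptions.

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement: preflight check for this update.
# Assumes uptrack.conf uses "key = value" lines with optional '#' comments.

TARGET_KERNEL="2.6.32-896.16.1.lve1.4.49.el6"

# Return 0 when the config enables autoinstall, 1 otherwise (missing file counts as off).
# Ignores comment lines, surrounding whitespace and letter case; the last match wins.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(tr 'A-Z' 'a-z' < "$conf" \
        | sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        | tail -n 1)
    case "$val" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the verdict for a running kernel string and a config path.
# Exit status: 0 = nothing to do, 1 = run uptrack-upgrade, 2 = announcement does not apply.
ksplice_preflight() {
    running="$1"; conf="$2"
    if [ "$running" != "$TARGET_KERNEL" ]; then
        echo "kernel $running is not $TARGET_KERNEL: this announcement does not apply"
        return 2
    fi
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall enabled: updates will be installed automatically"
        return 0
    fi
    echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    return 1
}

# Live check against this host only when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    ksplice_preflight "$(uname -r)" /etc/uptrack/uptrack.conf
fi
```

Invoke the script with `--check` on the host to get the live verdict; the exit status mirrors the message.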


DESCRIPTION

* CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on an IPv6 socket.

A missing check when using Generic Segmentation Offload on an IPv6 socket
could lead to a memory leak. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2017-7542: Buffer overflow when parsing the IPv6 fragment header.

An incorrect data type when parsing the IPv6 fragment header could lead to
a buffer overflow and to an infinite loop. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2017-11176: Use-after-free in message queue notify syscall.

A race condition when closing a message queue file descriptor could cause
the memory for the associated socket to be freed twice, corrupting memory
or causing a denial-of-service.


* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.

HugeTLBFS is not supported on Xen PV guests and leads to a kernel crash
when an application tries to mmap() a Huge TLB.  A local user with the
ability to mmap() Huge TLB pages in a Xen PV guest can cause a
denial-of-service of the guest.


* CVE-2014-8134: Information leak in 32-bit KVM guests.

A bug in the espfix handling code could result in leaking high bits of
the kernel stack pointer when returning to userspace with a 16-bit
stack. A local unprivileged user could potentially use this flaw to
leak kernel stack addresses.


* CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.

A malicious nested L2 KVM guest can cause the L1 guest to crash by
triggering a race condition when accessing MMIO memory. A local attacker
could use this flaw to cause a denial of service.


* CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting a non-journaled ext4 filesystem.

A flaw was found in the ext4 file system when handling non-journal file
systems with an orphan list. An attacker with physical access to the system
could use this flaw to crash the system or potentially escalate their
privileges on the system.


* CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.

Missing validation of the MTU in the IPv6 stack when it is reset could allow a
remote attacker to change the MTU through rogue router advertisement
packets. A remote attacker could use this flaw to disrupt the system's
networking, leading to high packet loss and denial-of-service.


* CVE-2015-5156: Denial-of-service in Virtio network device.

Incorrect handling of fragmented socket buffers could result in a buffer
overflow when performing receive offload under specific conditions.  A
local, unprivileged user could use this flaw to crash the system.


* CVE-2016-5696: Session hijacking in TCP connections.

A logic error in the core TCP subsystem can allow attackers to easily
guess secret information and inject arbitrary packets into a TCP stream.


* CVE-2016-4470: Denial-of-service in the keyring subsystem.

Failure to check that a key was properly added to a keyring before removing
it could lead to a kernel crash.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* CVE-2016-5829: Memory corruption in unknown USB HID devices.

The USB HID driver does not validate USB data when an unknown HID device
is encountered, which can allow a malicious USB device to trigger kernel
memory corruption and gain execution.


* CVE-2016-1583: Privilege escalation in eCryptfs.

eCryptfs was incorrectly trying to use the mmap() file operation on a lower
filesystem that may not support it. A local, unprivileged user could use
this flaw to cause a denial-of-service through recursive faults or
potentially escalate privileges.


* CVE-2016-7910: Privilege escalation in /proc/partitions.

Incorrect cleanup when finishing reading /proc/partitions could result
in a use-after-free condition.  A local, unprivileged user could use
this flaw to crash the system, or potentially, escalate privileges.


* CVE-2016-7911: Privilege escalation in ioprio_get().

A race condition in retrieving the task IO context in the ioprio_get()
system call could allow a local, unprivileged user to trigger a
use-after-free and cause a denial-of-service, or potentially, escalate
privileges.


* CVE-2015-8539: Privilege escalation in the keys subsystem when instantiating a key.

Failure to properly initialize key payload data when a key was
negatively instantiated could lead to memory corruption. A local user with
the ability to add keys in the keys subsystem could use this flaw to
cause a denial-of-service or escalate privileges.


* Denial-of-service when copying iovec from user space.

A missing check when copying an iovec from user space could lead to an
out-of-bounds access. A local user could use this flaw to cause a
denial-of-service.


* CVE-2017-6214: Denial-of-service when splicing from TCP socket.

A specially crafted packet can be queued to trigger an infinite loop in
the IPv4 subsystem. This can be exploited by a remote attacker to cause a
denial-of-service.


* CVE-2016-10088, CVE-2016-9576: Use-after-free in SCSI device interface.

Incorrect validation of sendfile arguments can cause a use-after-free in
the SCSI subsystem. A local user with access to /dev/sg* devices could
use this flaw to read kernel memory or escalate privileges.


* CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

A missing bounds check in one of the state functions caused memory use
beyond what had been allocated. This could lead to memory corruption and
other undefined behaviour.


* CVE-2016-8399: Information leak using ICMP protocol.

A missing check on the ICMP header length could cause an out-of-bounds read
of the stack. A user could use this flaw to leak information about
kernel memory and facilitate an attack.


* CVE-2016-7042: Stack corruption when reading keys from proc filesystem.

An on-stack buffer is not big enough to hold the data being written to it
when reading keys from the proc filesystem, potentially leading to a kernel
panic when the stack protector is in use.  A local, unprivileged user could
use this flaw to cause a denial-of-service.


* CVE-2016-6480: Denial-of-service in Adaptec AACRAID driver.

A race condition in fetching parameters from userspace could result in
accessing beyond the bounds of a buffer.  A local user with privileges
to access the device could use this flaw to crash the system.


* CVE-2016-2384: Privilege escalation in USB MIDI device driver.

The USB MIDI device driver does not correctly free memory when failing
to initialize an endpoint, which can cause a use-after-free condition. A
local unprivileged user can use this flaw to trigger kernel code
execution.


* CVE-2016-10142: Denial of service when routing IPv6 atomic fragments.

The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, remote attackers can leverage a feature of
atomic fragments to stop the routing of IPv6 traffic, causing a denial
of service.


* CVE-2016-7097: Privilege escalation when setting xattr.

A missing clear of SGID bit during a setxattr call could allow a local
user to gain group privileges.


* CVE-2017-7472: Denial-of-service when setting default request-key keyring.

A logic error when a user sets the default request-key keyring multiple
times could lead to a memory leak. A local attacker could use this flaw
to exhaust kernel memory and cause a kernel panic.


* CVE-2017-7308: Memory corruption in AF_PACKET socket options.

Multiple integer overflows in the AF_PACKET setsockopt implementation can
trigger kernel memory corruption. A local user could use this flaw to elevate
privileges.


* Denial-of-service in NFS shares during container starting.

A use-after-free could result in a kernel crash when starting a
container using an NFS share on a host that has insufficient resources.


* CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

If an NFS version 2 or 3 client appends extraneous data to its RPC
calls or replies, the server fails to allocate sufficient
memory, potentially causing memory corruption and a denial-of-service.


* CVE-2017-9076: Denial-of-service in DCCPv6 sockets.

A use-after-free in the DCCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-9077: Denial-of-service in TCPv6 sockets.

A use-after-free in the TCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-9075: Denial-of-service in SCTPv6 sockets.

A use-after-free in the SCTPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-8890: Denial-of-service in TCP and DCCP socket manipulation.

A failure to correctly initialise a structure can result in a double
free, leading to undefined behaviour. A local unprivileged attacker
could use this flaw to cause a denial-of-service or other unspecified
behaviour.


* CVE-2017-14106: Denial-of-service when TCP window scaling is not enabled.

A division-by-zero error occurs when selecting the window size for TCP
over IPv4, resulting in denial-of-service.


* CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.

Missing locking when setting options on an AF_PACKET socket could lead to
an out-of-bounds access. A local attacker with the CAP_NET_RAW capability,
or on a system with unprivileged namespaces enabled, could use this flaw
to cause a denial-of-service or execute arbitrary code.


* CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.

Missing serialization when canceling timer file descriptors could allow
concurrent cancels to race, causing a data race or use-after-free, potentially
resulting in a kernel crash and denial-of-service.


* CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.

Incorrectly parsing a Bluetooth L2CAP configuration buffer could allow
it to overwrite data on the stack, potentially allowing a remote
attacker to execute arbitrary code in the kernel.


* CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

A logic error when checking the bounds of data to be read from a netlink socket in
the SCSI transport layer could lead to a NULL pointer dereference. A local user could use
this flaw to cause a denial-of-service.


* CVE-2017-12192: Denial-of-service in the keys subsystem when reading negatively instantiated key.

A missing check when reading a negatively instantiated key could lead to
a kernel crash. A local user with the ability to read keys in the keys
subsystem could use this flaw to cause a denial-of-service or escalate
privileges.


* CVE-2017-15274: Denial-of-service in kernel keyring add_key() syscall.

A NULL pointer dereference could allow a local, unprivileged user to
cause a denial of service by updating a key with a NULL payload and a
non-zero length.


* CVE-2017-15265: Use-after-free in ALSA seq port creation.

Failure to increment a reference count during creation of an ALSA
seq port can result in a use-after-free. A local user could use this
flaw to escalate privileges.


* CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump.

A failure to handle an error case when dumping IPSEC transform
information via netlink can result in a kernel crash. A local user with
the ability to administer an IPSEC tunnel could use this flaw to cause a
denial-of-service.


* CVE-2017-1000112: Privilege escalation using the UDP Fragmentation Offload (UFO) code.

Multiple missing checks on header lengths when using UDP Fragmentation
Offload (UFO) while sending packets could lead to out-of-bounds
accesses. A local attacker with the CAP_NET_RAW capability, or on a system
with unprivileged namespaces enabled, could use this flaw to cause a
denial-of-service or execute arbitrary code.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



