[Ksplice-cloudlinux6-updates] New Ksplice updates for CloudLinux 6 (2.6.32-954.3.5.lve1.4.58.el6)

Wed Nov 7 10:22:08 PST 2018

Synopsis: 2.6.32-954.3.5.lve1.4.58.el6 can now be patched using Ksplice
CVEs: CVE-2010-5313 CVE-2012-6701 CVE-2013-2015 CVE-2014-7842 CVE-2014-8134 CVE-2015-5156 CVE-2015-7509 CVE-2015-8215 CVE-2015-8539 CVE-2015-8830 CVE-2016-10088 CVE-2016-10142 CVE-2016-1583 CVE-2016-2069 CVE-2016-2384 CVE-2016-3961 CVE-2016-4470 CVE-2016-5696 CVE-2016-5829 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-7910 CVE-2016-7911 CVE-2016-8399 CVE-2016-8650 CVE-2016-9555 CVE-2016-9576 CVE-2017-0861 CVE-2017-1000111 CVE-2017-1000112 CVE-2017-1000251 CVE-2017-1000410 CVE-2017-10661 CVE-2017-11176 CVE-2017-12190 CVE-2017-12192 CVE-2017-13166 CVE-2017-14106 CVE-2017-14489 CVE-2017-15265 CVE-2017-16939 CVE-2017-17450 CVE-2017-17807 CVE-2017-18017 CVE-2017-18203 CVE-2017-6214 CVE-2017-7308 CVE-2017-7542 CVE-2017-7616 CVE-2017-7645 CVE-2017-7889 CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077 CVE-2018-1000004 CVE-2018-10901 CVE-2018-1120 CVE-2018-1130 CVE-2018-14634 CVE-2018-3620 CVE-2018-3639 CVE-2018-3646 CVE-2018-3665 CVE-2018-5332 CVE-2018-5333!
  CVE-2018-5803 CVE-2018-6927 CVE-2018-7566 CVE-2018-8897

Systems running CloudLinux 6 can now use Ksplice to patch against the
latest CloudLinux 6 kernel update, 2.6.32-954.3.5.lve1.4.58.el6.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running CloudLinux 6
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Reduce usage of reserved percpu memory.

The kernel reserves a limited area of percpu memory for loadable modules
containing static percpu data and exhausting this can limit the ability
to load modules.

* CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on IPV6 socket.

A missing check when using Generic Segmentation Offload on IPV6 socket
could lead to a memory leak. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 26403974

* CVE-2017-7542: Buffer overflow when parsing IPV6 fragments header.

An incorrect data type when parsing IPV6 fragments header could lead to
a buffer overflow and to an infinite loop. A remote attacker could use
this flaw to cause a denial-of-service.

* CVE-2017-11176: Use-after-free in message queue notify syscall.

A race condition when closing a message queue file descriptor could cause
the memory for the associated socket to be freed twice, corrupting memory
or causing a denial-of-service.

Orabug: 26643546

* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.

* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.

HugeTLBFS is not supported on Xen PV guests and leads to a kernel crash
when an application tries to mmap() a Huge TLB.  A local user with the
ability to mmap() Huge TLB pages in a Xen PV guest can cause a
denial-of-service of the guest.

* CVE-2014-8134: Information leak in 32-bit KVM guests.

A bug in the espfix handling code could result in leaking high bits of
the kernel stack pointer when returning to a userspace with a 16 bit
stack.  A local unprivileged user could potentially use this flaw to
leak kernel stack addresses.

* CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.

A malicious nested L2 KVM guest can cause the L1 guest to crash by
triggering a race condition when accessing MMIO memory. A local attacker
could use this flaw to cause a denial of service.

* CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.

A flaw was found in the ext4 file system when handling non-journal file
systems with an orphan list. An attacker with physical access to the system
could use this flaw to crash the system or potentially escalate their
privileges on the system.

* CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.

Lack of validating the MTU in the IPv6 stack when it is reset could allow a
remote attacker to change the MTU through rogue router advertisement
packets.  A remote attacker could use this flaw to disrupt the system's
networking leading to high packet loss and denial-of-service.

* CVE-2015-5156: Denial-of-service in Virtio network device.

Incorrect handling of fragmented socket buffers could result in a buffer
overflow when performing receive offload under specific conditions.  A
local, unprivileged user could use this flaw to crash the system.

* CVE-2016-5696: Session hijacking in TCP connections.

A logic error in the core TCP subsystem can allow attackers to easily
guess secret information and inject arbitrary packets into a TCP stream.

* CVE-2016-4470: Denial-of-service in the keyring subsystem.

Failure to check that a key was properly added to a keyring before removing
it could lead to a kernel crash.  A local, unprivileged user could use this
flaw to cause a denial-of-service.

* CVE-2016-5829: Memory corruption in unknown USB HID devices.

The USB HID driver does not validate USB data when an unknown HID device
is encountered which can allow a malicious USB device to trigger kernel
memory corruption and gain execution.

* CVE-2016-1583: Privilege escalation in eCryptfs.

eCryptfs was incorrectly trying to use the mmap() file operation on lower
filesystem that may not support it.  A local, unprivileged user could use
this flaw to cause a denial-of-service through recursive faults or
potentially escalate privileges.

* CVE-2016-7910: Privilege escalation in /proc/partitions.

Incorrect cleanup when finishing reading /proc/partitions could result
in a use-after-free condition.  A local, unprivileged user could use
this flaw to crash the system, or potentially, escalate privileges.

* CVE-2016-7911: Privilege escalation in ioprio_get().

A race condition in retrieving the task IO context in the ioprio_get()
system call could allow a local, unprivileged user to trigger a
use-after-free and cause a denial-of-service, or potentially, escalate
privileges.

* CVE-2015-8539: Privilege escalation in the keys subsystem when instantiating a key.

A lack of properly initializing a key payload data when the key was
negatively instantiated could lead to memory corruption.  A local user with
the ability to add keys in the keys subsystem could use this flaw to
cause a denial-of-service or escalate privileges.

* Denial-of-service when copying iovec from user space.

A missing check when copying iovec from user space could lead to an out
of bound access. A local user could use this flaw to cause a
denial-of-service.

* CVE-2017-6214: Denial-of-service when splicing from TCP socket.

A specially crafted packet can be queued to trigger an infinite loop in
IPv4 subsystem. This can be exploited by an remote attacker to cause
denial-of-service.

* CVE-2016-10088, CVE-2016-9576: Use-after-free in SCSI device interface.

Incorrect validation of sendfile arguments can cause a use-after-free in
the SCSI subsystem. A local user with access to /dev/sg* devices could
use this flaw to read kernel memory or escalate privileges.

* CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

A missing bound-check in one of the state functions caused memory use
beyond what has been allocated. This could lead to memory corruption and
other undefined behaviors.

* CVE-2016-8399: Information leak using ICMP protocol.

A missing check on ICMP header length could cause an out-of-bounds read
of stack. A user could use this flaw to leak information about
kernel memory and facilitate an attack.

* CVE-2016-7042: Stack corruption when reading keys from proc filesystem.

An on-stack buffer is not big enough to hold the data being written to it
when reading keys from the proc filesystem, potentially leading to a kernel
panic when the stack protector is in use.  A local, unprivileged user could
use this flaw to cause a denial-of-service.

* CVE-2016-6480: Denial-of-service in Adaptec AACRAID driver.

A race condition in fetching parameters from userspace could result in
accessing beyond the bounds of a buffer.  A local user with privileges
to access the device could use this flaw to crash the system.

* CVE-2016-2384: Privilege escalation in USB MIDI device driver.

The USB MIDI device driver does not correctly free memory when failing
to initialize an endpoint which can cause a use-after-free condition. A
local unprivileged user can use this flaw to trigger kernel code
execution.

* CVE-2016-10142: Denial of service when routing IPv6 atomic fragments.

The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, remote attackers can leverage a feature of
atomic fragments to stop the routing of IPv6 traffic, causing a denial
of service.

Orabug: 25765786

* CVE-2016-7097: Privilege escalation when setting xattr.

A missing clear of SGID bit during a setxattr call could allow a local
user to gain group privileges.

* CVE-2017-7308: Memory corruption in AF_PACKET socket options.

Multiple integer overflows in the AF_PACKET setsockopt implementation can
trigger kernel memory corruption. A local user could use this flaw to elevate
privileges.

* Denial-of-service in NFS shares during container starting.

A use-after-free could result in a kernel crash when starting a
container using an NFS share on a host that has insufficient resources.

* CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

If an NFS version 2 or 3 client appends extraneous data to their RPC
calls or replies, the server fails to correctly allocate sufficient
memory, potentially causing memory corruption and a denial-of-service.

* CVE-2017-9076: Denial-of-service in DCCPv6 sockets.

A use-after-free in the DCCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.

* CVE-2017-9077: Denial-of-service in TCPv6 sockets.

A use-after-free in the TCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.

* CVE-2017-9075: Denial-of-service in SCTPv6 sockets.

A use-after-free in the SCTPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.

* CVE-2017-8890: Denial-of-service in TCP and DCCP socket manipulation.

A failure to correctly initialise a structure can result in a double
free, leading to undefined behaviour. A local unprivileged attacker
could use this flaw to cause a denial-of-service or other unspecified
behaviour.

* CVE-2017-14106: Denial-of-service when TCP window scaling is not enabled.

A division-by-zero error occurs when selecting the window size for TCP
over IPv4, resulting in denial-of-service.

* CVE-2017-1000111: Privilege escalation when setting options on AF_PACKET socket.

A missing locking when setting options on AF_PACKET socket could lead to
an out-of-bounds access. A local attacker with CAP_NET_RAW capability,
or on a system with unprivileged namespace enabled, could use this flaw
to cause a denial-of-service or execute arbitrary code.

* CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.

Missing serialization when canceling timer file descriptors could cause
the cancels to race, causing a data race or use-after-free, potentially
resulting in a kernel crash and denial-of-service.

* CVE-2017-1000251: Stack overflow in Bluetooth L2CAP config buffer.

Incorrectly parsing a Bluetooth L2CAP configuration buffer could allow
it to overwrite data on the stack, potentially allowing a remote
attacker to execute arbitrary code in the kernel.

* CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

A logic error when checking the bounds to be read from a netlink socket in
the SCSI could lead to a NULL pointer dereference.  A local user could use
this flaw to cause a denial-of-service.

* CVE-2017-12192: Denial-of-service in the keys subsystem when reading negatively instantiated key.

A missing check when reading a negatively instantiated key could lead to
a kernel crash. A local user with the ability to read keys in the keys
subsystem could use this flaw to cause a denial-of-service or escalate
privileges.

* CVE-2017-15265: Use-after-free in ALSA seq port creation.

Failure to increment a reference count error during creation of an ALSA
seq port can result in a use-after-free. A local user could use this
flaw to escalate privileges.

* CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump.

A failure to handle an error case when dumping IPSEC transform
information via netlink can result in a Kernel crash. A local user with
the ability to administer an IPSEC tunnel could use this flaw to cause a
denial-of-service.

* CVE-2017-1000112: Privilege escalation using the UDP Fragmentation Offload (UFO) code.

Multiple missing checks on headers length when using UDP Fragmentation
Offload (UFO) protocol while sending packets could lead to out-of-bounds
accesses.  A local attacker with CAP_NET_RAW capability, or on a system
with unprivileged namespace enabled, could use this flaw to cause a
denial-of-service or execute arbitrary code.

* Denial-of-service when setting options for RDS over Infiniband socket.

A missing check when setting RDS_GET_MR option for RDS over Infiniband
socket could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.

* CVE-2017-18017: Use-after-free when using TCPMSS Netfilter.

A missing check in the netfilter TCP MSS code could lead to a
use-after-free condition.  A remote attacker could exploit this
to cause a denial of service.

* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.

A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.

* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.

A missing check when freeing resources in Reliable Datagram Sockets
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.

* CVE-2017-17807: Permissions bypass when requesting key on default keyring.

When calling request_key() with no keyring specified, the requested key
is generated and added to the keyring even if the user does not have
write permissions.

* CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.

Incorrect handling of short EFS elements in an L2CAP message could allow
an attacker to leak the contents of kernel memory.

* CVE-2018-1130: Denial-of-service in DCCP message send.

A logic error in the dccp code could lead to a NULL pointer dereference
when transmitting messages, leading to a kernel panic.  An attacker could
use this to cause a denial-of-service.

* CVE-2017-17450: Permission bypass with Passive OS Fingerprinting match module.

A missing permission check when using Passive OS Fingerprinting match
module allows an unprivileged user to modify the global OS fingerprint
list without the proper permissions.

* CVE-2018-6927: Integer overflow when re queuing a futex.

A missing check when calling futex system call with "requeue" option could
lead to an integer overflow. A local attacker could use this flaw to
cause a denial-of-service.

* CVE-2018-8897: Denial-of-service in KVM breakpoint handling.

Incorrect stack management of data watchpoints and breakpoints could
allow an unprivileged user to crash the system.

* CVE-2017-13166: Privilege escalation when using V4L2 ioctls.

Logic errors in multiple V4L2 ioctls could lead to arbitrary execution
of user space defined addresses. A local attacker could use this flaw to escalate
privileges.

* Support in-place patching for ia32entry code.

* Ksplice VMX patching support.

* CVE-2018-3639: Speculative Store Bypass information leak.

A hardware sidechannel with speculative stores could allow a malicious,
unprivileged user to leak the contents of privileged memory.

This update enables the speculative store bypass mitigation by default
when supported microcode is loaded and can be manually enabled/disabled
by writing 1/0 to /proc/sys/vm/ksplice_ssbd_control.  The
/proc/sys/vm/ksplice_ssbd_status file reports the current mitigation
status.

* CVE-2012-6701, CVE-2015-8830: Denial of service in AIO.

Due to a missing length check, a userspace process could potentially
pass a very large IO control block to the kernel. A malicious user
could use this to cause denial of service.

* CVE-2016-8650: NULL pointer dereference in the key management subsystem.

A missing check in the Multiprecision maths library used to implement
RSA digital signature verification could lead to a NULL pointer
dereference. A local user could use this flaw to cause a denial-of-service.

* CVE-2017-7616: Information leak when setting memory policy.

A missing check when setting memory policy through set_mempolicy()
syscall could lead to a stack data leak. A local attacker could use this
flaw to leak information about running kernel and facilitate an attack.

* CVE-2017-7889: Permissions bypass via /dev/mem file.

The mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM
protection mechanism, which allows local users to read or write to
kernel memory locations via an application that opens the /dev/mem file.

* CVE-2017-12190: Denial-of-service in block I/O page merging.

A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.

* CVE-2017-18203: Denial-of-service during device mapper destruction.

A race condition between creation and destruction of device mapper
objects can result in an assertion failure, leading to a kernel crash. A
local user could use this flaw to cause a denial-of-service.

* CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.

A missing check when receiving a forged packet with custom properties
over SCTP socket could lead to a kernel assert. A remote attacker could
use this flaw to cause a denial-of-service.

* CVE-2018-3665: Information leak in floating point registers.

An information leak from floating point registers when lazy FPU context
switching was performed could allow a malicious local user to gain
access to sensitive information across process boundaries.

* CVE-2018-1000004: Use-after-free when using MIDI sequencer ioctl.

A race condition when using MIDI sequencer ioctl could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.

* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.

* CVE-2018-7566: Denial-of-service when initializing ALSA sequence pool.

A race condition when initializing ALSA sequence pool leads to
use-after-free and out-of-bound memory access. An attacker can exploit
this to cause denial-of-service.

* CVE-2018-10901: Privilege escalation in KVM GDT handling.

Missing save and restore of the host GDT could allow a local,
unprivileged user on the guest to crash the system or potentially
escalate privileges through a crafted GDT descriptor.

* CVE-2018-14634: Privilege escalation in ELF executables.

An integer overflow in the argument setup for a new ELF executable could
result in attacker controlled corruption of the user stack when
executing a SUID binary.  A local, unprivileged user could use this flaw
to gain superuser privileges.

* CVE-2018-1120: Denial-of-service when mmapping specifc part of process memory on a slow filesystem.

A missing check when an user mmap() specific part of process memory on a
slow filesystem could lead to delay in accessing those specific part
from kernel side. A local attacker could use this flaw to cause a
denial-of-service.

* CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.

A flaw in terminal fault handling on Intel CPUs could result in
information leaks across privilege boundaries including between
processes on a system or between virtual machines.

Mitigations for these CVEs include disabling SMT (HyperThreading) on
affected Intel CPUs, extra L1 data cache flushing when running virtual
machines when EPT is supported.  Both of these mitigations have workload
dependent performance implications can can be tuned by the
administrator.  This update will immediately enable L1 data cache
flushes on Intel CPUs if KVM is in use.  Where untrusted guests are in
use it is recommended to disable SMT.

SMT disable:

/sys/devices/system/cpu/smt/control: write "on" to enable SMT, "off" to
disable SMT.  Default: on.

L1D flushing:

/sys/module/kvm_intel/parameters/vmentry_l1d_flush, write:
  - "never": disable L1D flushing, leaving CVE-2018-3620 unmitigated but
  no noticeable performance impact
  - "cond": flush only in high risk transfers, mitigates CVE-2018-3620
  with the minimum number of flushes
  - "always": flush on every VM entry, fully mitigates CVE-2018-3620
  with the most overhead.
Default: "always"

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.