[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DLA-2843-1)

Oracle Ksplice quentin.casasnovas at oracle.com
Tue Jan 4 22:07:15 UTC 2022


Synopsis: DLA-2843-1 can now be patched using Ksplice
CVEs: CVE-2016-7097 CVE-2020-16119 CVE-2020-29374 CVE-2020-3702 CVE-2021-0920 CVE-2021-20317 CVE-2021-20321 CVE-2021-20322 CVE-2021-22543 CVE-2021-3491 CVE-2021-3573 CVE-2021-3612 CVE-2021-3653 CVE-2021-3655 CVE-2021-3656 CVE-2021-3679 CVE-2021-37159 CVE-2021-3732 CVE-2021-3753 CVE-2021-37576 CVE-2021-3760 CVE-2021-38160 CVE-2021-38198 CVE-2021-38199 CVE-2021-38204 CVE-2021-38205 CVE-2021-40490 CVE-2021-41864 CVE-2021-42008 CVE-2021-42739 CVE-2021-43389

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian kernel update, DLA-2843-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
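As an added example that is not part of the Ksplice announcement, the POSIX shell script below reads the "autoinstall" setting from an uptrack.conf-style file and reports whether the DLA-2843-1 updates will be applied automatically or whether the manual uptrack-upgrade run is needed. The sample configuration files are constructed; the only assumption about the real file's format is the "autoinstall = yes" line quoted above.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement: read the autoinstall
# setting from an uptrack.conf-style file and report whether the DLA-2843-1
# updates install on their own or need a manual "uptrack-upgrade -y".
# Only the "autoinstall = yes" line quoted in the announcement is assumed.

# Print the value of <key> from <conf_file>, skipping comment lines and
# ignoring surrounding whitespace and letter case.  Last match wins.
uptrack_conf_get() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    awk -v k="$key" '
        /^[[:space:]]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(name) == tolower(k)) found = tolower(val)
        }
        END { if (found == "") exit 1; print found }
    ' "$conf"
}

# Return 0 when autoinstall is on (Ksplice applies the updates itself),
# 1 when the administrator must run /usr/sbin/uptrack-upgrade -y by hand.
autoinstall_enabled() {
    v=$(uptrack_conf_get "$1" autoinstall) || return 1
    [ "$v" = "yes" ]
}

# Constructed sample files (not copied from a real host) for a self-check.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/auto.conf" <<'EOF'
# constructed uptrack.conf with automatic installation enabled
autoinstall = yes
EOF
cat > "$SAMPLE_DIR/manual.conf" <<'EOF'
# constructed uptrack.conf: default left commented out, explicitly off
#autoinstall = yes
autoinstall = no
EOF
if autoinstall_enabled "$SAMPLE_DIR/auto.conf"; then
    echo "auto.conf: DLA-2843-1 updates will be installed automatically"
fi
autoinstall_enabled "$SAMPLE_DIR/manual.conf" ||
    echo "manual.conf: run /usr/sbin/uptrack-upgrade -y to apply DLA-2843-1"
rm -rf "$SAMPLE_DIR"
```

Point uptrack_conf_get at /etc/uptrack/uptrack.conf on a real host to check its actual setting.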


DESCRIPTION

* Note: Oracle has determined that CVE-2021-37576 is not applicable.

Oracle has determined that CVE-2021-37576 is not applicable to x86.
Applying the patch has no resulting changes in the generated object
files.


* CVE-2021-38199: Denial-of-service in NFS due to incorrect connection-setup ordering.

An incorrect connection-setup ordering flaw in the Network File System
(NFS) implementation could allow an NFS server operator to cause a denial
of service by arranging for the server to be unreachable during trunking
detection.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-3573.

Improper handling of HCI device detach events in the Bluetooth subsystem
could lead to a use-after-free. A privileged local user could use this
flaw to cause a denial-of-service or possibly execute arbitrary code.

CVE-2021-3573 affects the Bluetooth subsystem only, and exploiting it
would require CAP_NET_ADMIN privileges.

Oracle has determined that patching CVE-2021-3573 on a running system
would not be safe and therefore recommends that affected hosts reboot
into the newest Oracle UEKR6 kernel to mitigate this vulnerability.


* Note: Oracle has determined that CVE-2021-38205 is not applicable.

The kernel is not affected by CVE-2021-38205 since the code under
consideration is not compiled.


* CVE-2020-3702: Information disclosure in Atheros Wireless Card drivers.

A race condition flaw in the layer 2 Wi-Fi encryption of the Atheros
Wireless Card drivers could result in improper encryption. Specifically
crafted traffic sent by a remote attacker could cause information
disclosure.


* CVE-2021-40490: Race condition in ext4 subsystem.

A logic error in the ext4 subsystem may lead to a race condition. This
may allow a local attacker to undermine system integrity and possibly
execute arbitrary code.


* CVE-2021-42008: Out-of-bounds access in Serial port 6PACK driver.

A missing validation check in the data decoding of the Serial port 6PACK
driver could lead to an out-of-bounds write. A local privileged user
could use this flaw to cause a denial-of-service or execute arbitrary
code.


* CVE-2021-22543: Privilege escalation in KVM due to RO page check bypass.

The reference counts of VM_IO|VM_PFNMAP pages can be manipulated to
cause a deliberate use-after-free. This can be manipulated to cause
writes to arbitrary memory pages, allowing a malicious user with the
ability to create virtual machines to escalate their privileges.


* CVE-2021-3612: Privilege escalation in joystick subsystem due to out-of-bounds write access.

Improper data validation in the ioctls of the joystick device subsystem
could lead to an out-of-bounds memory write. A local user could use this
flaw to cause a denial-of-service or escalate their privileges.


* CVE-2021-3655: Information disclosure in the SCTP Network subsystem.

Missing input validation in the SCTP networking subsystem may lead to
reading of uninitialized data. This may allow an attacker on the local
area network to cause an information disclosure.


* CVE-2021-3753: Information disclosure in virtual terminal device.

A race condition flaw in the ioctl handling of the virtual terminal
device implementation could lead to out-of-bounds reads. A local user
could use this flaw for information disclosure.


* Note: Oracle has determined that CVE-2020-29374 is not applicable.

CVE-2020-29374 is a flaw when performing a copy-on-write of a memory
page. Oracle has determined that CVE-2020-29374 is not applicable as
the code in question is not compiled.


* Note: Oracle has determined that CVE-2021-38204 is not applicable.

The kernel is not affected by CVE-2021-38204 since the code under
consideration is not compiled.


* CVE-2021-3679: Denial-of-service in kernel tracing subsystem.

A logic error when constructing certain calls to the kernel tracing
subsystem may lead to an infinite loop. This may allow a privileged local
user to cause a denial-of-service.


* Cache invalidation error in OCFS2 subsystem when reading ACLs.

A logic error whilst invalidating cached directory ACLs in the OCFS2
subsystem may end up reading stale ACL data. This may lead to incorrect
permissions being used.


* CVE-2020-16119: Use-after-free when reusing a DCCP socket.

A logic error in pointer handling when reusing a DCCP socket could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service or escalate privileges.


* CVE-2021-3491: Denial-of-service due to limit enforcement issues in io_uring.

A local user could leverage inadequate enforcement of buffer size limits in
some io_uring code paths to cause a denial-of-service or potentially execute
arbitrary code.


* CVE-2021-3656, CVE-2021-3653: Privilege escalation in the AMD SVM L2 guests handling.

Multiple security bypasses potentially allow L2 guests to read/write host
physical memory.  An untrusted L1 guest running on certain AMD CPUs could
use these flaws to run with full ring zero privileges.


* CVE-2021-38160: Buffer overflow in virtual console.

A logic error in the virtual console subsystem may lead to a buffer
overflow. This may allow an untrusted device to corrupt data.


* CVE-2021-3732: Information disclosure in OverlayFS when mounting a filesystem.

A logic flaw in the mounting functionality of the OverlayFS subsystem
could allow an unprivileged local user with permission to mount a
filesystem to access hidden files that should not be accessible in the
original mount. An unprivileged local attacker could use this flaw for
information disclosure.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-20317.

CVE-2021-20317 is a flaw in the timerqueue system that could allow a
malicious privileged user to cause a denial-of-service and has been
assigned a 4.4 CVSS score. Oracle has determined that creating a
rebootless update for this issue would not be safe and recommends
rebooting to avoid the update.


* CVE-2021-37159: Code execution in Option USB High Speed Mobile device driver.

Improper error handling during device initialization in Option USB High
Speed Mobile device driver could lead to a use-after-free and a double
free. A local user could use this flaw to cause a denial-of-service or
possibly execute arbitrary code.


* CVE-2021-38198: Denial-of-service when using shadow paging with KVM guests.

A missing check when using shadow paging with KVM guests could lead to a
page fault. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2021-0920: Privilege escalation in BSD Unix domain sockets.

Lack of synchronization in the BSD Unix domain sockets module could
result in a use-after-free. A local user could use this flaw to cause a
denial-of-service or privilege escalation.


* CVE-2016-7097: Permissions bypass using setxattr syscall on GFS2.

A logic error when inheriting an access control list from a parent
directory after setting an extended attribute on the GFS2 filesystem
could lead to a permission bypass. A local attacker could use this
flaw to access sensitive information.


* CVE-2021-20321: Race condition in OverlayFS.

A possible race condition exists in overlayfs that may be triggered
when a user renames a file.  A local user could use this flaw to cause
a denial-of-service.


* CVE-2021-41864: Out-of-bounds memory write in BPF subsystem.

A logic error whilst calculating the size of stack maps in BPF programs
may lead to an out-of-bounds memory write. This may allow a local user
to cause a denial-of-service or possibly leak privileged information.


* Note: Oracle has determined that CVE-2021-3760 is not applicable.

Oracle has determined that CVE-2021-3760 is not applicable as the
code in question is not compiled.


* CVE-2021-43389: Out-of-bounds access in ISDN CAPI due to a race condition.

A race condition in the kernel CAPI interface of the ISDN CAPI
implementation could result in an out-of-bounds access. A privileged
local user could use this flaw to cause a denial-of-service or execute
arbitrary code.


* CVE-2021-20322: Information leak in IPv4 ICMP exception cache.

The IPv4 ICMP exception cache uses a hash table that is vulnerable to
brute force attacks. A malicious remote user might exploit this to learn
which UDP ports are in use on the system, potentially opening other
attack vectors.


* CVE-2021-42739: Buffer overflow in FireDTV firewire DVB receiver driver.

The FireDTV firewire DVB receiver driver contains a buffer overflow when
processing a Program Map Table entry. A malicious device might exploit
this to overwrite memory and cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
