From quentin.casasnovas at oracle.com Fri Jul 22 17:36:21 2022
From: quentin.casasnovas at oracle.com (Oracle Ksplice)
Date: Fri, 22 Jul 2022 17:36:21 +0000
Subject: [Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DLA-3065-1)
Message-ID: <3hc1er1n5e-1@phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com>

Synopsis: DLA-3065-1 can now be patched using Ksplice
CVEs: CVE-2018-1108 CVE-2021-39713 CVE-2021-4149 CVE-2022-0494 CVE-2022-0812
      CVE-2022-0854 CVE-2022-1011 CVE-2022-1012 CVE-2022-1016 CVE-2022-1198
      CVE-2022-1199 CVE-2022-1353 CVE-2022-1516 CVE-2022-1729 CVE-2022-1734
      CVE-2022-1974 CVE-2022-1975 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127
      CVE-2022-21166 CVE-2022-2153 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038
      CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 CVE-2022-23960
      CVE-2022-24958 CVE-2022-26490 CVE-2022-26966 CVE-2022-27223 CVE-2022-28356
      CVE-2022-28390 CVE-2022-30594 CVE-2022-32250 CVE-2022-32296 CVE-2022-33981

Systems running Debian 9.0 Stretch can now use Ksplice to patch against the
latest Debian kernel update, DLA-3065-1.


INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0 Stretch
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these
updates will be installed automatically and you do not need to take any
action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2022-1729: Privilege escalation in Performance Events due to improper
  locking.

  Improper locking in the Performance Events implementation when opening a
  performance event and associating it with a task/CPU could result in a
  race condition. A local, unprivileged user could use this flaw for
  privilege escalation.

  Orabug: 34172709

* CVE-2022-1353: Information disclosure in PF_KEYv2 socket subsystem.

  Incorrect initialization of Security Association data structures by the
  PF_KEYv2 socket subsystem could leak previous values stored in that kernel
  memory. A local, unprivileged user can use this to gain access to kernel
  memory and cause a denial-of-service or leak kernel information.

  Orabug: 34135346

* CVE-2022-24958: Use-after-free in USB Gadget file system.

  Incorrect error handling when writing the configuration of the USB Gadget
  file system could lead to a use-after-free. A local attacker could use this
  flaw to cause a denial-of-service or execute arbitrary code.

* Note: Oracle has determined that CVE-2022-1516 is not applicable.

  A flaw in the X.25 network protocol when handling link layer events could
  result in a NULL pointer dereference.

  Oracle has determined that the code in question is not compiled and the
  kernel is thus not affected.

* CVE-2022-26966: Information leak by the USB2NET SR9700 device driver.

  The driver for SR9700 based USB ethernet devices does not correctly
  sanitize packets, allowing badly formatted packets to potentially leak
  information to user space.

* CVE-2021-4149: Denial-of-service in BTRFS file system.

  An improper locking flaw in the BTRFS file system during error handling
  could lead to a deadlock condition. A local user could use this flaw to
  cause a denial-of-service.

* Note: Oracle has determined that CVE-2022-26490 is not applicable.

  A missing error check in connectivity event handling of the ST21NFCA NFC
  driver could result in a buffer overflow.

  Oracle has determined that the kernel is not vulnerable as the code in
  question is not compiled.

* CVE-2022-1011: Use-after-free in FUSE file system.

  A logic flaw in the FUSE file system when writing to the file system device
  could result in a use-after-free. A local user could use this flaw to cause
  a denial-of-service or code execution.

* Note: Oracle has determined that CVE-2022-27223 is not applicable.

  The kernel is not affected by CVE-2022-27223 since the code under
  consideration is not compiled.

* CVE-2022-28356: Denial-of-service in 802.2 LLC type 2 driver.

  A reference counting flaw in socket binding of the 802.2 LLC type 2 driver
  could occur under some error conditions. A local user could use this flaw
  to cause a denial-of-service.

* Note: Oracle will not provide an improved zero-downtime update for
  CVE-2018-1108.

  The current implementation of the fix for CVE-2018-1108 is flawed and can
  cause errors at boot-time. Debian has released an updated version of the
  fix that does not contain this issue. When rebooting, Oracle recommends
  installing the latest Debian Stretch kernel.

* CVE-2022-1016: Information leak in the netfilter subsystem.

  A flaw in the netfilter subsystem results in a use-after-free. This may
  allow a local unprivileged user to cause an information leak, resulting in
  loss of system confidentiality.

* CVE-2022-28390: Code execution in EMS CPC-USB/ARM7 CAN/USB interface.

  A double-free flaw in the data transmission path of the EMS CPC-USB/ARM7
  CAN/USB interface could result in memory leaks and data corruption. A local
  user could use this flaw for a denial-of-service or code execution.

* CVE-2022-1198: Use-after-free in Serial port 6PACK driver.

  A logic flaw in the Serial port 6PACK driver when closing the device could
  lead to a use-after-free. A local user could use this flaw for a
  denial-of-service or code execution.

* CVE-2022-32250: Code execution in Netfilter due to use-after-free.

  A flaw in the nftables API of the Netfilter subsystem when removing
  stateful expressions could result in a use-after-free. A local user could
  use this flaw to cause a denial-of-service or execute arbitrary code.

* CVE-2022-30594: Privilege escalation in Process Trace.

  Lack of validation of the ptrace flags when seizing a process through
  ptrace could be used to disable a seccomp jail. A local, unprivileged user
  could use this flaw to evade a seccomp jail and elevate their privileges.

* Note: Oracle has determined that CVE-2022-23960 is not applicable.

  The kernel is not affected by CVE-2022-23960 since the code under
  consideration is not compiled.

* CVE-2021-39713: Use-after-free in network scheduling subsystem.

  A flaw in the network scheduling subsystem could allow for a reproducible
  use-after-free. A malicious user might exploit this to cause a
  denial-of-service or escalate their privileges.

* CVE-2022-0494: Information disclosure in block layer subsystem.

  A flaw in ioctls of the block layer subsystem could result in improper
  memory initialization. A local user could use this flaw for information
  disclosure.

* CVE-2022-0812: Information leak in NFS RDMA transport.

  The RDMA transport method for NFS RPCs fails to properly calculate the size
  of its headers. This could result in uninitialized kernel data being
  inadvertently transmitted over the network.

* CVE-2022-0854: Information disclosure in DMA subsystem.

  A flaw in the DMA subsystem when creating a mapping for a buffer could
  result in a memory leak. A local user could use this flaw for information
  disclosure.

* Note: Oracle will not provide a zero-downtime update for CVE-2022-32296 or
  CVE-2022-1012.

  CVE-2022-32296 and CVE-2022-1012 describe a flaw in the kernel's port
  selection algorithm caused by using a 32-bit hashtable. This flaw might be
  exploited to cause a denial-of-service or gain information about the
  system's port mapping.

  Oracle has determined that a rebootless patch for these issues would not
  be safe and recommends rebooting.

* CVE-2022-1199: NULL pointer dereference in AX.25 Ham Radio driver.

  A NULL pointer dereference exists in the AX.25 Ham Radio device driver when
  multiple devices attempt to establish connections. A malicious local user
  might exploit this to cause a denial-of-service or escalate their
  privileges.

* Note: Oracle has determined that CVE-2022-1734 is not applicable.

  A use-after-free in the Marvell NFC device driver could cause a kernel
  crash when disconnecting the device.

  Oracle has determined that this kernel is not affected as the code in
  question is not compiled.

* CVE-2022-1974: Race condition when disconnecting NFC device causes DoS.

  Unregistering an NFC device is racy due to improper logic checking whether
  device shutdown is in progress. A malicious local user might exploit this
  to cause a denial-of-service.

* CVE-2022-1975: Denial-of-service in NFC firmware update.

  Incorrect allocation flags when downloading new NFC firmware to a device
  might result in the kernel sleeping in an atomic context, resulting in a
  potential deadlock or denial-of-service.

* CVE-2022-2153: Denial-of-service in Kernel-based Virtual Machine.

  A logic flaw in the Kernel-based Virtual Machine when KVM initializes a
  vCPU without creating an APIC could, in some cases, result in a NULL
  pointer dereference. A local user could use this flaw for a
  denial-of-service.

* Note: Oracle will not provide a zero-downtime update for XSA-396,
  CVE-2022-23040, CVE-2022-23036, CVE-2022-23037, CVE-2022-23038,
  CVE-2022-23039, CVE-2022-23041, and CVE-2022-23042.

  Oracle has determined that patching XSA-396 (CVE-2022-23040,
  CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039,
  CVE-2022-23041, and CVE-2022-23042) would not be safe and recommends a
  reboot if Xen PV frontend devices are used with an untrusted PV backend.
  Hosts without any Xen frontend driver loaded are not affected by this
  issue. According to our audits, our customers are not affected by this
  issue.

* CVE-2022-33981: Denial-of-service in Floppy Disk support.

  A logic flaw in ioctls of Floppy Disk support could result in a
  use-after-free. A local user could use this flaw for a denial-of-service.

* CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166:
  Information leak using processor MMIO stale data.

  A side-channel information leak on some generations of Intel processors
  could allow the leaking of internal microarchitectural buffers when MMIO is
  in use.

  Updated microcode is required for this vulnerability to be mitigated. The
  status of the mitigation can be found using the following command:

  $ cat /sys/devices/system/cpu/vulnerabilities/mmio_stale_data

  And the mitigation can be disabled with the following command:

  $ echo 0 > /sys/kernel/debug/x86/mmio_stale_data_clear


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
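The MMIO stale data entry above is one of several status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities. The following script is an added example, not part of the advisory or of Oracle's tooling: it classifies each entry as mitigated, vulnerable or not affected from the kernel's own status strings and returns a non-zero exit code when anything is still vulnerable (for example when the microcode the advisory mentions is missing), so it can be wired into a fleet check after applying the updates. The directory path is a parameter so the same logic can be exercised against a constructed copy; the status-string prefixes ("Not affected", "Mitigation:", "Vulnerable") are the ones the kernel prints, and anything else is reported as unknown.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): summarise the kernel's
# view of CPU vulnerabilities from sysfs. Works with any POSIX sh.

# Map one sysfs status string to a short class name.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # e.g. "Unknown: No mitigations"
    esac
}

# Print "<name> <class> <raw status>" for every file in the directory
# (default: the real sysfs location). Exit status: 0 when nothing is
# vulnerable, 1 when at least one entry is, 2 when the directory is absent.
report_vulnerabilities() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir (kernel without the vulnerabilities interface?)" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        if [ "$class" = vulnerable ]; then
            rc=1
        fi
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$class" "$status"
    done
    return $rc
}

# Stand-alone use: report the live system (or a directory given as $1).
report_vulnerabilities "$@"
```

On a Stretch host that has taken these Ksplice updates but not the microcode, the mmio_stale_data line is expected to read "Vulnerable: Clear CPU buffers attempted, no microcode" and the script exits 1; once both are in place it reads "Mitigation: Clear CPU buffers" (possibly with an SMT note) and the script exits 0.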
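For the INSTALLING THE UPDATES section, the operator's decision is whether "autoinstall = yes" is set in /etc/uptrack/uptrack.conf or whether /usr/sbin/uptrack-upgrade -y must be run by hand. The script below is an added example and not Oracle's tooling: it reads that setting and prints the resulting action in the advisory's terms. It assumes the key appears as a plain "autoinstall = <value>" line (the advisory shows only that form) and ignores commented-out lines; the file path is a parameter so the logic can be checked against a constructed file.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): does this host still need a
# manual "uptrack-upgrade -y"? Any POSIX sh.

# Print enabled / disabled / missing for the autoinstall key in $1
# (default: the real Uptrack configuration file).
autoinstall_state() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ ! -r "$conf" ]; then
        echo missing
        return 0
    fi
    # Last uncommented "autoinstall = <value>" line wins; trailing comments
    # are dropped and the value is compared case-insensitively.
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" \
            | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$value" = yes ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Print the action the advisory prescribes for the state found.
advise() {
    case "$(autoinstall_state "$1")" in
        enabled)  echo "autoinstall is on: updates install automatically, no action needed" ;;
        disabled) echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y" ;;
        missing)  echo "uptrack.conf not readable: is Ksplice Uptrack installed on this host?" ;;
    esac
}

# Stand-alone use: advise on the live configuration (or a file given as $1).
advise "$@"
```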