[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DLA-3065-1)

Oracle Ksplice quentin.casasnovas at oracle.com
Fri Jul 22 17:36:21 UTC 2022


Synopsis: DLA-3065-1 can now be patched using Ksplice
CVEs: CVE-2018-1108 CVE-2021-39713 CVE-2021-4149 CVE-2022-0494 CVE-2022-0812 CVE-2022-0854 CVE-2022-1011 CVE-2022-1012 CVE-2022-1016 CVE-2022-1198 CVE-2022-1199 CVE-2022-1353 CVE-2022-1516 CVE-2022-1729 CVE-2022-1734 CVE-2022-1974 CVE-2022-1975 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127 CVE-2022-21166 CVE-2022-2153 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 CVE-2022-23960 CVE-2022-24958 CVE-2022-26490 CVE-2022-26966 CVE-2022-27223 CVE-2022-28356 CVE-2022-28390 CVE-2022-30594 CVE-2022-32250 CVE-2022-32296 CVE-2022-33981

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian kernel update, DLA-3065-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2022-1729: Privilege escalation in Performance Events due to improper locking.

Improper locking in the Performance Events implementation when opening
and associating a performance event to a task/CPU could result in a race
condition. A local, unprivileged user could use this flaw for privilege
escalation.

Orabug: 34172709


* CVE-2022-1353: Information disclosure in PF_KEYv2 socket subsystem.

An incorrect initialization of Security Association data structures by the
PF_KEYv2 socket subsystem could leak previous values stored in that kernel
memory. A local, unprivileged user can use this to gain access to kernel memory
and cause a denial-of-service or leak kernel information.

Orabug: 34135346


* CVE-2022-24958: Use-after-free in USB Gadget file system.

Incorrect error handling when writing the configuration of the USB Gadget
file system could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service or execute arbitrary code.


* Note: Oracle has determined that CVE-2022-1516 is not applicable.

A flaw in the X.25 network protocol when handling link layer events
could result in NULL pointer dereference. Oracle has determined that the
code in question is not compiled and the kernel is thus not affected.


* CVE-2022-26966: Information leak by the USB2NET SR9700 device driver.

The driver for SR9700 based USB ethernet devices does not correctly sanitize
packets allowing badly formatted packets to potentially leak information to
user space.


* CVE-2021-4149: Denial-of-service in BTRFS file system.

An improper locking flaw in the BTRFS file system during error handling
could lead to a deadlock condition. A local user could use this flaw
to cause a denial-of-service.


* Note: Oracle has determined that CVE-2022-26490 is not applicable.

A missing error check in connectivity event handling of the ST21NFCA
NFC driver could result in a buffer overflow. Oracle has determined that
the kernel is not vulnerable as the code in question is not compiled.


* CVE-2022-1011: Use-after-free in FUSE file system.

A logic flaw in the FUSE file system when writing to the file system device
could result in a use-after-free. A local user could use this flaw to
cause a denial-of-service or code execution.


* Note: Oracle has determined that CVE-2022-27223 is not applicable.

The kernel is not affected by CVE-2022-27223 since the code under
consideration is not compiled.


* CVE-2022-28356: Denial-of-service in 802.2 LLC type 2 driver.

A reference counting flaw in socket binding of the 802.2 LLC type 2
driver could occur under some error conditions. A local user could use
this flaw to cause a denial-of-service.


* Note: Oracle will not provide an improved zero-downtime update for CVE-2018-1108.

The current implementation of the fix for CVE-2018-1108 is flawed and
can cause errors at boot-time. Debian has released an updated version of
the fix that does not contain this issue. When rebooting, Oracle
recommends installing the latest Debian Stretch kernel.


* CVE-2022-1016: Information leak in the netfilter subsystem.

A flaw in the netfilter subsystem results in a use-after-free. This may
allow a local unprivileged user to cause an information leak,
resulting in loss of system confidentiality.


* CVE-2022-28390: Code execution in EMS CPC-USB/ARM7 CAN/USB interface.

A double-free flaw in the data transmission path of the EMS CPC-USB/ARM7
CAN/USB interface could result in memory leaks and data corruption. A local
user could use this flaw for a denial-of-service or code execution.


* CVE-2022-1198: Use-after-free in Serial port 6PACK driver.

A logic flaw in the Serial port 6PACK driver when closing the device
could lead to a use-after-free. A local user could use this flaw for
denial-of-service or code execution.


* CVE-2022-32250: Code execution in Netfilter due to use-after-free.

A flaw in nftables API of the Netfilter subsystem when removing stateful
expressions could result in a use-after-free. A local user could use
this flaw to cause a denial-of-service or execute arbitrary code.


* CVE-2022-30594: Privilege escalation in Process Trace.

Lack of validation of the ptrace flags when seizing a process through
ptrace could be used to disable a seccomp jail. A local, unprivileged
user could use this flaw to evade a seccomp jail and elevate their
privileges.


* Note: Oracle has determined that CVE-2022-23960 is not applicable.

The kernel is not affected by CVE-2022-23960 since the code under
consideration is not compiled.


* CVE-2021-39713: Use-after-free in network scheduling subsystem.

A flaw in the network scheduling subsystem could allow for a
reproducible use-after-free. A malicious user might exploit this to
cause a denial-of-service or escalate their privileges.


* CVE-2022-0494: Information disclosure in block layer subsystem.

A flaw in ioctls of the block layer subsystem could result in improper
memory initialization. A local user could use this flaw for information
disclosure.


* CVE-2022-0812: Information leak in NFS RDMA transport.

The RDMA transport method for NFS RPCs fails to properly calculate the
size of its headers. This could result in uninitialized kernel data
being inadvertently transmitted over the network.


* CVE-2022-0854: Information disclosure in DMA subsystem.

A flaw in the DMA subsystem when creating a mapping for a buffer could
result in a memory leak. A local user could use this flaw for
information disclosure.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-32296 or CVE-2022-1012.

CVE-2022-32296 and CVE-2022-1012 describe a flaw in the kernel's port
selection algorithm caused by using a 32-bit hashtable. This flaw might
be exploited to cause a denial-of-service or gain information about the
system's port mapping. Oracle has determined that a rebootless patch for
these issues would not be safe and recommends rebooting.


* CVE-2022-1199: Null-pointer dereference in AX.25 Ham Radio driver.

A NULL-pointer dereference exists in the AX.25 Ham Radio device driver
when multiple devices attempt to establish connections. A malicious
local user might exploit this to cause a denial-of-service or escalate
their privileges.


* Note: Oracle has determined that CVE-2022-1734 is not applicable.

A use-after-free in the Marvell NFC device driver could cause a kernel
crash when disconnecting the device. Oracle has determined that this
kernel is not affected as the code in question is not compiled.


* CVE-2022-1974: Race condition when disconnecting NFC device causes DoS.

Unregistering an NFC device is racy due to improper logic checking
whether device shutdown is in progress. A malicious local user might
exploit this to cause a denial-of-service.


* CVE-2022-1975: Denial-of-service in NFC firmware update.

Incorrect allocation flags when downloading new NFC firmware to a device
might result in the kernel sleeping in an atomic context, resulting in a
potential deadlock or denial-of-service.


* CVE-2022-2153: Denial-of-service in Kernel-based Virtual Machine.

A logic flaw in the Kernel-based Virtual Machine, in some cases when KVM
initializes a vCPU without creating an APIC, could result in a NULL pointer
dereference. A local user could use this flaw for a denial-of-service.


* Note: Oracle will not provide a zero-downtime update for XSA-396, CVE-2022-23040, CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039, CVE-2022-23041, and CVE-2022-23042.

Oracle has determined that patching XSA-396 (CVE-2022-23040,
CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039,
CVE-2022-23041, and CVE-2022-23042) would not be safe and recommends
a reboot if Xen PV frontend devices are used with an untrusted PV
backend.

Hosts without any Xen frontend driver loaded are not affected by this
issue.

According to our audits, our customers are not affected by this
issue.


* CVE-2022-33981: Denial-of-service in Floppy Disk support.

A logic flaw in ioctls of Floppy Disk support could result in a
use-after-free. A local user could use this flaw for a denial-of-service.


* CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166: Information leak using processor MMIO stale data.

A side-channel information leak on some generations of Intel
processors could allow the leaking of internal microarchitectural
buffers when MMIO is in use.

Updated microcode is required for this vulnerability to be mitigated.

The status of the mitigation can be found using the following command:
$ cat /sys/devices/system/cpu/vulnerabilities/mmio_stale_data

And the mitigation can be disabled with following command:
$ echo 0 > /sys/kernel/debug/x86/mmio_stale_data_clear
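As an added example (not part of the Ksplice advisory), a small POSIX shell helper that reads the sysfs file named above and classifies the kernel's report, flagging the "no microcode" case the advisory calls out. The status strings are the ones the kernel documents for this file; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Ksplice advisory. Classifies the kernel's
# mmio_stale_data report (strings per the kernel's hw-vuln documentation
# for this file) so a fleet check can tell "mitigated" from "microcode
# missing" instead of just printing the raw line.

MMIO_SYSFS=/sys/devices/system/cpu/vulnerabilities/mmio_stale_data

# mmio_status STRING
# Prints one of: not-affected, mitigated, no-microcode, vulnerable, unknown.
# The "no microcode" pattern is tested before the generic "Vulnerable"
# pattern because that report starts with "Vulnerable:" too.
mmio_status() {
    case "$1" in
        "Not affected"*)   echo not-affected ;;
        "Mitigation:"*)    echo mitigated ;;
        *"no microcode"*)  echo no-microcode ;;
        "Vulnerable"*)     echo vulnerable ;;
        *)                 echo unknown ;;
    esac
}

# check_host
# Reads the live sysfs file and returns 0 only when the host is either
# not affected or actively mitigated; 1 when action is still needed
# (typically a microcode update, as the advisory states); 2 when the
# running kernel does not report this vulnerability at all.
check_host() {
    if [ ! -r "$MMIO_SYSFS" ]; then
        echo "$MMIO_SYSFS: absent (kernel has no MMIO stale data reporting)"
        return 2
    fi
    status=$(cat "$MMIO_SYSFS")
    class=$(mmio_status "$status")
    echo "$MMIO_SYSFS: $status -> $class"
    case "$class" in
        not-affected|mitigated) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Run the live check only when explicitly asked, e.g. ./mmio_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

A non-zero exit from `check_host` with class `no-microcode` means the kernel patch is in place but the CPU microcode update the advisory requires has not been applied.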

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





More information about the Ksplice-Debian-9.0-Updates mailing list