[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DLA-2940-1)

Oracle Ksplice quentin.casasnovas at oracle.com
Wed Mar 16 21:02:25 UTC 2022


Synopsis: DLA-2940-1 can now be patched using Ksplice
CVEs: CVE-2020-29374 CVE-2021-0920 CVE-2021-26341 CVE-2021-26401 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-28714 CVE-2021-28715 CVE-2021-29264 CVE-2021-33033 CVE-2021-3640 CVE-2021-3752 CVE-2021-39685 CVE-2021-39686 CVE-2021-39698 CVE-2021-39714 CVE-2021-4002 CVE-2021-4083 CVE-2021-4155 CVE-2021-4202 CVE-2021-43976 CVE-2021-45095 CVE-2022-0001 CVE-2022-0002 CVE-2022-0435 CVE-2022-0487 CVE-2022-0492 CVE-2022-0617 CVE-2022-0847 CVE-2022-24448 CVE-2022-25258 CVE-2022-25375

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian kernel update, DLA-2940-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2021-3640: Privilege escalation in Bluetooth Classic due to use-after-free.

A race condition in the Bluetooth Classic ioctl handlers could lead to a
use-after-free. A privileged local user could use this flaw to cause a
denial-of-service or escalate their privileges on the system.


* CVE-2021-4002: Information disclosure in HugeTLB due to a missing TLB flush.

A missing TLB flush in the HugeTLB implementation could allow a local attacker
to leak or alter data from other processes that use huge pages.


* Note: Oracle has determined that CVE-2020-29374 is not applicable.

CVE-2020-29374 is a flaw when performing a copy-on-write of a memory
page. Oracle has determined that CVE-2020-29374 is not applicable as
the code in question is not compiled.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-28714 (XSA-392) and CVE-2021-28715.

CVE-2021-28714 (XSA-392) and CVE-2021-28715 are both scored CVSSv3 6.5
and are present in the Xen backend driver. Both CVEs allow a guest to force
the backend to hog large amounts of kernel memory, potentially causing a
denial-of-service on the host.

Hosts without the Xen backend driver loaded are not affected by this
issue.

Oracle has determined that patching CVE-2021-28714 (XSA-392) and
CVE-2021-28715 on a running system would not be safe and recommends
a reboot if the Xen backend driver is used.


* CVE-2022-0492: Privilege escalation in Control Groups feature.

A missing capabilities check flaw in the Control Groups feature when
setting release_agent in the initial user namespace could result in
bypassing namespace isolation. A local user could use this flaw to
escalate privilege.


* CVE-2021-0920, CVE-2021-4083: Privilege escalation in BSD Unix domain sockets.

A lack of synchronization in the BSD Unix domain sockets module could
result in a use-after-free. A local user could use this flaw to cause a
denial-of-service or escalate privileges.


* Note: Oracle has determined that CVE-2021-33033 is not applicable.

Oracle has determined that the vulnerability does not affect a running
system for this distribution.

A flaw in the CIPSO and CALIPSO reference counting scheme of the NetLabel
packet labeling framework could lead to a use-after-free. A local user could
use this flaw to execute code or cause a denial-of-service.


* CVE-2021-4155: Data leak in XFS filesystem.

The XFS filesystem does not correctly initialize certain data blocks. This
could allow data leaks to unprivileged users.


* CVE-2021-3752: Use-after-free in the Bluetooth subsystem.

A use-after-free exists in the Bluetooth subsystem in the way a user connects
and disconnects from a socket.  A local unprivileged user could use this flaw
to cause a denial-of-service or potentially escalate privileges.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-28711, CVE-2021-28712 and CVE-2021-28713 (XSA-391).

CVE-2021-28711, CVE-2021-28712 and CVE-2021-28713 (XSA-391) are scored
CVSSv3 6.2 and are present in the Xen hypervisor subsystem. The CVEs
allow a guest to trigger certain interrupts at high frequency, potentially
causing a denial-of-service.

Hosts that don't use the Xen hypervisor subsystem are not affected by
this issue.

Oracle has determined that patching CVE-2021-28711, CVE-2021-28712 and
CVE-2021-28713 (XSA-391) on a running system would not be safe and
recommends a reboot if the Xen hypervisor subsystem is used.


* Note: Oracle has determined that CVE-2021-29264 is not applicable.

Oracle has determined that CVE-2021-29264 is not applicable to x86.
Applying the patch has no resulting changes in the generated object
files.


* CVE-2022-0617: NULL-pointer dereference when processing UDF metadata.

When converting a UDF filesystem control block to its expanded form, an
invalid block could result in a NULL callback being invoked, resulting
in a system crash. A malicious user or filesystem image might exploit
this to cause a denial-of-service.


* CVE-2022-24448: Information leak when NFSv4 directory lookup fails.

If an open is performed with O_DIRECTORY on a regular file mounted over
NFSv4, the returned file descriptor will be uninitialized, potentially
leaking sensitive kernel information.


* CVE-2022-25258: Missing validation of descriptors in USB gadget subsystem.

The USB Gadget subsystem fails to correctly validate OS descriptors
passed to it. Malicious data passed to the system might exploit this to
cause a NULL-pointer dereference and denial-of-service.


* CVE-2022-25375: Information leak in RNDIS message for USB Gadget driver.

The USB Gadget subsystem fails to validate the size of a received
RNDIS_MSG_SET command, potentially allowing for a buffer overrun. A
malicious user might exploit this to leak sensitive information from the
kernel.


* CVE-2022-0847: Privilege escalation in new pipe_buffer implementation.

Uninitialized fields of control structures in the kernel pipe
implementation might allow for writing to read-only pages in the page
cache. A malicious user might be able to exploit this to escalate their
privileges.


* CVE-2021-45095: Denial-of-service in Phone Network protocol due to memory leaks.

A reference counting flaw in the Phone Network protocol functionality
when handling an error condition could lead to memory leaks. A local
user could use this flaw to cause a denial-of-service.


* CVE-2022-0435: Denial-of-service in Transparent Inter-Process Communication protocol.

A buffer overflow flaw in the Transparent Inter-Process Communication
protocol could lead to a crash on systems that have a TIPC bearer
configured. A remote attacker could use this flaw to cause a denial of
service.


* Note: Oracle has determined that CVE-2022-0487 is not applicable.

Oracle has determined that CVE-2022-0487 is not applicable to this
architecture/distribution. Applying the patch results in no changes to
the generated object files.


* CVE-2021-39685: Buffer overrun in USB gadget control request handler.

Failed validation on the size of endpoint 0 buffers in the USB gadget
subsystem could potentially allow a malicious device to corrupt memory.
A user might exploit this to crash the system or escalate their
privileges.


* Note: Oracle has determined that CVE-2021-39686 is not applicable.

Oracle has determined that CVE-2021-39686 is not applicable to this
architecture/distribution. Applying the patch results in no changes to
the generated object files.


* CVE-2021-39698: Use-after-free in file polling interface.

The file polling implementation contains a potential use-after-free when
associated tasks are not correctly woken up. A malicious user might
exploit this to cause a denial-of-service or privilege escalation.


* Note: Oracle has determined that CVE-2021-39714 is not applicable.

Oracle has determined that CVE-2021-39714 is not applicable to this
architecture/distribution. Applying the patch results in no changes to
the generated object files.


* Note: Oracle has determined that CVE-2021-4202 is not applicable.

Oracle has determined that CVE-2021-4202 is not applicable to this
architecture/distribution. Applying the patch results in no changes to
the generated object files.


* CVE-2021-43976: Malicious Marvell mwifiex USB device causes DoS.

Incorrect handling of packet buffers received from a Marvell mwifiex USB
device could result in a kernel assertion failure. A malicious device
might exploit this to crash the kernel.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-0001, CVE-2022-0002, CVE-2021-26401 and CVE-2021-26341.

On the 8th of March 2022, Vrije Universiteit (VU) Amsterdam
researchers, AMD, Ampere, ARM and Intel jointly reported new security
vulnerabilities based on Branch Target Injection (BTI), commonly
called Spectre v2 variants.

The reporters recommend disabling unprivileged BPF to mitigate these
vulnerabilities, and using generic retpoline even on platforms where
eIBRS is available, as well as on certain AMD/Hygon CPUs.

Unprivileged BPF can already be disabled at runtime by setting the
kernel.unprivileged_bpf_disabled sysctl.

If your CPU is affected and is not already using retpoline as the
Spectre V2 mitigation, a reboot into the newest kernel will be
required in order to get the full retpoline mitigations in place.
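As an added example, not part of this advisory or of Ksplice, the following POSIX shell script performs the two checks the preceding paragraphs describe: whether the running kernel reports retpoline as its Spectre v2 mitigation, and whether kernel.unprivileged_bpf_disabled is set. It reads the standard /sys/devices/system/cpu/vulnerabilities/spectre_v2 and /proc/sys/kernel/unprivileged_bpf_disabled interfaces; the function names and the classification labels it prints are this example's own, and the sample status strings in the comments are constructed from typical sysfs output.

```shell
#!/bin/sh
# Added example, not from the Ksplice advisory: report whether the two
# mitigations the advisory mentions (retpoline for Spectre v2, unprivileged
# BPF disabled) are in place on the running kernel and what remains to do.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
UNPRIV_BPF_FILE=/proc/sys/kernel/unprivileged_bpf_disabled

# spectre_v2_status STATUS_LINE
# Classify one spectre_v2 sysfs line, e.g. (constructed samples)
#   "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, ..."
#   "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling"
# Prints: not-affected | vulnerable | retpoline | eibrs-only | other
spectre_v2_status() {
    case "$1" in
        "Not affected")            echo not-affected ;;
        Vulnerable*)               echo vulnerable ;;
        *[Rr]etpoline*)            echo retpoline ;;
        *"Enhanced IBRS"*|*eIBRS*) echo eibrs-only ;;
        *)                         echo other ;;
    esac
}

# unpriv_bpf_status VALUE
# 0 = unprivileged bpf() allowed, 1 = disabled until reboot, 2 = disabled
# but re-enableable (2 exists only on kernels 5.15+; a Debian 9 4.9 kernel
# accepts 0 or 1). Prints "open" or "disabled".
unpriv_bpf_status() {
    case "$1" in
        1|2) echo disabled ;;
        *)   echo open ;;
    esac
}

# assess STATUS_LINE BPF_VALUE
# Combine both checks the way the advisory does: disabling unprivileged BPF
# is a runtime change, getting retpoline needs a boot into the new kernel.
# Prints "<spectre_v2 class>/<bpf class>/<actions>".
assess() {
    v2=$(spectre_v2_status "$1")
    bpf=$(unpriv_bpf_status "$2")
    case "$v2" in
        not-affected|retpoline) action=no-reboot-needed ;;
        *)                      action=reboot-required ;;
    esac
    if [ "$bpf" = open ] && [ "$v2" != not-affected ]; then
        action="$action,disable-unpriv-bpf"
    fi
    echo "$v2/$bpf/$action"
}

# Live check, only when the kernel exposes both interfaces. Reading them
# needs no privilege; the suggested sysctl write needs root.
if [ -r "$SPECTRE_V2_FILE" ] && [ -r "$UNPRIV_BPF_FILE" ]; then
    status=$(cat "$SPECTRE_V2_FILE")
    bpfval=$(cat "$UNPRIV_BPF_FILE")
    echo "spectre_v2: $status"
    echo "kernel.unprivileged_bpf_disabled: $bpfval"
    echo "assessment: $(assess "$status" "$bpfval")"
    if [ "$bpfval" = 0 ]; then
        echo "to disable now:   sysctl -w kernel.unprivileged_bpf_disabled=1"
        echo "to persist:       echo kernel.unprivileged_bpf_disabled=1 > /etc/sysctl.d/99-unpriv-bpf.conf"
    fi
fi
```

Two caveats for anyone acting on the output: on the 4.9 kernel the sysctl accepts only 0 or 1, and once set to 1 it cannot be cleared without a reboot, so any workload that loads BPF programs as an unprivileged user will start failing with EPERM; and a status line that already reads "Not affected" or names retpoline means the Ksplice update alone leaves nothing to reboot for here, whereas an "Enhanced IBRS" or "Vulnerable" line means the reboot the advisory describes is still outstanding.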

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
