[Ksplice][EL6-Updates] New Ksplice updates for OL 6, RHEL 6, CentOS 6, and Scientific Linux 6 (RHSA-2018:2390)

Gregory Herrero gregory.herrero at oracle.com
Thu Sep 27 02:15:06 PDT 2018


Synopsis: RHSA-2018:2390 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-15265 CVE-2018-1000004 CVE-2018-10901 CVE-2018-3620 CVE-2018-3646 CVE-2018-7566

Systems running RHCK on Oracle Linux 6, Red Hat Enterprise Linux 6,
CentOS 6, and Scientific Linux 6 can now use Ksplice to patch against
the latest Red Hat Security Advisory, RHSA-2018:2390.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running OL 6, RHEL 6,
CentOS 6, and Scientific Linux 6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

RHSA-2018:2390 contains a fix for CVE-2018-5390 (SegmentSmack) that Ksplice
will not patch.  Users that require the additional patching of this
vulnerability are recommended to reboot into rhel-2.6.32-754.3.5.el6 or later.

RHSA-2018:2390 also contains fixes for CVE-2018-3620 and CVE-2018-3646 in the
32-bit PAE kernel that Ksplice will not patch.  Users of the PAE kernel who
require patching of these vulnerabilities are recommended to reboot into
rhel-2.6.32-754.3.5.el6 or later.

DESCRIPTION

* CVE-2018-1000004: Use-after-free when using MIDI sequencer ioctl.

A race condition when using MIDI sequencer ioctl could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* CVE-2017-15265: Use-after-free in ALSA seq port creation.

A missing reference count increment during creation of an ALSA seq port
can result in a use-after-free. A local user could use this flaw to
escalate privileges.


* CVE-2018-7566: Denial-of-service when initializing the ALSA sequencer pool.

A race condition when initializing the ALSA sequencer pool leads to a
use-after-free and out-of-bounds memory access. A local attacker could
exploit this to cause a denial-of-service.


* CVE-2018-10901: Privilege escalation in KVM GDT handling.

Missing save and restore of the host GDT could allow a local,
unprivileged user on the guest to crash the system or potentially
escalate privileges through a crafted GDT descriptor.


* CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under L1 terminal fault.

A flaw in L1 terminal fault (L1TF) handling on Intel CPUs could result in
information leaks across privilege boundaries, including between
processes on a system (CVE-2018-3620) and between virtual machines and
their host (CVE-2018-3646).

Mitigations for these CVEs include disabling SMT (HyperThreading) on
affected Intel CPUs and flushing the L1 data cache on VM entry when
running virtual machines with EPT enabled.  Both of these mitigations
have workload-dependent performance costs and can be tuned by the
administrator.  This update immediately enables L1 data cache flushes on
Intel CPUs if KVM is in use.  Where untrusted guests are run it is
recommended to also disable SMT, since a guest on one hyperthread can
otherwise observe L1 data cache contents left by its sibling thread.

SMT disable:

/sys/devices/system/cpu/smt/control: write "on" to enable SMT, "off" to
disable SMT.  Default: on.

L1D flushing:

/sys/module/kvm_intel/parameters/vmentry_l1d_flush, write:
  - "never": disable L1D flushing, leaving the guest-to-host variant
  (CVE-2018-3646) unmitigated but with no noticeable performance impact
  - "cond": flush only on high risk VM entries, mitigating CVE-2018-3646
  with the minimum number of flushes
  - "always": flush on every VM entry, fully mitigating CVE-2018-3646
  with the most overhead.
Default: "always"
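The following script is an added example and is not part of the advisory or
of Ksplice.  It reads the two knobs named above, combines them into one
verdict, and prints the write that would close the gap.  It assumes the
sysfs paths exactly as listed in the advisory; the SYSROOT prefix, the
script name l1tf-check.sh and the "report" argument are conventions of this
example only, there so the same functions can be exercised against a
constructed copy of the sysfs tree.

```shell
#!/bin/sh
# Added example (not from the Ksplice advisory): audit the L1TF knobs the
# advisory describes and give one verdict for the SMT / L1D-flush pair.
# SYSROOT (default empty, i.e. the live system) is prefixed to every path so
# the checks can run against a constructed sysfs tree.  On a host run:
#   sh l1tf-check.sh report
# Script name, SYSROOT and the "report" argument are this example's own.

SYSROOT="${SYSROOT:-}"

SMT_CTRL=/sys/devices/system/cpu/smt/control
L1D_FLUSH=/sys/module/kvm_intel/parameters/vmentry_l1d_flush

# Print the first line of a sysfs/module file, or "absent" when it is not
# readable (kvm_intel not loaded, or a kernel without the knob).
read_knob() {
    f="$SYSROOT$1"
    if [ -r "$f" ]; then
        head -n 1 "$f"
    else
        echo absent
    fi
}

# l1tf_verdict SMT_STATE FLUSH_MODE  ->  prints exactly one of:
#   no-kvm       kvm_intel is not loaded; the guest-to-host variant does not apply
#   unmitigated  vmentry_l1d_flush=never: a guest can read stale host L1D lines
#   smt-risk     flushing is on but SMT is on (or unknown): a guest on the
#                sibling hyperthread can still observe the other thread's L1D
#   mitigated    flushing is on and SMT is off, forceoff or not supported
l1tf_verdict() {
    smt="$1"
    flush="$2"
    if [ "$flush" = absent ]; then
        echo no-kvm
    elif [ "$flush" = never ]; then
        echo unmitigated
    elif [ "$smt" = on ] || [ "$smt" = absent ]; then
        echo smt-risk
    else
        echo mitigated
    fi
}

# Print the current values plus the verdict; return 1 when action is needed
# and show the write from the advisory that would fix it.
l1tf_report() {
    smt=$(read_knob "$SMT_CTRL")
    flush=$(read_knob "$L1D_FLUSH")
    verdict=$(l1tf_verdict "$smt" "$flush")
    printf 'smt/control=%s vmentry_l1d_flush=%s verdict=%s\n' \
        "$smt" "$flush" "$verdict"
    case "$verdict" in
        unmitigated)
            echo "fix: echo cond > $SYSROOT$L1D_FLUSH   (or always)"
            return 1 ;;
        smt-risk)
            echo "fix: echo off > $SYSROOT$SMT_CTRL   (if guests are untrusted)"
            return 1 ;;
    esac
    return 0
}

case "${1:-}" in
    report) l1tf_report ;;
esac
```

The verdict deliberately treats a missing smt/control file as a risk rather
than as safe: on a kernel that predates the knob there is no way to confirm
SMT is off, and the advisory's recommendation for untrusted guests is that it
is.  The non-zero exit from `l1tf_report` makes the script usable from a
config-management run or a cron job that pages when a host drifts back to
SMT on.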

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
