[Ksplice][EL7-Updates] New Ksplice updates for OL 7, RHEL 7, CentOS 7, and Scientific Linux 7 (RHSA-2017:1842)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Aug 10 01:19:45 PDT 2017


Synopsis: RHSA-2017:1842 can now be patched using Ksplice

CVEs:
CVE-2014-7970 CVE-2014-7975 CVE-2015-8970 CVE-2016-10088 CVE-2016-10200
CVE-2016-3713 CVE-2016-6213 CVE-2016-7042 CVE-2016-7097 CVE-2016-8645
CVE-2016-9576 CVE-2016-9588 CVE-2016-9604 CVE-2016-9685 CVE-2016-9806
CVE-2017-2596 CVE-2017-2647 CVE-2017-2671 CVE-2017-5970 CVE-2017-6001
CVE-2017-6951 CVE-2017-7187 CVE-2017-7616 CVE-2017-7889 CVE-2017-8797
CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
CVE-2017-9242

Systems running RHCK on Oracle Linux 7, Red Hat Enterprise Linux 7,
CentOS 7, and Scientific Linux 7 can now use Ksplice to patch against
the latest Red Hat Security Advisory, RHSA-2017:1842.

NOTICE

Ksplice will not be providing zero-downtime updates for CVE-2015-8839,
CVE-2015-8970 and CVE-2016-10147. Customers requiring fixes for these
issues should reboot into 3.10.0-693.el7 or later. CVE-2016-10147 may be
mitigated by blacklisting the "mcryptd" kernel module from loading.
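The NOTICE leaves the administrator two options for CVE-2016-10147. The following script, an added example that is not part of the Ksplice advisory, checks which one still applies to an EL7 RHCK host: it compares the running kernel against 3.10.0-693.el7, checks whether mcryptd is already resident (a blacklist never unloads a loaded module), and prints the modprobe.d stanza for the blacklist option. It assumes GNU sort -V, awk, and a readable /proc/modules.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory: decide whether a host
# still needs the NOTICE's workaround for CVE-2016-10147 (reboot into
# 3.10.0-693.el7 or later, or keep mcryptd from loading) and print the
# modprobe.d stanza for the second option. Assumes GNU sort -V and awk.

FIXED_KERNEL="3.10.0-693.el7"   # kernel named in the advisory's NOTICE

# kernel_at_least RUNNING WANTED: succeeds when RUNNING is WANTED or newer.
# sort -V orders 3.10.0-514.el7 < 3.10.0-693.el7 < 3.10.0-693.11.1.el7.
kernel_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# module_loaded NAME [MODULES_FILE]: succeeds when NAME is in the first
# column of /proc/modules. A blacklist never unloads a module that is
# already resident, so this check decides whether a reboot is still needed.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# Stanza for /etc/modprobe.d/mcryptd.conf. "blacklist" only stops
# alias-based autoloading; the "install" line also makes an explicit
# "modprobe mcryptd" (and loading as a dependency) fail, so modules that
# need mcryptd, such as the multi-buffer *_mb hash drivers, stop loading too.
mcryptd_blacklist_conf() {
    printf 'blacklist mcryptd\ninstall mcryptd /bin/false\n'
}

# Verdict for the running host; writing the stanza is left to root.
report() {
    running=$(uname -r)
    if kernel_at_least "$running" "$FIXED_KERNEL"; then
        echo "kernel $running already carries the CVE-2016-10147 fix"
    elif [ -r /proc/modules ] && module_loaded mcryptd; then
        echo "kernel $running is vulnerable and mcryptd is loaded: reboot into $FIXED_KERNEL or later"
    else
        echo "kernel $running is vulnerable; write this to /etc/modprobe.d/mcryptd.conf:"
        mcryptd_blacklist_conf
    fi
}

report
```

After writing the stanza, confirm with `modprobe -n -v mcryptd` that the install line is picked up; the version comparison is only meaningful on an EL7 RHCK kernel, since any other release string larger than 3.10.0-693.el7 also passes.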

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running OL 7, RHEL 7,
CentOS 7, and Scientific Linux 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-7970: Memory corruption when using pivot_root.

A flaw in the pivot_root syscall leads to a corruption of the mount tree
when it is called with a directory outside a chroot. A local user could use
this flaw to cause memory corruption and likely a denial-of-service.


* CVE-2015-8970: Denial-of-service when accepting userspace cryptographic sockets.

A logic error in the kernel cryptographic subsystem can allow an
unprivileged user to trigger a denial-of-service by calling accept(2) on
a PF_ALG socket before setting a cryptographic key.


* CVE-2016-10200: Denial-of-service when creating L2TP sockets from concurrent threads.

A missing check when creating an L2TP socket could lead to a use-after-free
if a concurrent thread modifies the socket's flags while it is being created.
An attacker could use this flaw to cause a denial-of-service.


* CVE-2016-3713: Privilege escalation in KVM MTRR emulation.

Incorrect validation of emulated MTRR MSRs can allow a guest VM to read
and write memory in the KVM host. This may allow a privileged guest to
gain code execution in the KVM host.


* CVE-2016-7042: Stack corruption when reading keys from proc filesystem.

An on-stack buffer is not big enough to hold the data being written to it
when reading keys from the proc filesystem, potentially leading to a kernel
panic when the stack protector is in use. A local, unprivileged user could
use this flaw to cause a denial-of-service.


* CVE-2016-8645: Denial-of-service when receiving TCP packets.

When collapsing multiple socket buffers into one, a bug in the code
could result in a kernel panic. A remote attacker could trigger this by
sending specially crafted packets and cause a denial-of-service.


* CVE-2016-10088, CVE-2016-9576: Use-after-free in SCSI device interface.

Incorrect validation of sendfile arguments can cause a use-after-free in
the SCSI subsystem. A local user with access to /dev/sg* devices could
use this flaw to read kernel memory or escalate privileges.


* CVE-2016-9588: Denial-of-service in Intel nested VMX exception handling.

Failure to handle exceptions thrown by an L2 guest could result in a
kernel crash. A malicious guest could use this flaw to crash the
virtualization host.


* CVE-2016-9604: Permission bypass when creating a key using the keyring subsystem.

A missing check when a user creates a key whose name begins with '.' could
lead to a permission bypass. A local attacker could use this flaw to access
sensitive information.


* CVE-2016-9685: Memory leak in XFS filesystem operations.

Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the
Linux kernel before 4.5.1 allow local users to cause a denial of service
(memory consumption) via crafted XFS filesystem operations.


* CVE-2016-7097: Permission bypass in Overlay filesystem when setting POSIX ACLs.

A logic error when setting POSIX ACLs in the Overlay filesystem causes
the set-group-ID bit not to be cleared. A local, unprivileged user could
use this flaw to escalate privileges.


* CVE-2016-6213: Denial-of-service when bind mounting filesystems.

A missing limit could cause an overflow of the mount table. A user with
mount permissions could cause a denial-of-service by bind mounting many
filesystems and overflowing the mount table.


* CVE-2016-9806: Use after free in netlink dump interface.

Incorrect locking in the generic netlink interface can cause a use after
free and kernel panic when attempting to dump multiple interfaces
concurrently.


* CVE-2017-2596: Memory leak in KVM VMXON emulated instruction.

When processing a VMXON instruction for a guest machine, the reference
count of the emulated VMXON memory region could be over-incremented,
resulting in a leak of the region and eventual denial-of-service.


* CVE-2017-2647: Denial-of-service when invoking the request_key() syscall.

A missing check in the request_key() syscall could lead to a NULL pointer
dereference. A local unprivileged user could use this flaw to cause a
denial-of-service.


* CVE-2017-2671: Use-after-free in ping implementation.

A race condition in the kernel ping implementation can result in a
use-after-free. A local attacker with access to ping sockets could use
this flaw to cause a kernel crash or escalate privileges.


* CVE-2017-5970: Denial-of-service in IPv4 options field handling.

Incorrect behaviour when IPv4 options are used can result in a kernel
crash. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-6951: Denial-of-service from userspace via dead security keys.

Dead security keys were improperly assigned a type with name "dead",
which allowed them to be accessed by users with the
key_get_type_from_user() syscall, causing a kernel panic and
denial-of-service.


* CVE-2017-7187: Denial-of-service in the SCSI driver ioctl handler.

The ioctl handler function in the SCSI driver allows local users to cause
a denial-of-service (stack-based buffer overflow) or possibly have
unspecified other impact via a large command size in an SG_NEXT_CMD_LEN
ioctl call, leading to an out-of-bounds write in the sg_write
function.


* CVE-2017-7616: Information leak when setting memory policy.

A missing check when setting memory policy through the set_mempolicy()
syscall could lead to a stack data leak. A local attacker could use this
flaw to leak information about the running kernel and facilitate an attack.


* CVE-2017-7889: Permissions bypass via /dev/mem file.

The mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM
protection mechanism, which allows local users to read or write to
kernel memory locations via an application that opens the /dev/mem file.


* CVE-2017-9074: Information leak via IPv6 fragment header.

The header size of an IPv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when the kernel attempts
to parse it, leaking information.


* CVE-2017-8890, CVE-2017-9076, CVE-2017-9077: Incorrectly copying list headers on socket clone causes denial-of-service.

When cloning sockets, several list headers are incorrectly copied to the
child sockets, which then leads to double-frees when both sockets are
closed, causing a kernel panic and denial-of-service.


* CVE-2017-9075: Denial-of-service in SCTP IPv6 socket inheritance.

A failure to correctly initialize an SCTP socket during an accept() call
can later result in a double-free. A local, unprivileged attacker could
use this flaw to cause memory corruption or a kernel crash, resulting in
a denial-of-service.


* CVE-2017-9242: Out-of-bounds access in IPv6 packet transmission.

A logic error when aggregating IPv6 packets for transmission can result
in an out-of-bounds memory access. A local unprivileged attacker could
use this flaw to cause a denial-of-service.


* CVE-2014-7975: Denial-of-service in do_umount.

A missing capability check in do_umount allows unprivileged local users to
remount the root file system read-only, causing a denial-of-service (loss
of writability).


* CVE-2017-8797: Remote denial-of-service when handling layout requests in NFSd.

Use of potentially uninitialized values as a callback pointer when handling
a layout request in the NFSv4 daemon with pNFS support could lead to a
denial-of-service or remote kernel code execution. A remote NFS client could
use specially crafted requests to cause a kernel denial-of-service or
escalate privileges.


* CVE-2017-6001: Use-after-free in the perf subsystem on concurrent perf_event_open.

Incorrect locking in the perf subsystem could lead to a use-after-free on
concurrent perf_event_open() calls. A local unprivileged user could use this
flaw to potentially elevate privileges, depending on the perf_event_paranoid
setting.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
