[Ksplice][EL8-Updates] New Ksplice updates for OL 8 and RHEL 8 (ELSA-2021-4356)

Oracle Ksplice quentin.casasnovas at oracle.com
Wed Dec 8 01:47:35 UTC 2021


Synopsis: ELSA-2021-4356 can now be patched using Ksplice
CVEs: CVE-2020-0427 CVE-2020-24502 CVE-2020-24503 CVE-2020-24504 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26140 CVE-2020-26144 CVE-2020-26147 CVE-2020-27777 CVE-2020-29368 CVE-2020-29660 CVE-2020-35508 CVE-2020-36158 CVE-2020-36386 CVE-2021-0129 CVE-2021-20194 CVE-2021-20239 CVE-2021-23133 CVE-2021-28950 CVE-2021-28971 CVE-2021-29155 CVE-2021-29646 CVE-2021-29650 CVE-2021-31440 CVE-2021-31829 CVE-2021-31916 CVE-2021-33200 CVE-2021-3348 CVE-2021-3489 CVE-2021-3564 CVE-2021-3573 CVE-2021-3600 CVE-2021-3635 CVE-2021-3659 CVE-2021-3679 CVE-2021-3732

Systems running RHCK on Oracle Linux 8 and Red Hat Enterprise Linux 8
can now use Ksplice to patch against the latest Red Hat kernel update,
ELSA-2021-4356.
More information about this erratum can be found at
https://linux.oracle.com/errata/ELSA-2021-4356.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running OL 8 and RHEL 8
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
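The two paths above (automatic installation when "autoinstall = yes" is set, otherwise a manual uptrack-upgrade run) can be checked from a script. The following is an added example, not Oracle's code: it reads the autoinstall key from an uptrack.conf-style file and reports which of the two actions applies. The only setting it relies on is the "autoinstall" key named above; the sample file contents are constructed, and everything else about the layout of /etc/uptrack/uptrack.conf (comment characters, sections) is an assumption.

```shell
# Added example (not Oracle's code): decide whether a host still needs a
# manual Ksplice Uptrack run. Only the "autoinstall" key from the advisory is
# consulted; the '#'/';' comment syntax and section headers are assumptions.

# Print the effective value of a key in an uptrack.conf-style file.
# Skips blank lines and comment lines, tolerates whitespace around '=',
# and lets the last occurrence of the key win. Returns 1 if not found.
uptrack_conf_get() {
    key="$1"; conf="$2"
    [ -r "$conf" ] || return 1
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' "$conf" \
      | awk -F= -v k="$key" '
          { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
          $1 == k { val = $2; found = 1 }
          END { if (found) { print val; exit 0 } exit 1 }'
}

# Return 0 if autoinstall is enabled (case-insensitive "yes"), 1 otherwise.
# A missing key or an unreadable file counts as "not enabled".
uptrack_autoinstall_enabled() {
    v=$(uptrack_conf_get autoinstall "$1") || return 1
    case "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Map the configuration to the action the advisory describes:
# "auto"   -> updates install themselves, nothing to do
# "manual" -> run /usr/sbin/uptrack-upgrade -y
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then echo auto; else echo manual; fi
}

# Stand-alone demonstration on a constructed config file
# (on a real host the path would be /etc/uptrack/uptrack.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample uptrack.conf (not a real host's file)
[Settings]
# autoinstall = yes   <- commented out, must be ignored
autoinstall = no
EOF
echo "constructed config -> $(uptrack_action "$demo_conf")"   # manual
rm -f "$demo_conf"
```

The commented-out line in the sample is the case worth testing: a naive grep for "autoinstall = yes" would match it and wrongly conclude that no action is needed.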


DESCRIPTION

* CVE-2021-3732: Information disclosure in OverlayFS when mounting a filesystem.

A logic flaw in the mount functionality of the OverlayFS subsystem could
allow an unprivileged local user with permission to mount a filesystem
to access hidden files that should not be accessible in the original mount.
An unprivileged local attacker could use this flaw for information
disclosure.


* CVE-2020-26147: Multiple vulnerabilities on the receiving side of the 802.11 networking stack.

A flaw in the WEP, WPA, WPA2, and WPA3 implementations of the generic IEEE
802.11 networking stack could lead to the stack reassembling fragments
even though some of them were sent in plaintext.
A physically proximate attacker could use this flaw to inject packets.


* CVE-2020-26144, CVE-2020-24588, CVE-2020-26140: Mishandling of malformed A-MPDU frames in the 802.11 networking stack.

Mishandling of malformed A-MPDU frames in the 802.11 wireless networking
stack could allow an attacker to inject network packets. A physically
proximate attacker could use this flaw to compromise system
integrity.


* CVE-2020-26139: Remote denial of WiFi service via malicious EAPOL frames.

When acting as an access point, the kernel WiFi driver might forward
EAPOL frames to other devices that have not successfully authenticated.
A malicious device might exploit this to cause a denial-of-service of
the WiFi connection towards legitimately connected clients.


* Note: Oracle will not provide a zero-downtime update for CVE-2020-24587 and CVE-2020-24586.

CVE-2020-24587 (CVSS v3 score of 2.6) and CVE-2020-24586 (CVSS v3 score of
3.5) might allow an attacker to inject L2 frames into a WiFi network using
WEP, WPA/CCMP or WPA/GCMP, or to exfiltrate network data under certain
conditions. Host machines that are not connected to a WiFi network are not
affected.

Oracle has determined that patching CVE-2020-24587 and CVE-2020-24586 would
not be safe and recommends that affected hosts reboot into the newest kernel
to mitigate the vulnerabilities.


* CVE-2021-3679: Denial-of-service in kernel tracing module.

A flaw in the kernel tracing module could lead to an infinite loop when
the trace ring buffer is used in a specific way. A privileged local user
could use this flaw to starve resources and cause a denial-of-service.


* CVE-2021-29155, CVE-2021-33200, CVE-2021-31829: Information disclosure in eBPF due to out of bounds pointer arithmetic.

An out-of-bounds pointer arithmetic flaw in the eBPF implementation could
allow an attacker to bypass the protection and speculatively execute
out-of-bounds loads from kernel memory, leading to extraction of
kernel memory contents via a side-channel. A BPF program loaded by a
local user with the CAP_SYS_ADMIN capability could use this flaw for
sensitive information disclosure.


* CVE-2021-3659: Out-of-bounds access when closing LR-WPAN wireless connection.

When closing an IEEE 802.15.4 wireless connection, incorrect error
handling could result in an invalid pointer dereference. A malicious
user might exploit this flaw to crash the system.


* CVE-2021-3564: Denial-of-service in bluetooth subsystem.

An ordering issue whilst handling data flushes may lead to a
double-free. This could allow a local attacker to cause a
denial-of-service.

Orabug: 33369947


* CVE-2021-3573: Code execution in the bluetooth subsystem due to use-after-free.

Improper handling of HCI device detach events in the bluetooth subsystem
could lead to a use-after-free. A local user could use this flaw to
cause a denial-of-service or possibly execute arbitrary code.


* Note: Oracle will not provide a zero-downtime update for CVE-2020-24502, CVE-2020-24503 or CVE-2020-24504.

CVE-2020-24502, CVE-2020-24503 and CVE-2020-24504 are vulnerabilities
in the Intel ICE ethernet controller. Oracle has determined that
patching these vulnerabilities would not be safe and recommends
rebooting into the latest kernel.


* CVE-2020-29368: Write protection bypass in huge-page handler.

A race condition in the kernel huge page handling could result in a
kernel huge page being erroneously created with write permissions after
it was duplicated via copy-on-write. A malicious user might exploit this
to modify sensitive kernel data structures.


* Note: Oracle has determined that CVE-2020-0427 is not applicable.

Oracle has determined that CVE-2020-0427 is not applicable as the affected
files are not compiled on this distribution.


* Note: Oracle has determined that CVE-2020-27777 is not applicable.

The kernel is not affected by CVE-2020-27777 since the code under
consideration is not compiled.


* CVE-2020-36158: Buffer overflow when creating an ad-hoc network.

A logic error in the Marvell wireless network driver, when creating an ad-hoc
wireless network, could lead to a buffer overflow. A malicious local user with
sufficient privileges to create an ad-hoc wireless network could use this flaw
to cause a denial-of-service, or possibly arbitrary code execution.

Orabug: 32349207


* CVE-2020-29660: Use-after-free in TTY subsystem due to locking inconsistency.

A locking inconsistency in the TTY subsystem could lead to a use-after-free.
A local user could use this flaw to cause execution of arbitrary code or
a denial-of-service.


* CVE-2020-35508: Use-after-free when forking a process with CLONE_PARENT.

A race condition in the fork implementation when using the CLONE_PARENT
flag while the process parent is exiting could lead to a use-after-free. An
unprivileged local user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* CVE-2020-36386: Out-of-bounds read in Bluetooth HCI event subsystem.

Insufficient packet validation in the Bluetooth Host Controller Interface
event packet handler can cause out-of-bounds reads with a potential for
denial-of-service or leaking of privileged data.

Orabug: 33013890


* CVE-2021-0129: Man-in-the-middle disclosure of bluetooth passkey.

The kernel bluetooth pairing process contains a flaw that might allow a
malicious nearby device to determine the passkey used to complete the
pairing, or potentially pair itself instead.


* CVE-2021-3348: Use-after-free due to bad locking in Network block device.

Missing locking in the Network block device could lead to a use-after-free
when setting up a device. A local user could use this flaw to cause
a denial-of-service or to execute code.


* CVE-2021-3489: Denial-of-service in BPF due to missing ring buffer validation.

A malicious BPF program could leverage flaws in the BPF ring buffer
implementation to cause a denial-of-service or potentially execute
arbitrary code.


* CVE-2021-3600: Arbitrary code execution in BPF div/mod operations.

The BPF verifier did not properly track bounds information for 32-bit
registers when performing div and mod operations. A local user
could potentially use this flaw to execute arbitrary code.


* CVE-2021-20194: Privilege escalation in the BPF subsystem.

Missing error checks in the BPF subsystem could cause a buffer overflow.
A local user could use this flaw to escalate their privileges or cause
a denial-of-service.


* CVE-2021-23133: Multiple vulnerabilities due to a race condition in SCTP.

A flaw in the socket functionality of the Stream Control Transmission
Protocol could lead to a race condition. A local user with network service
privileges could use this flaw for privilege escalation, information
disclosure or denial-of-service.

Orabug: 32907967


* CVE-2021-28950: Denial-of-service in FUSE due to improper inodes handling.

A failure to properly handle bad inodes in the FUSE user space file
system implementation could lead to a CPU stall because a retry loop
continually finds the same bad inode. A local attacker could use this
flaw to cause a denial of service.


* CVE-2021-28971: Denial-of-service due to PEBS status mishandling in Intel processor support.

Mishandling of the PEBS status in PEBS records in the Intel processor
support code might lead to a situation on some Haswell and earlier systems
where userspace applications could cause a system crash. A local user could
use this flaw to cause a denial-of-service.

Orabug: 32669468


* CVE-2021-29646: Code execution in TIPC protocol due to a buffer overflow.

Improper user input validation in the tipc_nl_retrieve_key function of
the TIPC protocol could result in a buffer overflow. A local user could
use this flaw to cause a denial-of-service or possibly execute arbitrary
code.


* CVE-2021-29650: Denial-of-service in Netfilter due to incorrect memory barrier.

Lack of a full memory barrier upon the assignment of a new table value
in the Netfilter subsystem could result in a system crash. A local user
could use this flaw to cause a denial-of-service.

Orabug: 32709120


* CVE-2021-31440: Privilege escalation in eBPF due to an out-of-bounds flaw.

An out-of-bounds condition could occur in the Berkeley Packet Filter
due to improper validation of user-supplied eBPF programs. A local
attacker could use this flaw to execute arbitrary code.


* CVE-2021-3635: List corruption in netfilter tables causes DoS.

Incorrect validation of netfilter table creation and destruction could
cause corruption of the table lists. A local user with the
CAP_SYS_ADMIN permission might exploit this to crash the system or cause
data corruption.


* CVE-2021-31916: Information disclosure due to out-of-bounds writes in the Multi-device driver.

A flaw in the ioctls of the Multiple Devices driver support could lead to
out-of-bounds memory writes. An attacker with the special user
(CAP_SYS_ADMIN) privilege could use this flaw for denial-of-service
or information disclosure.

Orabug: 32860491


* CVE-2021-20239: Information leak via cgroup BPF filter.

BPF programs running on cgroups can contain addresses provided from
userspace. The BPF code erroneously returns a different error number if
the program attempts to access a valid kernel address. A malicious user
with the CAP_NET_ADMIN permission could exploit this to gain information
about the running kernel.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
