[Ksplice][EL8-Updates] New Ksplice updates for OL 8 and RHEL 8 (ELSA-2023-7549)

Oracle Ksplice quentin.casasnovas at oracle.com
Mon Jan 8 13:07:42 UTC 2024 

Synopsis: ELSA-2023-7549 can now be patched using Ksplice
CVEs: CVE-2022-45884 CVE-2022-45886 CVE-2022-45919 CVE-2023-1192 CVE-2023-2163 CVE-2023-3812 CVE-2023-5178

Systems running RHCK on Oracle Linux 8 and Red Hat Enterprise Linux 8
can now use Ksplice to patch against the latest Red Hat kernel update,
ELSA-2023-7549.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2023-7549.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running OL 8 and RHEL 8
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2022-45886: Use-after-free in DVB Core driver.

A race condition in the network component of the DVB Core driver can
lead to a use-after-free when a device is disconnected. A local user
can exploit this flaw to cause a denial-of-service or potentially
escalate their privileges.


* CVE-2022-45919: Use-after-free in DVB EN50221 driver.

A race condition in the network compoenent of the DVB EN50221 driver can
lead to a use-after-free when the device is disconnected. A local user
might exploit this flaw to cause a denial-of-service or potentially
escalate their privileges.


* CVE-2023-2163: Out-of-bounds memory access in BPF program verifier.

A flaw in the BPF verifier may allow a BPF program path to be
prematurely marked as safe, potentially leading to an out-of-bounds
read or write access. An attacker could use this flaw for
denial-of-service or arbitrary code execution.


* CVE-2023-3812: Privilege escalation in TUN/TAP device driver.

A missing check on user input in TUN/TAP device driver could lead to an
out-of-bounds access. A local attacker could use this flaw to escalate
privileges.


* CVE-2023-5178: Privilege escalation in NVMe over Fabrics TCP.

A logic error when using NVMe over Fabrics TCP could lead to a
use-after-free. A remote attacker could use this flaw to escalate
privileges.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-1192.

CVE-2023-1192 is a race condition which could leads to a use-after-free
in CIFS driver. A local attacker could use this flaw to cause a denial-
of-service. Oracle recommends rebooting affected machines.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-45884.

A logic error when using Digital TV driver could lead to a
use-after-free or a memory leak. A local attacker could use this flaw to
cause a denial-of-service.

Oracle has determined that creating a zero-downtime update would not be
safe and recommends a reboot if such mitigation is required.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-EL8-updates mailing list