[Ksplice][Ubuntu-17.10-Updates] New Ksplice updates for Ubuntu 17.10 Artful (USN-3523-1)

Jamie Iles jamie.iles at oracle.com
Fri Jan 12 04:59:21 PST 2018 

Synopsis: USN-3523-1 can now be patched using Ksplice
CVEs: CVE-2017-16995 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864

IMPORTANT

The Oracle Ksplice development team has determined that mitigations for 
the Intel processor design flaws leading to vulnerabilities 
CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715 cannot be applied using 
zero-downtime (Ksplice) patching. Oracle therefore recommends that 
customers install the required updates from their systems and hardware 
vendors as they become available and reboot these machines upon applying 
these patches.

Systems running Ubuntu 17.10 Artful can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3523-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 17.10
Artful install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-16995: Privilege escalation in BPF 32-bit loads.

Incorrect sign extension of 32-bit loads could allow a local,
unprivileged user to execute arbitrary code and escalate privileges.


* CVE-2017-17862: Denial-of-service in BPF verifier.

Failure to verify unreachable code could result in a denial-of-service
when performing JIT compilation of a BPF program.  A local, unprivileged
user could use this flaw to crash the system.


* CVE-2017-17863: Privilege escalation in BPF verification.

Incorrect modeling of pointer arithmetic with the stack pointer could
result in an out-of-bounds access.  A local, unprivileged user could use
this flaw to execute code.


* CVE-2017-17864: Information leak in BPF conditional verification.

Invalid equality checks when comparing values when verifying a BPF
program could allow a local, unprivileged user to leak the contents of
kernel memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-17.10-updates mailing list