[Ksplice][Ubuntu-17.10-Updates] New Ksplice updates for Ubuntu 17.10 Artful (USN-3523-1)
Jamie Iles
jamie.iles at oracle.com
Fri Jan 12 04:59:21 PST 2018
Synopsis: USN-3523-1 can now be patched using Ksplice
CVEs: CVE-2017-16995 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864
IMPORTANT
The Oracle Ksplice development team has determined that mitigations for
the Intel processor design flaws leading to vulnerabilities
CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715 cannot be applied using
zero-downtime (Ksplice) patching. Oracle therefore recommends that
customers install the required updates from their systems and hardware
vendors as they become available and reboot these machines upon applying
these patches.
Systems running Ubuntu 17.10 Artful can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3523-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 17.10
Artful install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2017-16995: Privilege escalation in BPF 32-bit loads.
Incorrect sign extension of 32-bit loads could allow a local,
unprivileged user to execute arbitrary code and escalate privileges.
* CVE-2017-17862: Denial-of-service in BPF verifier.
Failure to verify unreachable code could result in a denial-of-service
when performing JIT compilation of a BPF program. A local, unprivileged
user could use this flaw to crash the system.
* CVE-2017-17863: Privilege escalation in BPF verification.
Incorrect modeling of pointer arithmetic with the stack pointer could
result in an out-of-bounds access. A local, unprivileged user could use
this flaw to execute code.
* CVE-2017-17864: Information leak in BPF conditional verification.
Invalid equality checks when comparing values when verifying a BPF
program could allow a local, unprivileged user to leak the contents of
kernel memory.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-17.10-updates
mailing list