[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-3777-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Oct 10 08:20:48 PDT 2018


Synopsis: USN-3777-1 can now be patched using Ksplice
CVEs: CVE-2017-5753 CVE-2018-10853 CVE-2018-14633 CVE-2018-15572 CVE-2018-15594 CVE-2018-17182 CVE-2018-6554 CVE-2018-6555

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3777-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
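
The following script is an added example, not part of this advisory or of
Oracle's Ksplice tooling. It answers the two questions this section raises:
is autoinstall actually enabled in /etc/uptrack/uptrack.conf, and once the
update is in, do the CVEs from the synopsis line appear in the output of
uptrack-show? CVE-2018-15594 is deliberately skipped because the note in the
DESCRIPTION section says Oracle will not ship a zero-downtime update for it.
The uptrack-show output embedded below is a constructed sample with made-up
update ids, and the "[id] description" line shape is an assumption; on a real
host the script reads the live tool output when run as root.

```shell
#!/bin/sh
# Added example; not part of the Ksplice advisory or Oracle's tooling.
# Two checks after reading the install section: is autoinstall enabled in
# uptrack.conf, and do the advisory's CVEs appear in `uptrack-show`?
# CVE-2018-15594 is excluded because the advisory says Oracle will not ship
# a zero-downtime update for it. Inputs are passed as strings/paths so the
# logic runs offline on constructed data; the lines at the bottom use the
# real files and tool when present.

# CVE list copied from the advisory's "CVEs:" line.
ADVISORY_CVES="CVE-2017-5753 CVE-2018-10853 CVE-2018-14633 CVE-2018-15572 CVE-2018-15594 CVE-2018-17182 CVE-2018-6554 CVE-2018-6555"
# Named in the advisory as not patched by Ksplice.
NOT_KSPLICED="CVE-2018-15594"

# True when file $1 has an uncommented "autoinstall = yes" line
# (whitespace and case are tolerated; a leading '#' disables it).
autoinstall_enabled() {
    [ -r "$1" ] && grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Print the CVEs from list $1 that do not occur as whole words in text $2,
# skipping any in list $3. Exit 0 when nothing is missing, 1 otherwise.
missing_cves() {
    missing=""
    for cve in $1; do
        case " $3 " in *" $cve "*) continue ;; esac
        if ! printf '%s\n' "$2" | grep -qw -- "$cve"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    if [ -z "$missing" ]; then
        return 0
    fi
    echo "$missing"
    return 1
}

# Constructed sample in the shape of `uptrack-show` output (ids are made up),
# used when the real tool is not available.
SAMPLE_SHOW='Installed updates:
[abcd1234] CVE-2018-6554: Denial-of-service in IRDA socket binding.
[abcd1235] CVE-2018-6555: Privilege escalation in IRDA setsockopt().
[abcd1236] CVE-2018-14633: Information leak in iSCSI CHAP authentication.
[abcd1237] CVE-2018-17182: Privilege escalation in VMA cache flushing.
[abcd1238] Improved fix for CVE-2017-5753: Bounds-check bypass in USB virtual host controller driver.
[abcd1239] CVE-2018-10853: Privilege escalation in guest VM when executing privileged instructions.
[abcd1240] CVE-2018-15572: Information leak in context switches (SpectreRSB).'

if autoinstall_enabled /etc/uptrack/uptrack.conf; then
    echo "autoinstall enabled: updates apply automatically"
else
    echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y"
fi

if [ -x /usr/sbin/uptrack-show ] && [ "$(id -u)" -eq 0 ]; then
    shown=$(/usr/sbin/uptrack-show 2>/dev/null)
else
    shown=$SAMPLE_SHOW
fi
if m=$(missing_cves "$ADVISORY_CVES" "$shown" "$NOT_KSPLICED"); then
    echo "all USN-3777-1 CVEs present (skipped: $NOT_KSPLICED)"
else
    echo "not yet patched: $m"
fi
```

A match on the CVE id in uptrack-show only shows that an update mentioning
that CVE is loaded; it does not replace checking the effective kernel
version that uptrack-show also reports, and the constructed sample is
there so the script can be exercised on a machine without Ksplice.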


DESCRIPTION

* KPTI enablement for Ksplice.


* Kernel information leak in the TCP subsystem.

An integer overflow when copying received TCP data to userspace could
disclose sensitive kernel memory to userspace. A local attacker could use
the leaked data to assist a privilege escalation.


* Denial-of-service when mapping large files into memory.

When mapping large files and block devices into memory, buggy drivers
could overflow the size limit on 32-bit systems. A malicious unprivileged
local user could exploit this to cause a denial-of-service.


* Denial-of-service when disconnecting DCCP.

Early cleanup on DCCP could lead to a use-after-free if a half-connection
times out after disconnect. An unprivileged local user could exploit
this to cause a denial-of-service.


* Privilege escalation when executing user command in DIVAS driver.

A race condition when invoking a user command on an adapter in the Eicon
DIVA Server card driver could allow a malicious user to inject
inconsistent data into the kernel. This could lead to privilege
escalation or a denial-of-service.


* Denial-of-service when validating TCP packet.

Failure to take the size of the packet header into account during
validation leads to a use-after-free in the TCP networking subsystem. A
local attacker with the CAP_NET_RAW capability could use this flaw to
trigger a buffer overflow, resulting in a system crash or privilege
escalation.


* Denial-of-service in the Mellanox multicast subsystem.

Failure to obtain an interrupt-safe lock when looking up a queue pair in
the Mellanox mlx4 multicast subsystem could lead to a deadlock in the
kernel. An attacker could exploit this to cause a denial-of-service.


* Denial-of-service when creating route in the netlink subsystem.

Missing validation of a netlink message from userspace could lead to
undefined behavior in the kernel. This could lead to a
denial-of-service.


* Denial-of-service when adding IPsec key extension.

Failure to validate data from userspace when adding a key extension in
the IPsec subsystem leads to a memory allocation error. An attacker may
exploit this to cause a denial-of-service.


* CVE-2018-10853: Privilege escalation in guest VM when executing privileged instructions.

A missing current-privilege-level check when KVM emulates instructions
issued from guest userspace could allow privilege escalation to the guest
kernel. A local attacker in the guest could use this flaw to escalate
privileges within the guest or cause a denial-of-service.


* Improved fix for CVE-2017-5753: Bounds-check bypass in USB virtual host controller driver.

A missing speculation barrier on an array index in the USB virtual host
controller driver could allow a speculative out-of-bounds access. A local
attacker could use this flaw to leak information about the running
system.


* Denial-of-service when reading from GPIO device.

A NULL pointer dereference when reading from a GPIO device leads to a
kernel crash. This could be exploited by a malicious local user to cause
a denial-of-service.


* Information disclosure in AIX partition parsing.

A lack of correct string termination can result in uninitialised memory
being disclosed from the kernel. A local user with the ability to mount
a disk image could use this flaw to facilitate a further attack.


* Resource leak in VMware DRM driver.

A failure to correctly handle errors in the vmwgfx driver can result in
open channels being leaked.


* NULL pointer dereference in IPv6 multicast routing hash table.

A failure to correctly handle errors when initializing a hash table for
IPv6 multicast routing can result in a NULL pointer dereference.


* Use-after-free in Kernel Connection Multiplexor destruction.

A reference count manipulation error can result in an early free of a
KCM socket, leading to a use-after-free. A local user could use this
flaw to escalate privileges.


* Uninitialised memory access during network metric collection.

A validation failure when gathering network metrics can result in the
access of uninitialised memory, leading to undefined behavior.


* Denial-of-service in SCTP retransmission timeout.

A validation failure when configuring the retransmission timer for an
SCTP socket can result in the SCTP stack entering an infinite loop. A
local user could use this flaw to cause a denial-of-service.


* Out-of-bounds memory access in IPv6 lightweight tunnel encapsulation.

A logic error when adding a Segment Routing Header to an existing IPv6
packet can result in an out-of-bounds memory access. A local user could
use this flaw to cause a kernel crash or other undefined behavior.


* Memory leak in Transmit Packet Steering sysfs interface.

A logic error when failing to enable Transmit Packet Steering can result
in a memory leak.


* Denial-of-service in eXpress Data Path redirection.

A locking error when using XDP via a tun device results in a NULL pointer
dereference, leading to a kernel crash. A local user with access to an
XDP-enabled tun device could use this flaw to cause a denial-of-service.


* Memory leak in VirtIO Segmentation Offload.

A reference count error in the VirtIO driver when using segmentation
offload combined with eXpress Data Path can result in a memory leak.


* NULL pointer dereference in Mellanox Switch VLAN creation.

The Mellanox Switch driver incorrectly allows the creation of a VLAN
with an ID of 1, which is unsupported and leads to a NULL pointer
dereference.


* NULL pointer dereference when dumping object in IPv6 nftables.

A logic error when dumping an IPv6 nftables object can result in a NULL
pointer dereference.


* Undefined behavior in KVM CR3 emulation.

A validation failure when the host or guest sets the CR3 register can
result in a reserved bit being incorrectly set. This could lead to
undefined behavior.


* CVE-2018-6554: Denial-of-service in IRDA socket binding.

Repeated calls to bind() on an IRDA socket could cause a memory leak,
allowing a local, unprivileged user to cause a denial-of-service.


* CVE-2018-6555: Privilege escalation in IRDA setsockopt().

Missing liveness checks could result in a use-after-free when performing
setsockopt() on an IRDA socket.  A local, unprivileged user could use
this flaw to corrupt kernel memory and potentially escalate privileges.


* CVE-2018-14633: Information leak in iSCSI CHAP authentication.

A stack buffer overflow in the iSCSI target's CHAP authentication MD5
computation could result in an out-of-bounds access, leading to a
denial-of-service or potentially leaking sensitive data to an
unauthenticated remote user.


* CVE-2018-17182: Privilege escalation in VMA cache flushing.

A failure to correctly invalidate the VMA cache when its sequence number
overflows can result in a use-after-free. An unprivileged local user
could use this flaw to escalate privileges.


* Stack overflow in Elan I2C/SMBus touchpad driver.

Incorrectly sized stack structures in the Elan I2C/SMBus touchpad driver
could potentially allow overwriting stack values when initializing or
calibrating the device.


* Undefined behavior in VirtIO network eXpress Data Path implementation.

A reference count manipulation error in the VirtIO network driver when
linearising packets for the eXpress Data Path can result in buffers
being incorrectly dropped.


* Undefined behavior in flower network classifier modification.

A logic error in the flower network classifier can result in incorrectly
freeing a handle to the classifier, leading to undefined behavior.


* Note: Oracle will not be providing a zero downtime update for CVE-2018-15594

CVE-2018-15594 is a Spectre v2 leak in paravirt kernels.  This impacts
Xen and KVM VM guest kernels where retpoline is used as the Spectre v2
mitigation.  Enabling IBRS for Spectre v2 mitigation or upgrading to a
newer kernel mitigates CVE-2018-15594.


* CVE-2018-15572: Information leak in context switches (SpectreRSB).

Missing return stack buffer (RSB) fills on some CPU families during a
context switch could allow information to leak between processes via a
Spectre v2 style attack.
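
As an added example that is not part of this advisory, the script below
reads the Spectre v2 mitigation the kernel reports in
/sys/devices/system/cpu/vulnerabilities/spectre_v2 and flags the case the
CVE-2018-15594 note describes: a Xen or KVM guest whose mitigation is
retpoline rather than IBRS. It assumes the wording of the sysfs report
("Mitigation: ... retpoline ...", "Mitigation: Indirect Branch Restricted
Speculation", "Vulnerable ...", "Not affected") and uses systemd-detect-virt
for the guest check. Both helpers take their input as parameters so they can
be run against constructed files; the live check at the bottom uses the real
paths and is guarded so it does nothing harmful elsewhere.

```shell
#!/bin/sh
# Added example; not part of the Ksplice advisory or Oracle's tooling.
# Reads the kernel's own Spectre v2 report from sysfs and decides whether a
# guest kernel is in the situation the CVE-2018-15594 note describes: a Xen
# or KVM guest relying on retpoline. The sysfs directory and the
# virtualization type are parameters so the logic can be exercised offline
# on constructed input; the live check at the bottom uses the real paths.

# Classify $1/spectre_v2 as ibrs, retpoline, vulnerable, not-affected or unknown.
spectre_v2_mode() {
    f="$1/spectre_v2"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    status=$(cat "$f")
    # Order matters: "IBRS_FW" appears in retpoline reports too, so match the
    # full IBRS wording first, and treat any "Vulnerable" report as vulnerable
    # even when a partial retpoline is mentioned.
    case "$status" in
        *"Indirect Branch Restricted Speculation"*) echo ibrs ;;
        Vulnerable*)                               echo vulnerable ;;
        *[Rr]etpoline*)                            echo retpoline ;;
        "Not affected"*)                           echo not-affected ;;
        *)                                         echo unknown ;;
    esac
}

# $1: mode from spectre_v2_mode; $2: hypervisor name as printed by
# `systemd-detect-virt --vm`, or "none". Succeeds (exit 0) when the host
# matches the CVE-2018-15594 note: a VM guest whose mitigation is retpoline.
cve_2018_15594_exposed() {
    [ "$1" = retpoline ] && [ "$2" != none ]
}

# Live check; every path is guarded so the script is harmless elsewhere.
sysdir=/sys/devices/system/cpu/vulnerabilities
virt=none
if command -v systemd-detect-virt >/dev/null 2>&1; then
    virt=$(systemd-detect-virt --vm 2>/dev/null) || virt=none
    [ -n "$virt" ] || virt=none
fi
mode=$(spectre_v2_mode "$sysdir")
echo "spectre_v2 mitigation: $mode (virtualization: $virt)"
if cve_2018_15594_exposed "$mode" "$virt"; then
    echo "retpoline guest kernel: CVE-2018-15594 is not covered by this" \
         "Ksplice update; enable IBRS or move to a newer kernel"
fi
```

The sysfs string describes the mitigation the running kernel chose at boot
and says nothing about whether the Ksplice update for CVE-2018-15572 has
been loaded; uptrack-show is the place to confirm that. The guest check is
also only as good as systemd-detect-virt: on a host where it is absent the
script reports "none" and never raises the retpoline warning.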

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
