[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-5339-1)
Oracle Ksplice
quentin.casasnovas at oracle.com
Thu Mar 24 14:41:37 UTC 2022
Synopsis: USN-5339-1 can now be patched using Ksplice
CVEs: CVE-2021-3506 CVE-2021-43976 CVE-2021-44733 CVE-2021-45095 CVE-2022-0435 CVE-2022-0492 CVE-2022-0847
Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5339-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2022-0492: Privilege escalation in Control Groups feature.
A missing capabilities check flaw in the Control Groups feature when
setting release_agent in the initial user namespace could result in
bypassing namespace isolation. A local user could use this flaw to
escalate privilege.
* Note: Oracle will not be providing an update for CVE-2021-44733.
A race condition flaw could happen in a Trusted Execution Environment
(TEE) during an attempt to free a shared memory object leading to
a use-after-free.
According to our audits most customers are not affected by this
vulnerability because they are not using the TEE kernel module.
* CVE-2022-0847: Privilege escalation in pipe buffers.
A flaw in the initialization of pipe buffers may allow reading of
stale data from the underlying page cache. A local user could use
this flaw to write to read-only files or escalate privileges.
* CVE-2021-3506: Denial-of-service in F2FS due to out-of-bounds memory access.
An out-of-bounds memory access flaw in the F2FS file system could lead
to a system crash when retrieving the next Node Address Table page.
A local attacker could use this flaw to cause a denial-of-service.
* CVE-2022-0435: Denial-of-service in Transparent Inter-Process Communication protocol.
A buffer overflow flaw in The Transparent Inter-Process Communication
protocol could lead to crash in systems that have a TIPC bearer
configured. A remote attacker could use this flaw to cause a denial of
service.
* CVE-2021-45095: Denial-of-service in Phone Network protocol due to memory leaks.
A reference counting flaw in the Phone Network protocol functionality
when handling an error condition could lead to memory leaks. A local
user could use this flaw to cause a denial-of-service.
* CVE-2021-43976: Malicious Marvell mwifiex USB device causes DoS.
Incorrect handling of packet buffers received from a Marvell mwifiex USB
device could result in a kernel assertion failure. A malicious device
might exploit this to crash the kernel.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-18.04-updates
mailing list