[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-5294-1)

Oracle Ksplice quentin.casasnovas at oracle.com
Tue Mar 1 09:09:03 UTC 2022


Synopsis: USN-5294-1 can now be patched using Ksplice
CVEs: CVE-2019-18198 CVE-2021-22600 CVE-2021-4083 CVE-2021-43975 CVE-2022-22942

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5294-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
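
To check whether a given host relies on autoinstall or needs the manual
command above, the following added example (not Oracle's code) reads the
"autoinstall" setting from the configuration file. The function names are
hypothetical. It assumes the "key = value" layout quoted above and counts
only the literal value "yes" as enabled.

```sh
#!/bin/sh
# Added example, not part of the Ksplice tooling.
# Assumption: uptrack.conf uses "key = value" lines, as quoted in the advisory.

# Print the value of "autoinstall" in lowercase, "unset" if no uncommented
# assignment exists, or "unreadable" if the file cannot be read.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 0; }
    # Commented-out lines do not match; spaces around "=" and trailing
    # comments are tolerated; this script reads the last assignment found.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*$/\1/p' "$conf" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${val:-unset}"
}

# Exit status 0: the host needs a manual "uptrack-upgrade -y".
# Exit status 1: autoinstall is set to "yes".
# Any other value (no, unset, unreadable) is treated as needing manual action.
needs_manual_upgrade() {
    case "$(uptrack_autoinstall "$1")" in
        yes) return 1 ;;
        *)   return 0 ;;
    esac
}

# Report the setting for the default configuration path.
echo "autoinstall: $(uptrack_autoinstall)"

# Typical use on a host, as root:
#   needs_manual_upgrade && /usr/sbin/uptrack-upgrade -y
```
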


DESCRIPTION

* CVE-2021-22600: Privilege escalation in the Packet protocol subsystem due to a double-free.

A logic flaw causing a double-free in the Packet protocol subsystem could
be exploited by a local user through crafted syscalls. A local user
could use this flaw for a denial-of-service or privilege escalation.


* CVE-2021-43975: Out-of-bounds access in the aQuantia AQtion(tm) Ethernet card driver.

A lack of input validation in the aQuantia AQtion(tm) Ethernet card driver
could result in an out-of-bounds access. An attacker could use a
compromised or malfunctioning device to trigger this flaw and cause
a denial-of-service or execute arbitrary code.


* CVE-2021-4083: Race condition in garbage collection of BSD Unix domain sockets.

A possible race condition in BSD Unix domain socket garbage collection
could result in a read-after-free error. A local user could use this
flaw to cause a denial-of-service or privilege escalation.


* CVE-2022-22942: Use-after-free in the VMware Virtual GPU driver.

An improper error handling flaw in the VMware Virtual GPU driver could
leave a stale entry in the file descriptor table, resulting in a
use-after-free. Unprivileged local users could use this flaw to gain
access to files opened by other processes on the system through a
dangling file pointer, causing information disclosure or privilege
escalation.


* CVE-2019-18198: Code execution in IPv6 due to use-after-free.

A reference counting flaw in the IPv6 routing implementation could lead
to a use-after-free. A local user could use this flaw to cause a denial
of service or execute arbitrary code.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




