[El-errata] New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2017-3567)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Sun May 21 02:15:05 PDT 2017

Synopsis: ELSA-2017-3567 can now be patched using Ksplice
CVEs: CVE-2014-9731 CVE-2015-5257 CVE-2015-6252 CVE-2015-7990 CVE-2016-2782 CVE-2017-2583 CVE-2017-2647 CVE-2017-5669 CVE-2017-5986 CVE-2017-6214 CVE-2017-7184 CVE-2017-7895

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2017-3567.


We recommend that all users of Ksplice Uptrack running UEKR2 2.6.39 on
OL5 and OL6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
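For a fleet audit of which hosts will pick these updates up on their own and which still need the manual run above, the following script reads the autoinstall setting from an uptrack.conf-style file. It is an added example, not part of the announcement or the Ksplice tooling; the `autoinstall = yes` key and value are from the announcement, while the handling of INI sections, comments, whitespace and letter case is an assumption about the file format. The sample configuration embedded at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): report whether a host
# will install Ksplice updates automatically or still needs a manual
# `uptrack-upgrade -y`, based on "autoinstall" in /etc/uptrack/uptrack.conf.

# Print the effective autoinstall value ("yes", "no", "unset" or "unknown")
# from an uptrack.conf-style file. Only the `autoinstall = yes` syntax comes
# from the announcement; tolerating comments, whitespace and mixed case is
# our assumption about the format. The last matching line wins.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "unknown"; return 1; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|1) echo "yes" ;;
        no|false|0) echo "no" ;;
        "")         echo "unset" ;;
        *)          echo "unknown" ;;
    esac
}

# Succeed (return 0) when the administrator must run the upgrade by hand,
# i.e. whenever autoinstall is not positively enabled.
needs_manual_upgrade() {
    [ "$(uptrack_autoinstall "$1")" != "yes" ]
}

# Constructed sample configuration, used only when the script is run directly.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[Settings]
# autoinstall = yes   (commented out, so it has no effect)
autoinstall = no
EOF

if needs_manual_upgrade "$sample_conf"; then
    echo "autoinstall is not enabled: run /usr/sbin/uptrack-upgrade -y"
else
    echo "autoinstall is enabled: updates will be applied automatically"
fi
rm -f "$sample_conf"
```

Point `uptrack_autoinstall` at the real `/etc/uptrack/uptrack.conf` (the default when no argument is given) to check a live host; a commented-out `autoinstall` line is deliberately treated as unset, since Uptrack will not act on it either.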


* CVE-2017-7895: Remote information leak in kernel NFS server.

Missing bounds checks could result in an out-of-bounds memory access,
allowing a remote attacker to leak the contents of kernel memory.

* CVE-2015-5257: Denial-of-service in Whiteheat device probing.

Missing validation of USB endpoints could result in a NULL pointer
dereference when probing a Whiteheat USB device.  An attacker with a
malicious USB device and physical access to the system could use this
flaw to crash the system.

* CVE-2017-2647: Denial-of-service when invoking the request_key() syscall.

A missing check in the request_key() syscall could lead to a NULL pointer
dereference. A local unprivileged user could use this flaw to cause a

* CVE-2017-7184: Privilege escalation when using the xfrm IP framework.

A missing check when using the xfrm IP framework could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a denial
of service or to escalate privileges.

* CVE-2015-6252: Denial-of-service in Virtio networking accelerator.

Missing resource tracking could result in a memory leak when performing
the VHOST_SET_LOG_FD ioctl.  A local, privileged user with access to the
/dev/vhost-net device could use this flaw to trigger a

* CVE-2017-5669: Privilege bypass when using the shmat() syscall to map page zero.

A logic error when mapping a page using the shmat() syscall could allow a
user to map page zero and consequently bypass a protection mechanism
that exists for the mmap() system call.

* CVE-2016-2782: Crash in USB serial driver when malicious Treo device is connected.

Improper handling of USB endpoint probing during Treo device initialization
leads to a NULL pointer dereference.

* CVE-2017-6214: Denial-of-service when splicing from TCP socket.

A specially crafted packet can be queued to trigger an infinite loop in the
IPv4 subsystem. This can be exploited by a remote attacker to cause

* CVE-2017-5986: Denial-of-service when using an SCTP socket with a concurrent thread.

A BUG_ON() could be triggered when queueing data in a full SCTP socket
while another thread disassociates the first thread from the socket. A
local attacker could use this flaw to cause a denial-of-service.

* CVE-2017-2583: Denial-of-service due to incorrect segment configuration within VMs.

A logic error leads to an incorrect configuration of a segment selector
within a virtual machine. An attacker could use this incorrect
configuration to cause a denial-of-service of the VM.

* NULL pointer dereference in OCFS2 incoming connection race.

Incorrect state management in the OCFS2 incoming connection handling
code could result in a NULL pointer dereference and kernel crash when
racing with incoming data.

* CVE-2015-7990: Race condition when sending a message on unbound RDS socket.

Incorrect locking when checking the state of a socket before sending a
message could lead to a NULL pointer dereference.  A local, unprivileged
user could use this flaw to cause a denial-of-service.

* CVE-2014-9731: Multiple out-of-bounds memory accesses in UDF filesystem driver.

A lack of input validation in the UDF filesystem driver leads to multiple
out-of-bounds memory accesses and potentially to a kernel panic.  An
attacker could use a specially crafted filesystem to cause a

* Use-after-free when accessing fast memory registration in the Infiniband driver.

Incorrect locking in the Infiniband driver when accessing the Fast Memory
Registration Pool (FMR) opens race conditions when allocating or freeing
resources, potentially leading to a use-after-free.  A local user with
privileged access to the Infiniband device could use this flaw to cause a
denial-of-service or potentially escalate privileges.


Ksplice support is available at ksplice-support_ww at oracle.com.
