[El-errata] New Ksplice updates for RHCK 7 (RHSA-2018:1062-01)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Wed Apr 25 03:50:15 PDT 2018
Synopsis: RHSA-2018:1062-01 can now be patched using Ksplice
CVEs: CVE-2016-3672 CVE-2016-7913 CVE-2016-8633 CVE-2016-8658 CVE-2017-0786
CVE-2017-1000252 CVE-2017-1000407 CVE-2017-1000410 CVE-2017-12154 CVE-2017-12190
CVE-2017-13080 CVE-2017-13166 CVE-2017-14051 CVE-2017-14140 CVE-2017-15129
CVE-2017-15265 CVE-2017-15299 CVE-2017-16528 CVE-2017-17448 CVE-2017-17449
CVE-2017-17558 CVE-2017-18017 CVE-2017-18203 CVE-2017-7346 CVE-2017-8824
CVE-2017-8925 CVE-2017-9605 CVE-2017-9725 CVE-2018-1000004 CVE-2018-5750
CVE-2018-6927
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle kernel update, RHSA-2018:1062-01.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
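The two installation paths above (automatic when "autoinstall = yes" is set, manual via uptrack-upgrade otherwise) can be folded into one check that an operator runs across a fleet. The script below is an added example and is not part of the announcement or of Oracle's Ksplice tooling; the config lines it parses are constructed for illustration, and the assumption is only that the setting appears as an "autoinstall = yes" line in /etc/uptrack/uptrack.conf, as the announcement states.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): decide whether a host
# running Ksplice Uptrack still needs a manual "uptrack-upgrade -y".

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Matches "autoinstall = yes" case-insensitively, tolerating surrounding
# whitespace and skipping commented-out lines. The file path is an
# argument so the check can be run against a copied config offline.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# Print the action to take for this host. With DRY_RUN=1 (the default)
# only the decision is printed; with DRY_RUN=0 the upgrade is actually run.
ksplice_update_action() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if uptrack_autoinstall_enabled "$conf"; then
        echo "autoinstall enabled: updates will apply on their own"
        return 0
    fi
    echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    if [ "${DRY_RUN:-1}" = "0" ]; then
        /usr/sbin/uptrack-upgrade -y
    fi
    return 0
}

# Demonstration against two constructed configs (not real host files).
demo() {
    tmp=$(mktemp)
    printf '[Settings]\n# autoinstall = no\nautoinstall = yes\n' > "$tmp"
    ksplice_update_action "$tmp"
    printf '[Settings]\nautoinstall = no\n' > "$tmp"
    ksplice_update_action "$tmp"
    rm -f "$tmp"
}

demo
```

Run it as root on the host with DRY_RUN=0 to apply the updates where autoinstall is off; on either path, uptrack-show afterwards lists the Ksplice updates that are actually loaded, which is the state worth recording for the advisory.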
DESCRIPTION
* CVE-2017-8824: Privilege escalation when calling the disconnect() system call
on a DCCP socket.
A missing free when calling the disconnect() system call on a DCCP socket
while it is in the DCCP_LISTEN state could lead to a use-after-free. A local
attacker could use this flaw to escalate privileges.
* CVE-2016-8633: Buffer overflow in firewire net driver.
A logic error in the checks on incoming packets could lead to an rx buffer
overflow. A remote attacker could use this flaw to cause a
denial-of-service.
* CVE-2017-12190: Denial-of-service in block I/O page merging.
A failure to decrement a reference count when merging block I/O pages
can result in a memory leak. A local user could use this flaw to cause a
denial-of-service.
* CVE-2016-3672: ASLR bypass on 32-bit processes.
Enabling an unlimited stack size would completely disable ASLR for
process with the limit applied. A local user could use this flaw to
reduce the security of a setuid/setgid application.
* CVE-2017-1000252: Denial-of-service when receiving an out-of-bounds KVM guest
interrupt.
A kernel assert when receiving out-of-bounds guest interrupts in KVM
could lead to a kernel hang. A local attacker from a guest VM could use
this flaw to cause a denial-of-service.
* CVE-2017-13080: Key Reinstallation Attacks (KRACK) on WPA2 protocol.
A weakness in the four-way handshake of the WPA2 protocol allows an
attacker within radio range to force nonce reuse. This could allow the
attacker to eavesdrop on encrypted communications as well as inject and
manipulate data in a WiFi stream.
* CVE-2017-15299: Denial-of-service in uninstantiated key configuration.
A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.
* CVE-2017-0786: Privilege escalation in Broadcom WiFi driver.
A failure to validate the results of a scan could result in kernel
memory corruption. A remote attacker could use this flaw to escalate
privileges.
* CVE-2016-8658: Memory corruption when configuring Broadcom 802.11 AP.
Missing data validation when configuring an 802.11 access point using a
Broadcom chipset can allow a privileged local user to trigger kernel
memory corruption and potentially gain elevated privileges.
* CVE-2017-9605: Information leak when user defines surface in VMware Virtual
GPU driver.
A missing initialization of a local variable when a user defines a surface in
the vmwgfx driver could leak stack information. A local attacker could use
this flaw to gain information about the running kernel and facilitate an
attack.
* CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.
A failure to validate information from userspace can result in an
unbounded kernel memory allocation. A local user could use this flaw to
cause memory exhaustion or a kernel crash, resulting in a
denial-of-service.
* CVE-2017-7346: Denial-of-service when user defines surface in VMware Virtual
GPU driver.
A missing check on user input could lead to an infinite loop. A local
attacker could use this flaw to cause a denial-of-service.
* CVE-2017-16528: Use-after-free when unbinding a MIDI sequencer device.
A failure to cancel a work queue item when unbinding a MIDI sequencer
device could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.
* CVE-2017-8925: Memory leak when opening an Omninet serial driver.
An extra reference on the TTY was taken in the Omninet serial driver on
open, leading to a memory leak. A local, unprivileged user could use this
flaw to exhaust the memory on the system and cause a denial-of-service.
* CVE-2017-18203: Denial-of-service during device mapper destruction.
A race condition between creation and destruction of device mapper
objects can result in an assertion failure, leading to a kernel crash. A
local user could use this flaw to cause a denial-of-service.
* CVE-2017-9725: Memory corruption in contiguous memory allocation.
A type conversion error when allocating contiguous memory for Direct
Memory Access can result in memory corruption outside of the allocated
memory. A local user could use this flaw to cause undefined behavior or
a kernel crash.
* CVE-2017-12154: Denial-of-service when using KVM nested virtualization.
A missing flag when setting up nested virtualization using KVM could
give an L2 guest access to the CR8 register. A local attacker could use this
register to disable external interrupts on the system from the L2 guest and
cause a denial-of-service.
* CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.
A race condition in the net namespace code could lead to a double
free and memory corruption.
* CVE-2017-15265: Use-after-free in ALSA seq port creation.
A failure to increment a reference count during creation of an ALSA
seq port can result in a use-after-free. A local user could use this
flaw to escalate privileges.
* CVE-2017-17448: Unprivileged access to netlink namespace creation.
net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4
does not require the CAP_NET_ADMIN capability for new, get, and del
operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared
across all net namespaces.
* CVE-2017-17449: Missing permission check in netlink monitoring.
Netlink monitoring is not correctly restricted to the local namespace.
Nlmon can currently be used to sniff packets on the entire system.
* CVE-2017-17558: Buffer overrun in USB core via integer overflow.
Failing to sanitize the bNumInterfaces field in a USB device descriptor
could allow a malicious device to induce a buffer overrun, potentially
causing a denial-of-service.
* CVE-2017-18017: Use-after-free when processing TCP packets in netfilter TCPMSS
target.
A missing check when using the TCPMSS target for TCP could lead to a
use-after-free. A remote attacker could use this flaw to cause a
denial-of-service.
* CVE-2018-5750: Information leak when registering ACPI Smart Battery System driver.
An overly verbose printk when registering the ACPI Smart Battery System driver
leaks kernel addresses. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.
* CVE-2018-1000004: Use-after-free when using MIDI sequencer ioctl.
A race condition when using MIDI sequencer ioctl could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2018-6927: Integer overflow when requeuing a futex.
A missing check when calling the futex system call with the "requeue" option
could lead to an integer overflow. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2016-7913: Use-after-free of XC2028 TV tuner driver name string.
The priv->ctrl.fname string containing the firmware name can be freed
twice, potentially causing memory corruption and a kernel panic or other
exploitable behavior.
* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.
A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash. An attacker could use this flaw
to cause a host denial-of-service from the guest.
* CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.
Incorrect handling of short EFS elements in an L2CAP message could allow
an attacker to leak the contents of kernel memory.
* CVE-2017-13166: Privilege escalation when using V4L2 ioctls.
Logic errors in multiple V4L2 ioctls could lead to execution of arbitrary
user-space-defined addresses. A local attacker could use this flaw to escalate
privileges.
* CVE-2017-14140: Permission bypass when checking credentials for filesystem
accesses.
A flaw in the ptrace access checks allows a temporarily unprivileged
process to access files that it was not supposed to. A local, unprivileged
user could potentially use this flaw to escalate privileges.
* Improve the interface to freeze tasks.
Provides an alternative method for freezing selected tasks using a flag in
struct task_struct. This is useful starting with 3.10 due to freezer
optimizations.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.