[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4071)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Sat Apr 28 00:43:48 PDT 2018


Synopsis: ELSA-2018-4071 can now be patched using Ksplice
CVEs: CVE-2017-14051 CVE-2017-15537 CVE-2017-16646 CVE-2018-1068

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4071.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
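
Added example (not part of Oracle's announcement): a shell check that
reads an uptrack.conf and reports whether the host installs these updates
by itself or needs the uptrack-upgrade command above. The function names
and the parsing rules (INI-style "key = value" lines, "#" or ";" comments,
last assignment wins, sections ignored) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report how a host receives Ksplice updates.
# Assumption: uptrack.conf holds INI-style "key = value" lines.

# Print the effective "autoinstall" value (last assignment wins).
# Returns 2 when the file cannot be read.
uptrack_autoinstall_value() {
    conf=$1
    [ -r "$conf" ] || return 2
    awk '
        /^[ \t]*[#;]/ { next }              # commented-out settings do not count
        {
            eq = index($0, "=")
            if (eq == 0) next               # section headers, blank lines
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "autoinstall") found = val
        }
        END { if (found != "") print found }
    ' "$conf"
}

# Print "automatic", "manual" or "unknown" for the given config file.
# Only the exact value "yes" counts as automatic; anything else is
# reported as manual so the operator runs uptrack-upgrade.
ksplice_update_mode() {
    value=$(uptrack_autoinstall_value "$1") || { echo unknown; return 0; }
    case $value in
        yes) echo automatic ;;
        *)   echo manual ;;
    esac
}

# Constructed sample config (not taken from a real host) for an offline run.
sample=$(mktemp)
printf '%s\n' '[Settings]' '# autoinstall = yes' 'autoinstall = no' > "$sample"
echo "sample config: $(ksplice_update_mode "$sample")"
rm -f "$sample"

# On a real host: ksplice_update_mode /etc/uptrack/uptrack.conf
```

Hosts reported as "manual" or "unknown" are the ones that still need
/usr/sbin/uptrack-upgrade -y run as root.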


DESCRIPTION

* CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler.

A failure to validate information from userspace can result in an
unbounded kernel memory allocation. A local user could use this flaw to
cause memory exhaustion or a kernel crash, resulting in a
denial-of-service.


* Denial-of-service in SCSI Lower Level Drivers (LLD) infrastructure.

A missing callback entry for the I/O Control Block (IOCB) timeout event
results in a NULL pointer dereference and a subsequent kernel crash. An
attacker could exploit this bug to cause a denial-of-service.


* Denial-of-service when creating session in QLogic HBA Driver.

A NULL pointer dereference when handling the work event for creating a
new session in the QLogic Fibre Channel HBA driver in the SCSI subsystem
leads to a kernel crash. An attacker could exploit this to cause a
denial-of-service.


* CVE-2017-16646: Denial-of-service when using DiBcom DiB0700 USB DVB devices.

Logic errors when using DiBcom DiB0700 USB DVB devices could lead to a
kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2017-15537: Information disclosure in FPU restoration after signal.

A failure to correctly handle an error case can result in a warning
being displayed and FPU information from another process being leaked. A
local user could use this flaw to facilitate a further attack.


* Kernel panic in Hyper-V guest-to-host transport.

Missing pointer validation can trigger a NULL pointer dereference and
kernel panic when transferring data from the guest to host.


* Memory leak when closing VMware VMXNET3 ethernet device.

A logic error when closing a VMware VMXNET3 ethernet device could lead
to a memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Memory corruption in IP packet redirection.

Incorrect reference counting when redirecting IPv4, IPv6 and DCCP packets can
trigger a use-after-free condition and kernel panic.


* NULL pointer dereference in Hyper-V transport driver on allocation failure.

Failure to check the result of an allocation could lead to a NULL pointer
dereference and kernel panic.


* CVE-2018-1068: Privilege escalation in bridging interface.

Lack of userspace parameter sanitization in the 32-bit syscall interface
for bridging allows a user with limited privilege to write into kernel
memory. This flaw could be exploited to escalate privilege.


* Data-loss when writing to XFS filesystem.

A performance feature in the XFS filesystem allows transactions to be
cancelled under heavy load. This could lead to in-memory data
corruption and file system shutdown.


* Denial-of-service when following symlink in ext4 filesystem.

Incorrect error handling when following a symlink in the ext4 filesystem
leads to a NULL pointer dereference. This could allow a local user to
cause a denial-of-service.


* Denial-of-service during NFS server migration.

Multiple vulnerabilities in the NFS subsystem cause a NULL pointer
dereference and soft lockup when performing server migration. This leads
to a denial-of-service.


* Denial-of-service during RDS socket operation.

Calling getsockname() on an unbound RDS socket could lead to a
segmentation fault. An attacker may exploit this to cause a
denial-of-service.


* Denial-of-service when querying ethernet statistics.

Failure to validate the stat type when performing a query on an e1000
network adapter leads to a NULL pointer dereference. A local user could
exploit this to cause a denial-of-service.


* Denial-of-service in Hyper-V utilities driver.

Incorrect error propagation when receiving a transport message in the
Hyper-V utilities driver leads to a memory leak. This could cause kernel
memory exhaustion and eventually a denial-of-service.


* Denial-of-service in Broadcom NetXtreme-C/E network adapter.

When sending a Hardware Resource Manager (HWRM) message to the network
adapter, incorrect variable scoping leads to a use-after-free
vulnerability. This could cause a denial-of-service.


* Denial-of-service when configuring SR-IOV virtual function.

An incorrect bounds check when configuring the Broadcom NetXtreme-C/E
SR-IOV driver leads to a NULL pointer dereference. This could be
exploited to cause a denial-of-service.


* NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver.

If the receive buffer is resized while the read index points outside the
buffer, this could lead to a NULL pointer dereference.


* Kernel panic during asynchronous event registration in LSI Logic MegaRAID SAS driver.

In certain circumstances a user application could attempt to register an
asynchronous event with an invalid class range, causing a kernel panic.


* Kernel crash during PCI hotplug of Emulex LightPulse FibreChannel driver.

Due to a missing timer cancellation, removing an LPFC card or driver could
cause a kernel crash in the timer management code.


* Kernel crash during Emulex LightPulse FibreChannel I/O.

If the LPFC device is removed, applications can still attempt to submit
out-of-range (or otherwise invalid) I/O which will crash the kernel.


* NULL pointer dereference during Emulex LightPulse FibreChannel removal.

Due to a race in the LPFC driver, device or driver removal could cause a
NULL pointer dereference.


* Hard lockup in Emulex LightPulse FibreChannel driver.

Due to a race between non-maskable interrupts and ELS commands in the
LPFC driver, the kernel could deadlock.


* Deadlock during abort command in QLogic QLA2XXX driver.

Incorrect locking in the QLogic QLA2XXX driver can cause a deadlock when
a transmission timeout happens and a command is aborted.


* Kernel crash when creating RDS-over-IPv6 sockets.

Due to incorrect module reference counting, it was possible to unload
the IPv6 module while there were still RDS-over-IPv6 sockets in use.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





