[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4025)

Tue Feb 13 00:22:46 PST 2018

Synopsis: ELSA-2018-4025 can now be patched using Ksplice
CVEs: CVE-2017-0861 CVE-2017-12193 CVE-2017-14140 CVE-2017-15115 CVE-2017-17712 CVE-2017-5715 CVE-2017-8824

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4025.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Additional indirect branch speculation improvements for CVE-2017-5715.

The original fix for CVE-2017-5715 did not cover all kernel entry paths
allowing a local user to carry out Spectre attacks in very specific
conditions. Orabug: 27449045

* CVE-2017-17712: Information leak in raw IPV4 socket sendmsg().

A race condition in the raw_sendmsg() call for IPV4 raw sockets could
allow a local user to leak the contents of kernel memory.

* CVE-2017-15115: Use-after-free in SCTP peel off operation inside network namespace.

A logic error when performing an SCTP peel off operation from a network
namespace can result in an incorrect free, leading to a subsequent
use-after-free. A local user could use this flaw to cause a
denial-of-service, or potentially escalate privileges.

Orabug: 27386999

* CVE-2017-14140: ASLR bypass due to insufficient permissions checks in move_pages.

A failure to correctly check permissions when using the move_pages
system call can allow an attacker to map out the address space of a
process which shares the same uid. A local user could use this flaw to
facilitate a further attack.

Orabug: 27364690

* CVE-2017-12193: Denial-of-service in generic associative array implementation.

A logic error when inserting a new entry into an associative array can
result in a NULL pointer dereference, leading to a Kernel crash. A local
user could use this flaw to cause a denial-of-service.

Orabug: 27364592

* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.

Orabug: 27344841

* CVE-2017-8824: Privileges escalation when calling connect() system call on a DCCP socket.

A missing free when calling connect() system call on a DCCP socket while it is
in DCCP_LISTEN state could lead to a use-after-free. A local attacker
could use this flaw to escalate privileges.

* Denial-of-service in Huge TLB mappings during process exit.

Incorrect reference counting on shared page tables could result in
triggering a kernel assertion and crash when exiting a process.  A local,
unprivileged user could use this flaw to crash the system.

Orabug: 26988581

* Secure-boot protections bypass in /dev/mem mmap().

Missing securelevel checks in the /dev/mem driver could allow a user to
access system memory via an mmap() call, defeating secure-boot
protections.

Orabug: 27234850

* Kernel crash in Broadcom NetXtreme-C/E firmware responses.

Incorrect locking when reading parameters from a firmware response could
result in memory corruption and a kernel crash.

Orabug: 27199588

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.