[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4011)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue Jan 16 09:24:10 PST 2018
Synopsis: ELSA-2018-4011 can now be patched using Ksplice
CVEs: CVE-2017-5715
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4011.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
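A way to check which of the two cases above applies to a host, as an added example that is not part of the original announcement or of Ksplice itself. The function names are hypothetical, and the script assumes that only a literal yes or no value (any case) counts; anything else is treated as "not enabled" so the host is flagged for a manual upgrade.

```shell
#!/bin/sh
# Added example: decide whether a host still needs a manual uptrack-upgrade
# run for this advisory, based on the autoinstall setting the notice mentions.

# Print the effective autoinstall value from an uptrack.conf-style file:
# "yes", "no", or "unset". Commented-out lines are ignored and the last
# uncommented assignment wins. An unreadable or missing file yields "unset".
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo unset; return 0; }
    val=$(sed -n \
        -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
        "$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case $val in
        yes|no) echo "$val" ;;
        *)      echo unset ;;   # assumption: unknown values are not trusted
    esac
}

# Return 0 when the administrator has to run the upgrade by hand,
# 1 when autoinstall is enabled and no action is needed.
needs_manual_upgrade() {
    [ "$(uptrack_autoinstall "${1:-}")" != yes ]
}

# Human-readable summary for one configuration file.
report() {
    file=${1:-/etc/uptrack/uptrack.conf}
    if needs_manual_upgrade "$file"; then
        echo "$file: autoinstall not enabled; run /usr/sbin/uptrack-upgrade -y"
    else
        echo "$file: autoinstall = yes; updates install automatically"
    fi
}

# Only act when invoked as: script --check [path-to-uptrack.conf]
if [ "${1:-}" = "--check" ]; then
    report "${2:-}"
fi
```

After a manual upgrade, `uptrack-show` lists the updates that are applied to the running kernel.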
DESCRIPTION
* CVE-2017-5715: Spectre bypass in Intel VMX KVM guest exit.
A logic error when handling a guest exit could fail to restrict
speculative execution, potentially allowing a malicious guest to leak
information from the host kernel.
Orabug: 27369994
* CVE-2017-5715: Spectre bypass in 32-bit system calls.
Incorrect setting of restricted speculation for 32-bit system calls
could allow a malicious 32-bit application to bypass Spectre
protections, leaking the contents of system memory.
Orabug: 27339995
* Use-after-free in ptrace access checks.
Incorrect RCU locking could result in a use-after-free when checking
permissions for ptrace related accesses. A local, unprivileged user
could use this flaw to crash the system.
Orabug: 27339995
* Incorrect ibrs_enabled+ibpb_enabled reporting.
A logic error when returning the ibrs_enabled/ibpb_enabled sysctl values
could incorrectly report that the protections were enabled despite
being disabled on the kernel command line.
Orabug: 27363792
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.