[El-errata] New Ksplice updates for RHCK 7 (ELSA-2019-2029)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Aug 14 08:26:40 PDT 2019 

Synopsis: ELSA-2019-2029 can now be patched using Ksplice
CVEs: CVE-2018-10853 CVE-2018-13053 CVE-2018-13093 CVE-2018-13094 CVE-2018-13095 CVE-2018-14625 CVE-2018-15594 CVE-2018-16658 CVE-2018-18281 CVE-2018-7755 CVE-2018-9363 CVE-2018-9517 CVE-2019-11810 CVE-2019-11833 CVE-2019-3459 CVE-2019-3819 CVE-2019-3882 CVE-2019-3900 CVE-2019-5489 CVE-2019-7222

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-2029.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-2029.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-11833: Information leak in ext4 extent tree block.

A missing zeroing of uninitialized memory in ext4 extent tree block
could lead to an information leak. A local attacker could use this flaw
to leak information about running kernel and facilitate an attack.


* CVE-2019-11810: Denial-of-service in LSI Logic MegaRAID probing.

A logic error in the LSI Logic MegaRAID device probing could result in a
NULL pointer dereference and kernel crash under specific conditions.


* CVE-2019-7222: Information disclosure in KVM VMX emulation.

Incorrectly handling a page fault exception while emulating VMX instructions
can result in leaking host stack information to a guest. A guest VM could use
this flaw to facilitate a further attack on the host.


* CVE-2019-5489: Information leak in the mincore() syscall implementation.

Missing checks in the mincore() syscall could let a local attacker
observes page cache access patterns on other process in the system and
lead to an information leak.


* CVE-2019-3459: Information leak when processing L2CAP options controlled by an attacker.

Missing checks on options lengths when processing L2CAP options could lead
to an information leak. A local attacker could use this flaw to leak
information about running kernel and facilitate an attack.


* CVE-2018-18281: Information leak in mremap syscall.

A logic error in the mremap code could allow one process to access
memory of a different process.


* CVE-2018-16658: Information leak in CD-ROM status ioctl.

An incorrect bounds check in the CD-ROM driver could allow an
out-of-bounds access and kernel information leak to an unprivileged
user.


* CVE-2018-13094: NULL-pointer dereference when shrinking xfs inode.

When attempting to shrink an xfs inode for a file with corrupted
extended attributes, the non-existent attribute buffer might be
dereferenced, resulting in a denial-of-service.


* CVE-2018-13093: NULL-pointer dereference when reusing inodes in xfs.

If an XFS filesystem becomes corrupted, the local inode cache might
attempt to re-allocate in-use inodes. This can result in a deadlock or
NULL-pointer dereference and denial-of-service.


* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.

The alarm_timer_nsleep function in the kernel timekeeping code does not
check for overflow when adding two time values together, potentially
causing undefined behavior in the kernel.


* CVE-2019-3819: Deadlock in HID debug events read.

A logic error when reading HID debug events can result in the kernel entering
an infinite loop, leading to a system lock up. A privileged user could use this
flaw to cause a denial-of-service.


* CVE-2018-9363: Remote code execution in Bluetooth HIDP driver.

An integer overflow in the Bluetooth HIDP driver could result in a
buffer overflow and memory corruption.  A remote user could use this
flaw to trigger a denial of service or potentially, gain code execution.


* CVE-2018-7755: Information leak through floppy disk driver ioctl.

A logic error when using floppy disk driver ioctl could lead to a kernel
address leak.  A local attacker could use this flaw to get address of
running kernel and facilitate an attack.


* CVE-2018-10853: Privilege escalation in guest vm when executing privileged instructions.

A missing check on privilege when executing instructions from guest
userspace could lead to a privilege escalation to guest kernel. A local
attacker could use this flaw to cause a denial-of-service.


* Improved fix for Spectre v1: Bounds check bypass in Vhost ioctl.

A missing use of the indirect call protection macro in the vhost ioctl
code could lead to speculative execution. A locaal attacker could use
this flaw to leak information about the running system.


* CVE-2019-3882: Denial-of-service when repeatedly DMA mapping device MMIO.

By repeatedly mapping device MMIO memory via mmap, a malicious user
could potentially consume unbounded system memory, resulting in resource
starvation and a denial-of-service.


* CVE-2018-14625: Kernel information leak when releasing a vsock.

A use-after-free bug when releasing an AF_VSOCK socket may allow an
attacker to read kernel memory from inside VM guest. This could be
exploited to leak privileged information and possibly impersonate
AF_VSOCK messages destined to other clients.


* CVE-2018-9517: Privilege escalation in L2TP session creation.

A race condition during L2TP session creation could result in memory
corruption.  A local, unprivileged user could use this flaw to trigger a
use-after-free and elevate privileges.


* Note: Oracle will not be providing a zero downtime update for CVE-2018-15594.

CVE-2018-15594 is a Spectre v2 leak in paravirt kernels.  This impacts
Xen and KVM VM guest kernels where retpoline is used as the Spectre v2
mitigation.  Enabling IBRS for Spectre v2 mitigation or upgrading to a
newer kernel mitigates CVE-2018-15594.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-3900.

CVE-2019-3900 is a denial-of-service for vhost devices.  Virtual Machine
hosts using vhost devices for networking untrusted guests should reboot
into a newer kernel to mitigate CVE-2019-3900.


* Note: Oracle will not be providing a zero downtime update for CVE-2018-13095.

CVE-2018-13095 is a denial-of-service when mounting maliciously crafted
XFS filesystems.  Systems that allow mounting of untrusted filesystems
should reboot into the latest released kernel.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list