[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2019-4685)

Tue Jun 18 05:27:44 PDT 2019

Synopsis: ELSA-2019-4685 can now be patched using Ksplice
CVEs: CVE-2017-7308 CVE-2018-14633 CVE-2018-14634 CVE-2018-20836 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11810 CVE-2019-11815 CVE-2019-11884

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4685.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-4685.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2019-11477, CVE-2019-11478, CVE-2019-11479: Remote Denial-of-service in TCP stack.

A number of errors in the TCP stack could result in a remotely
triggerable denial of service on links with a small Maximum Segment Size
(MSS).  A remote user could use a maliciously crafted TCP stream to
either panic the system or exhaust resources.

A new sysctl, ksplice_net_ipv4.tcp_min_snd_mss can be used to to adjust
the minimum Maximum Segment Size and defaults to 48 bytes.

Orabug: 29890784, 29882565

* CVE-2018-14633: Information leak in iSCSI CHAP authentication.

A stack overflow in the iSCSI CHAP authentication MD5 computation could
result in an out of bounds access and denial of service or potentially
leaking sensitive data by an unauthenticated remote user.

Orabug: 29778873

* CVE-2018-14633: Permission bypass in SCSI authentication request process.

A logic error in SCSI authentication request process could lead to a
buffer overflow. A local attacker could use this flaw to expose SCSI
content without permission.

Orabug: 29778873

* Denial-of-service in Reliable Datagram Socket reconnection.

Incorrect timeout logic when performing a reconnection to the same IP
address could result in a flood of reconnect attempts.  This could be
exploited by a local user to trigger a network denial of service on the
interface.

Orabug: 29629985

* CVE-2018-20836: Use-after-free in SCSI SAS timeout.

A logic error when performing task completion for a SCSI SAS SMP timeout
could result in a use-after-free and kernel crash.

Orabug: 29783151

* CVE-2019-11810: Denial-of-service in LSI Logic MegaRAID probing.

A logic error in the LSI Logic MegaRAID device probing could result in a
NULL pointer dereference and kernel crash under specific conditions.

Orabug: 29783169

* CVE-2019-11884: Information leak in Bluetooth HIDP HIDPCONNADD ioctl().

Missing string termination in the Bluetooth HIDP HIDPCONNADD ioctl()
could result in leaking the contents of the kernel stack to a local
user.

Orabug: 29786769

* CVE-2019-11815: Use-after-free in RDS socket creation.

A logic error in the RDS code could fail to properly clean up a socket once
it is destroyed, which could then lead to a use-after-free on a new socket
creation.  This could be used to cause a denial-of-service.

Orabug: 29802783

* Kernel crash in OCFS2 reading of deleted inodes.

A race condition when reading an inode that has been deleted could
result in a kernel crash under specific conditions.

Orabug: 29811589

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.