[El-errata] New Ksplice updates for UEKR3 3.8.13 on OL6 and OL7 (ELSA-2019-4636)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue May 21 03:43:37 PDT 2019
Synopsis: ELSA-2019-4636 can now be patched using Ksplice
CVEs: CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4636.
More information about this errata can be found at
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR3 3.8.13 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* Ksplice NMI patching enablement update.
Patching the NMI entry/exit code is subject to race conditions when
disabling and re-enabling IBRS on concurrent NMI.
* CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, CVE-2018-12127: Microarchitectural Data Sampling.
A hardware vulnerability on various Intel x86 processors can allow a process to
speculatively access privileged information stored in CPU microarchitectural
buffers. A local user or guest VM could use this flaw to learn information
about the host kernel or hypervisor and use this to facilitate a further
Updated microcode is required for the mitigation to be effective, please see
the output of /sys/devices/system/cpu/vulnerabilities/mds to determine whether
the microcode supports the mitigation.
This update does not mitigate the vulnerability when SMT is in use. SMT can be
disabled with the following command:
echo off > /sys/devices/system/cpu/smt/control
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata