[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2020-5914)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Dec 4 09:47:12 PST 2020


Synopsis: ELSA-2020-5914 can now be patched using Ksplice

CVEs:
CVE-2019-16089 CVE-2019-19036 CVE-2019-19448 CVE-2019-19770 CVE-2020-10768
CVE-2020-11565 CVE-2020-12114 CVE-2020-12656 CVE-2020-12826 CVE-2020-13974
CVE-2020-14381 CVE-2020-14390 CVE-2020-24490 CVE-2020-25211 CVE-2020-25641
CVE-2020-25643 CVE-2020-25645 CVE-2020-26088 CVE-2020-26541 CVE-2020-8648
CVE-2020-8694

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5914.
More information about this advisory can be found at
https://linux.oracle.com/errata/ELSA-2020-5914.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
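The install step above, wrapped in the checks an operator usually wants around it (is this host actually on UEKR6 5.4.17, is autoinstall already doing the work, and did every live-patchable CVE from this announcement land). This is an added example, not Oracle's tooling. It assumes UEKR6 release strings of the form `5.4.17-<build>.el7uek.<arch>` / `.el8uek.<arch>`, that `uptrack-show` prints one installed update per line with the CVE identifier in its description (as in the descriptions in this announcement), and that `uptrack-uname -r` prints the effective kernel release; the sample inputs in the tests are constructed:

```shell
#!/bin/sh
# Added example, not Oracle's tooling: wraps "uptrack-upgrade -y" in the
# checks an operator wants. Assumptions not stated on the page: UEKR6 5.4.17
# release strings look like "5.4.17-<build>.el7uek.<arch>" or ".el8uek.";
# `uptrack-show` prints one installed update per line with the CVE id in
# its description; `uptrack-uname -r` prints the effective kernel release.
# Run as root with KSPLICE_RUN=1 to actually apply and verify.

# The CVEs this announcement says are live-patchable. The three it explicitly
# does not live-patch (CVE-2020-12656, CVE-2020-14381, CVE-2020-26541) are
# left out on purpose so they are not reported as missing.
ELSA_2020_5914_CVES="CVE-2019-16089 CVE-2019-19036 CVE-2019-19448 CVE-2019-19770
CVE-2020-10768 CVE-2020-11565 CVE-2020-12114 CVE-2020-12826 CVE-2020-13974
CVE-2020-14390 CVE-2020-24490 CVE-2020-25211 CVE-2020-25641 CVE-2020-25643
CVE-2020-25645 CVE-2020-26088 CVE-2020-8648 CVE-2020-8694"

# Returns 0 when $1 (a `uname -r` string) is a UEKR6 5.4.17 kernel on OL7/OL8.
uekr6_kernel() {
    case "$1" in
        5.4.17-*.el7uek.*|5.4.17-*.el8uek.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the config file at $1 has an active "autoinstall = yes"
# line (case and whitespace tolerant; commented-out lines do not count).
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" 2>/dev/null
}

# Prints each CVE from the list in $1 that has no matching CVE identifier
# anywhere in the uptrack-show output passed as $2 (one per line; empty
# output means everything is present).
missing_cves() {
    shown=$(printf '%s\n' "$2" | grep -Eo 'CVE-[0-9]{4}-[0-9]+' | sort -u)
    for cve in $1; do
        printf '%s\n' "$shown" | grep -qxF "$cve" || printf '%s\n' "$cve"
    done
}

main() {
    running=$(uname -r)
    if ! uekr6_kernel "$running"; then
        echo "kernel $running is not UEKR6 5.4.17; ELSA-2020-5914 does not apply" >&2
        return 1
    fi
    if autoinstall_enabled /etc/uptrack/uptrack.conf; then
        echo "autoinstall = yes: Uptrack installs these updates on its own"
    else
        /usr/sbin/uptrack-upgrade -y || return 1
    fi
    # Verification: every live-patchable CVE from the announcement should now
    # be listed by uptrack-show (with autoinstall it may simply not have
    # polled yet, in which case the missing list says what to wait for).
    left=$(missing_cves "$ELSA_2020_5914_CVES" "$(/usr/sbin/uptrack-show)")
    if [ -n "$left" ]; then
        echo "updates still missing:" >&2
        printf '  %s\n' $left >&2
        return 2
    fi
    echo "effective kernel: $(/usr/sbin/uptrack-uname -r)"
    echo "note: CVE-2020-14381 is not live-patched; Oracle recommends a reboot"
}

if [ -n "${KSPLICE_RUN:-}" ]; then
    main "$@"
fi
```

The three pure functions take their input as arguments so they can be exercised against constructed strings and files without Ksplice installed; only `main` touches the real host, and only when `KSPLICE_RUN=1` is set.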


DESCRIPTION

* CVE-2020-25211: Denial-of-service in Netfilter due to out-of-bounds memory access.

A flaw in the Netfilter conntrack netlink handling could lead to an
out-of-bounds memory access. A local user able to submit conntrack
netlink configuration could use this flaw to crash the system, causing
a denial-of-service.

Orabug: 31872853, 31872865


* CVE-2020-26088: Missing permissions check when creating raw sockets.

A missing CAP_NET_RAW capability check in the NFC raw socket creation
path allows unprivileged local users to create raw NFC sockets that
should be reserved to privileged processes.


* CVE-2020-13974: Integer overflow in virtual terminal keyboard interface.

Improper handling of ASCII key events in the kernel's virtual terminal
driver could lead to an integer overflow on repeated keypresses. This
could potentially result in an unspecified security impact.


* CVE-2019-19770: Use-after-free in the debugfs use by blktrace.

A race condition in blktrace's use of debugfs can cause it to dereference
a buffer that has already been freed, a use-after-free.


* CVE-2020-12114: Denial-of-service due to memory corruption in the VFS mount code.

A race condition in the VFS mount handling (pivot_root) could corrupt a
mountpoint reference counter, resulting in a system crash. A local user
could use this flaw to cause a denial-of-service (DoS).


* CVE-2020-14390: Memory corruption when resizing the framebuffer.

A logic error when handling framebuffer console resizing and scrollback
could lead to memory corruption. A local user could use this to cause a
denial-of-service or possibly arbitrary code execution or privilege
escalation.

Orabug: 31914650


* Memory corruption when writing to the pressure interface.

Pressure information for each resource in the system is exposed through
the respective file under /proc/pressure/: cpu, memory, and io. Issuing a
write request with a count of 0 on any file under /proc/pressure/ could
result in memory corruption and eventually a kernel crash. A local,
privileged user could use this flaw to cause a denial-of-service.


* CVE-2020-25645: Possible information leak between encrypted geneve endpoints.

A logic error in the geneve driver could cause traffic between two geneve
endpoints to be sent in the clear even though IPsec is configured to
encrypt it. This may allow unintended parties on the network path to view
confidential data.

Orabug: 32013938


* CVE-2020-25643: Memory corruption in WAN HDLC-PPP due to missing error checking.

Missing error handling in the WAN HDLC-PPP implementation could lead to
memory corruption. A local user could use this flaw to cause a
denial-of-service or arbitrary code execution.

Orabug: 31989185


* CVE-2020-24490: Privilege escalation in Bluetooth subsystem due to heap buffer overflow.

A flaw in the Bluetooth implementation could lead to a heap buffer
overflow when processing extended advertising report events. A remote
attacker within Bluetooth range could use this flaw to cause a denial of
service or potentially execute arbitrary code on the system by sending
a specially crafted Bluetooth packet.


* CVE-2020-8694: Platypus Attack Mitigation.

The PLATYPUS side-channel attack uses the Intel RAPL energy counters
exposed by the kernel's powercap driver to leak information. An
unprivileged local user could use this to infer confidential data.

Orabug: 32040802


* CVE-2019-19448: Use-after-free in Btrfs filesystem with a crafted btrfs filesystem image.

Mounting a crafted btrfs filesystem image, performing some operations on
it and then issuing a syncfs system call could lead to a use-after-free
in the Btrfs filesystem. A local user with physical access to the system
and a malicious device could use this flaw to cause a system crash or
execute arbitrary code on the system.


* CVE-2020-11565: Out-of-bounds access when mounting tmpfs.

A missing check on mpol mount option when mounting tmpfs could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-16089: Denial-of-service while checking NBD netlink status.

A failure to check for errors from certain function calls in the NBD
netlink status path can lead to a NULL pointer dereference and
subsequent kernel panic.  A local user could potentially exploit this
flaw to cause a denial-of-service.

Orabug: 31972480


* CVE-2019-19036: Denial-of-service during btrfs btree operations.

A logic error in the btrfs code path which handles btree operations can
lead to a kernel assertion being triggered, resulting in a system panic.
A local attacker could exploit this flaw using a crafted btrfs image to
cause a denial-of-service.


* CVE-2020-12826: Privilege escalation in process signal handling.

A logic error in the way signals are sent from a child to its parent
could let a child send any signal to the parent. A local attacker could
use this flaw to escalate privileges.


* Improved fix to CVE-2020-8648: Use-after-free in the virtual terminal driver.

A locking error in the virtual terminal driver could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service or escalate privileges.


* CVE-2020-10768: Information leak using Spectre V2 gadgets due to incorrect prctl configuration.

A logic error could let a local user enable indirect branch prediction
even if it has been force disabled to mitigate Spectre V2 attacks. A
local attacker could use this flaw to leak information about a victim
process.


* CVE-2020-25641: Denial-of-service in biovec when a zero-length biovec is issued.

A flaw in the biovec implementation could cause the system to enter an
infinite loop when a zero-length biovec request is issued to the block
subsystem. A local, unprivileged user could exploit this vulnerability
to cause a denial-of-service.

Orabug: 31955136

* Note: Oracle will not provide a live update for CVE-2020-12656.

CVE-2020-12656 is a disputed CVE for a memory leak which can only be
leveraged by the root user by loading and unloading kernel modules.


* Note: Oracle will not provide a live update for CVE-2020-14381.

Oracle has determined that patching this vulnerability live on a running
system would not be safe and recommends rebooting the affected hosts.
The vulnerability applies to hosts where untrusted users can create
futexes on a filesystem that is about to be unmounted, and as such it
requires a privileged user to unmount the filesystem at the right time
to be leveraged.


* Note: Oracle will not provide an update for CVE-2020-26541.

CVE-2020-26541 is only applicable at boot time; by the time Oracle
Ksplice live updates are applied, the relevant code has already run and
cannot be used to compromise the host.

Orabug: 31961115


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

