[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2020-5676)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu May 21 14:04:14 PDT 2020


Synopsis: ELSA-2020-5676 can now be patched using Ksplice
CVEs: CVE-2018-19854 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 CVE-2019-19527 CVE-2019-19532 CVE-2019-19768 CVE-2019-19965 CVE-2019-20096 CVE-2020-11494 CVE-2020-2732 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-9383

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5676.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5676.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
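Added example (not part of the announcement or of the Ksplice tooling): a small POSIX shell script that decides whether the manual `uptrack-upgrade -y` step above is needed by reading the `autoinstall` setting, and reports which of this advisory's CVEs an installed-updates listing does not yet mention. It assumes `/etc/uptrack/uptrack.conf` uses `key = value` lines with `#` comments, and that the listing has the shape `[update-id] description` (the sample inputs below are constructed).

```shell
#!/bin/sh
# Added example, not Oracle's code. Decides whether the ELSA-2020-5676 Ksplice
# updates need a manual "uptrack-upgrade -y" and checks which advisory CVEs are
# not yet present in an installed-updates listing.

# CVE list taken from the advisory header above.
ADVISORY_CVES="CVE-2018-19854 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816
CVE-2019-19527 CVE-2019-19532 CVE-2019-19768 CVE-2019-19965 CVE-2019-20096
CVE-2020-11494 CVE-2020-2732 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649
CVE-2020-9383"

# autoinstall_enabled CONF: exit 0 if CONF sets "autoinstall = yes"
# (case-insensitive, ignoring '#' comments and surrounding whitespace).
autoinstall_enabled() {
    sed -e 's/#.*//' "$1" \
      | tr '[:upper:]' '[:lower:]' \
      | grep -Eq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# missing_cves LISTING: print, one per line, advisory CVEs that LISTING does
# not mention. The trailing [^0-9] guard keeps CVE-2020-8647 from matching a
# longer id such as CVE-2020-86470.
missing_cves() {
    for cve in $ADVISORY_CVES; do
        grep -qE "$cve([^0-9]|$)" "$1" || echo "$cve"
    done
}

# Constructed sample inputs; the update ids are placeholders, not real ones.
SAMPLE_CONF=$(mktemp); SAMPLE_LIST=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[Main]
# autoinstall = yes   <- commented out, so the manual upgrade is required
autoinstall = no
EOF
cat >"$SAMPLE_LIST" <<'EOF'
Installed updates:
[xxxxxxxx] CVE-2020-9383: Information leak in floppy disk driver.
[yyyyyyyy] CVE-2020-8647, CVE-2020-8649: Use-after-free in the VGA text console driver.
EOF

if autoinstall_enabled "$SAMPLE_CONF"; then
    echo "autoinstall is on; Uptrack will apply the updates itself"
else
    echo "autoinstall is off; run: /usr/sbin/uptrack-upgrade -y"
fi
echo "Advisory CVEs not yet in the installed-updates listing:"
missing_cves "$SAMPLE_LIST"
rm -f "$SAMPLE_CONF" "$SAMPLE_LIST"
```

On a real host, point the functions at /etc/uptrack/uptrack.conf and at the saved output of the installed-updates listing instead of the constructed samples.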


DESCRIPTION

* Out-of-bounds access when classifying network packets with traffic control index.

A logic error when classifying network packets with traffic control
index could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.

Orabug: 31181100


* NULL dereference while writing Hyper-V SINT14 MSR.

It is possible for KVM's IOAPIC scan logic to be triggered
inappropriately when attempting to write to Hyper-V's SINT14 MSR.
If an IOAPIC has not been initialized, this can lead to a NULL
dereference, and subsequent kernel panic.  This could be used
to cause a denial-of-service.

Orabug: 31004914


* CVE-2020-9383: Information leak in floppy disk driver.

A flaw in the floppy driver could lead to an out-of-bounds read, causing
an information leak when assigning the floppy disk controller.

Orabug: 31067513


* NULL pointer dereference when initializing Differentiated Services marker driver.

A missing check when initializing the Differentiated Services marker
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.

Orabug: 30453287


* CVE-2018-19854: Information leak in cryptography socket NETLINK_CRYPTO call.

Incorrect string copying in the NETLINK_CRYPTO report could result in
leaking the contents of kernel stack memory to an unprivileged local
user.

Orabug: 31081816


* CVE-2019-19965: Denial-of-service in SCSI device removal.

A race condition when probing SCSI devices could result in a NULL
pointer dereference and kernel crash.  A local user with privileges to
add or remove SCSI devices could use this flaw to crash the system.

Orabug: 30770911


* Invalid memory access when sending an excessively large packet using Segmentation Offloads.

A missing check when sending an excessively large packet using
Segmentation Offloads could lead to an invalid memory access. A local
attacker could use this flaw to cause a denial-of-service.

Orabug: 31161828


* Livelock in loop device block resize operation.

A failure to handle a block size change on an existing loopback device can
result in a livelock. A local user with the ability to configure a loopback
device could use this flaw to cause a denial-of-service.

Orabug: 31161462


* CVE-2019-14814, CVE-2019-14815, CVE-2019-14816: Denial-of-service when parsing access point settings in Marvell WiFi-Ex driver.

Logic errors when parsing access point settings in Marvell WiFi-Ex
driver could lead to buffer overflows. A local attacker could use this
flaw to cause a denial-of-service.

Orabug: 31104480


* CVE-2019-20096: Memory leak while changing DCCP socket SP feature values.

Under certain conditions, it is possible for the __feat_register_sp
function to leak small amounts of memory.  This could potentially be
exploited by a local attacker to waste system resources and degrade
performance, or to aid in another type of attack.

Orabug: 30755059


* Improved fix for CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.

The fix for CVE-2020-2732 might result in a failure for some guest
systems to correctly boot.

Orabug: 31118690


* Race condition in ipoib during high request load causes denial-of-service.

A race condition in ipoib request queue handling could result in
requests never being processed, effectively causing a denial of ipoib
service.

Orabug: 31118993


* CVE-2020-11494: Information leak in serial line CAN device communication.

When communicating with a CAN device over serial, a buffer structure is
transmitted without proper sanitization, potentially exposing stack
memory over the network.

Orabug: 31136752


* Use-after-free when removing generic block device.

A race condition when accessing a block device that is in the process of
being removed could result in the device structure being accessed after
freed. This could result in memory corruption or a denial-of-service.

Orabug: 31161462


* Memory corruption when reading EFI sysfs entries.

If multiple threads read an EFI sysfs variable with a size greater than
1024 bytes, one thread's buffer variable might be overwritten by the
other, resulting in memory corruption or a kernel crash.

Orabug: 30990726


* CVE-2020-8648: Use-after-free in virtual terminal selection buffer.

Invalid locking around the kernel virtual terminal selection buffer
handling could result in memory corruption if a race occurred between
reading and writing the buffer.

Orabug: 30923296


* Various Spectre-V1 information leaks in KVM.

Various array accesses in KVM lack protection against Spectre variant
1 type attacks. An attacker could exploit this bug to read privileged
kernel memory.

Orabug: 31191092


* CVE-2019-19527: Denial-of-service in USB HID device open.

A race condition when opening a USB HID device could result in a
use-after-free and kernel crash.

Orabug: 31206359


* CVE-2020-8647, CVE-2020-8649: Use-after-free in the VGA text console driver.

A missing check when resizing the console in the VGA text console driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 31143946


* CVE-2019-19532: Denial-of-service when initializing HID devices.

A failure to properly check a device-controlled parameter in the USB
HID (bluetooth) subsystem could lead to reading or writing past memory
bounds. An attacker could exploit this bug with a specially crafted USB
device to escalate privileges or cause a denial-of-service.

Orabug: 30622561


* Divide-by-zero when CPU capacity changes causes denial-of-service.

Incorrect comparisons between 32 and 64-bit integers when CPU capacity
changes could result in a denial-of-service on systems with extremely
large numbers of CPU cores.

Orabug: 31124463


* CVE-2019-19768: Use-after-free when reporting an IO trace.

Lack of correct synchronization between releasing a structure used to store
a trace and filling that structure could lead to a use-after-free.  A local
user with the ability to enable tracing on the block IO sub-system could
use this flaw to cause a denial-of-service or potentially escalate
privileges.

Orabug: 31123575

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
