[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2020-5845)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Oct 2 06:02:38 PDT 2020


Synopsis: ELSA-2020-5845 can now be patched using Ksplice

CVEs: CVE-2014-9900 CVE-2015-2150 CVE-2017-18552 CVE-2018-1000026
CVE-2018-1128 CVE-2018-1129 CVE-2018-13096 CVE-2018-13097 CVE-2018-13098
CVE-2018-13100 CVE-2018-14613 CVE-2018-14614 CVE-2018-16882 CVE-2018-17972
CVE-2018-18281 CVE-2018-20169 CVE-2018-20784 CVE-2018-20976 CVE-2019-0136
CVE-2019-10220 CVE-2019-11487 CVE-2019-14898 CVE-2019-15117 CVE-2019-15118
CVE-2019-15211 CVE-2019-15218 CVE-2019-15902 CVE-2019-15918 CVE-2019-15921
CVE-2019-15927 CVE-2019-16746 CVE-2019-17075 CVE-2019-17133 CVE-2019-18805
CVE-2019-18885 CVE-2019-19049 CVE-2019-19051 CVE-2019-19052 CVE-2019-19063
CVE-2019-19066 CVE-2019-19073 CVE-2019-19074 CVE-2019-19523 CVE-2019-19528
CVE-2019-19530 CVE-2019-19535 CVE-2019-19536 CVE-2019-19642 CVE-2019-19768
CVE-2019-19807 CVE-2019-19922 CVE-2019-2024 CVE-2019-20812 CVE-2019-2101
CVE-2019-3874 CVE-2019-3900 CVE-2019-5108 CVE-2019-9245 CVE-2019-9453
CVE-2019-9455 CVE-2019-9458 CVE-2019-9506 CVE-2020-0067 CVE-2020-0305
CVE-2020-10720 CVE-2020-10751 CVE-2020-10767 CVE-2020-10769
CVE-2020-10781 CVE-2020-11565 CVE-2020-12114 CVE-2020-12771 CVE-2020-13974
CVE-2020-14331 CVE-2020-16166 CVE-2020-1749 CVE-2020-24394 CVE-2020-8992

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5845.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5845.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
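
As an added example (not part of Oracle's Ksplice tooling), the POSIX shell
helpers below perform the two checks that follow from the instructions
above: whether autoinstall is enabled in /etc/uptrack/uptrack.conf, and
which CVEs from this advisory are still missing from saved uptrack-show
output. The uptrack-show line format ("[update-id] CVE-...: title") and the
sample files written by demo() are assumptions constructed for the
example.

```sh
#!/bin/sh
# Added example, not part of Oracle's Ksplice tooling: two checks a
# practitioner might run after reading this advisory.

# 1. uptrack_autoinstall_enabled [CONF]
#    Returns 0 if the config enables autoinstall, 1 if not, 2 if the file
#    is unreadable. Comment lines and surrounding whitespace are ignored.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 2
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# 2. uptrack_missing_cves SHOW_OUTPUT CVE...
#    SHOW_OUTPUT is a file holding saved `uptrack-show` output. Prints each
#    CVE that does not appear in it; returns 0 if all are covered, 1 if any
#    is missing, 2 if the file is unreadable. Assumed line format (not
#    verified against Oracle's documentation): "[update-id] CVE-YYYY-NNNN: Title".
#    -w keeps a prefix such as CVE-2020-1076 from matching CVE-2020-10767.
uptrack_missing_cves() {
    show="$1"; shift
    [ -r "$show" ] || return 2
    rc=0
    for cve in "$@"; do
        if ! grep -Fqw -- "$cve" "$show"; then
            echo "$cve"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed input so the script runs offline. On a real system
# use /etc/uptrack/uptrack.conf and `uptrack-show > /tmp/uptrack-show.txt`.
demo() {
    d=$(mktemp -d) || return 1
    printf '# constructed sample uptrack.conf\nautoinstall = yes\n' > "$d/uptrack.conf"
    printf 'Installed updates:\n[abcd1234] CVE-2020-10767: Information leak using Spectre V2 attack due to IBPB being disabled.\n[efgh5678] CVE-2019-19073, CVE-2019-19074: Denial-of-service in the ath9k wireless driver.\n' > "$d/show.txt"

    if uptrack_autoinstall_enabled "$d/uptrack.conf"; then
        echo "autoinstall: enabled (updates are applied automatically)"
    else
        echo "autoinstall: disabled (run /usr/sbin/uptrack-upgrade -y)"
    fi

    echo "CVEs from ELSA-2020-5845 not yet visible in uptrack-show:"
    uptrack_missing_cves "$d/show.txt" CVE-2020-10767 CVE-2019-19074 CVE-2018-20169 CVE-2020-10751 \
        || echo "(some of the advisory's CVEs are not covered yet)"
    rm -rf "$d"
}
demo
```

One caveat when feeding the CVE list from the top of this advisory into
uptrack_missing_cves: CVEs for which Oracle states it will not provide a
zero-downtime update (CVE-2019-19049, CVE-2018-1128, CVE-2019-15211 and
CVE-2019-19922 in this announcement) never appear in uptrack-show, so
exclude them or they will be reported as missing.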


DESCRIPTION

* CVE-2018-20169: Missing bound check when reading extra USB descriptors.

A failure to properly check the minimum and maximum size of an extra USB
descriptor in the USB sub-system could lead to reading or writing past
memory bounds.  An attacker with the ability to send specially crafted
extra descriptors from a USB device could use this flaw to escalate
privileges or cause a denial-of-service.


* CVE-2018-1000026: Denial-of-service when receiving an invalid packet on a bnx2x network card.

Missing input validation when receiving an invalid packet on a bnx2x
network card could lead to a network outage. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2020-0067: Out-of-bounds read due to a missing bounds check in F2FS filesystem support.

A missing bounds check in the extended attribute list operation of the
F2FS filesystem implementation could lead to local information
disclosure. A local user could use this flaw to leak kernel memory
contents.


* CVE-2018-18281: Information leak in mremap syscall.

A logic error in the mremap code could allow one process to access
memory of a different process.


* CVE-2018-13097: Out-of-bounds access in superblock of F2FS filesystem.

A missing check in code handling superblock of F2FS filesystem could
lead to an out-of-bounds access or a divide by zero error. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2019-19063: Denial-of-service in the rtlwifi driver.

A bug in the error path during initialization of the rtlwifi USB driver
leads to a memory leak. An attacker with physical access could use this
flaw to cause a denial-of-service.


* CVE-2019-0136: Denial-of-service in Intel(R) wifi driver.

Insufficient access control in the Intel(R) PROSet/Wireless WiFi driver
may allow an unauthenticated user in the same network to cause a
denial-of-service.


* CVE-2018-20784: Denial-of-service in task scheduling.

A logic error in the kernel task scheduler could result in an infinite
loop under high load conditions.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* CVE-2018-20976: Use-after-free when mounting XFS filesystem.

A logic error when mounting an XFS filesystem fails during superblock
creation could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2015-2150: Denial-of-service in Xen host from the guest.

A flaw in the Xen hypervisor allows guests to disable PCI_COMMAND on PCI
device reset, later causing a host crash when the guest tries to access the
device.  A local guest user could use this flaw to cause a
denial-of-service in the host.


* CVE-2019-19523: Use-after-free when disconnecting ADU USB devices.

Logic errors when disconnecting ADU USB devices could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-16882: Privilege escalation in nested Intel KVM interrupts.

A use-after-free in the Intel KVM posted interrupt handling code could
allow a privileged user in a guest to gain code execution on the L1
hypervisor.


* CVE-2019-19052: Memory leak when opening USB Socket CAN device driver.

A missing free of resources when opening a USB SocketCAN device fails
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* CVE-2018-13100: Denial-of-service when mounting a crafted F2FS image with an invalid secs_per_zone.

A missing check when mounting a crafted F2FS image with an invalid
secs_per_zone could lead to a divide by zero error. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2019-15927: Out-of-bounds accesses in the USB audio driver.

A missing check in the USB audio driver could lead to out-of-bounds
accesses. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-9506: Information disclosure when transmitting over bluetooth.

The Bluetooth BR/EDR specification permits sufficiently low encryption key
length and does not prevent an attacker from influencing the key length
negotiation. This allows practical brute-force attacks (aka "KNOB") that can
decrypt traffic and inject arbitrary ciphertext without the victim noticing.

This kernel fix rejects connections that negotiate an arbitrarily short
encryption key. The underlying flaw, however, is in the protocol itself,
so we encourage customers to also upgrade the firmware on their Bluetooth
devices.


* CVE-2019-5108: Denial-of-service of a wireless access point during roaming of a station.

A logic error in the protocol implementation when a station connects to
an access point during roaming could let an attacker within the internal
network cause a denial-of-service of the access point.


* CVE-2020-10751: SELinux bypass in netlink message validation.

A failure to correctly process multiple netlink messages in the SELinux
implementation can result in incorrectly allowing messages to be sent. A
local user could use this flaw to bypass SELinux restrictions.


* Oracle will not provide zero-downtime update for CVE-2019-19049.

Oracle has determined that the vulnerability does not affect a
running system.


* CVE-2019-15918: Out-of-bounds access during CIFS mount.

A subtle error in handling certain combinations of mount options can
cause an out-of-bounds access in the CIFS mount path.  This could cause
a system to exhibit unexpected behavior, and may lead to a
denial-of-service.


* CVE-2019-9245: Information leak in F2FS via extended attribute entry_size.

When reading extended attributes on a Flash-Friendly File System, a
specially crafted attribute request could potentially expose kernel
memory to userspace.


* CVE-2019-2024: Use-after-free when disconnecting an Empia EM28xx USB device.

A logic error when disconnecting an Empia EM28xx USB device could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-13974: Integer overflow in virtual terminal keyboard interface.

Improper handling of ASCII key events in the kernel's virtual terminal
driver could lead to an integer overflow on repeated keypresses. This
could potentially result in an unspecified security impact.


* CVE-2019-19528: Denial-of-service when disconnecting an IO Warrior USB device.

Logic errors when disconnecting an IO Warrior USB device could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2020-12114: Race condition in mountpoint counter causes DoS.

A race condition in synchronization surrounding the reference counter of
a filesystem mount point could allow a malicious user to corrupt the
counter, causing a kernel assertion failure and denial-of-service.


* CVE-2019-19807: Use-after-free when registering timer in ALSA driver.

A logic error when registering a timer in the ALSA driver fails could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2019-15218: Denial-of-service in Siano Mobile Digital TV USB tuner probing.

Missing error checking when setting up endpoints for a Siano Mobile
Digital TV tuner could result in an invalid pointer dereference and
kernel crash.  A physically present user with a malicious device could
use this flaw to crash the system.


* Note: Oracle will not be providing a zero downtime update for CVE-2018-1128.


* CVE-2019-19530: Denial-of-service in USB CDC-ACM probing.

Incorrect reference counting when probing a USB CDC-ACM device could
result in a use-after-free and kernel crash.  A local user with the
ability to insert USB devices could use this flaw to crash the system.


* CVE-2020-11565: Out-of-bounds access when mounting tmpfs.

A missing check on the mpol mount option when mounting tmpfs could lead
to an out-of-bounds access. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2019-2101: Information leak when initializing a usb video device.

Incomplete input validation in the uvcvideo subsystem leads to an
out-of-bound read when initializing a USB video device. A malicious
device could exploit this vulnerability to read privileged kernel memory
and possibly escalate privilege.


* CVE-2019-15117: Out-of-bounds access when parsing a USB descriptor in the ALSA USB driver.

A missing check when parsing a USB descriptor in the ALSA USB driver
could lead to an out-of-bounds access. A local attacker could use this
flaw to cause a denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2019-15211.


* CVE-2018-14614: Out-of-bounds access when removing a dirty segment in the F2FS filesystem.

A logic error when removing a dirty segment in the F2FS filesystem could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Improved fix for CVE-2018-17972: Information leak in /proc kernel stack dumps.

A failure to restrict access to /proc/self/task/*/stack to root only
could allow an unprivileged user to obtain information about the kernel
stack and its contents for another process.


* CVE-2019-19066: Denial-of-service in the SCSI bfa driver.

While querying port statistics in the SCSI bfa driver, incorrect error
handling causes a memory leak. An attacker could possibly exploit this
to cause a denial-of-service.


* CVE-2019-15118: Stack overflow when checking input source type in ALSA USB driver.

A logic error when checking input source type in ALSA USB driver could
lead to a stack overflow. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2019-19051: Memory leak when changing the power status of the Intel Wireless WiMAX Connection 2400 driver.

A missing free of resources when changing the power status of the Intel
Wireless WiMAX Connection 2400 driver could lead to a memory leak. A
local attacker could use this flaw to exhaust kernel memory and cause a
denial-of-service.


* CVE-2018-1129: Signature check bypass of cephx message.

An incorrect computation of a message's signature in the cephx
authentication protocol could let an attacker bypass the signature check
and alter the message payload. Note that existing Ceph client
connections are not protected against this CVE until the client is
restarted.


* CVE-2019-3900: Infinite loop in vhost_net driver under heavy load.

It is possible, under certain conditions, for the vhost_net driver to
get caught in a near-infinite loop while trying to process incoming
packets.  This flaw could be exploited by a malicious local or remote
attacker to deny access to network services that rely on the vhost_net
driver.


* CVE-2020-1749: Information disclosure in IPv6 IPSec tunneling.

A logic error in the IPv6 implementation of IPSec can lead to some
protocols being routed outside of the IPSec tunnel in an unencrypted
form. A network based attacker could use this flaw to read confidential
information.


* CVE-2019-11487: Invalid memory access when overflowing pages refcount.

A reference counting issue could let an attacker overflow the page
reference count and cause invalid memory accesses. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2019-18805: Denial-of-service in IPv4 round trip time configuration.

A failure to validate a change to the round trip time for IPv4 can
result in undefined behaviour. A local user with the ability to
configure this value could use this flaw to cause a denial-of-service.


* CVE-2019-19535, CVE-2019-19536: Information leak when initializing PCAN-USB device.

When loading the PCAN-USB driver, the kernel passes an uninitialized
buffer to the device. This could leak privileged kernel memory to the
device and allow a malicious device to escalate privileges.


* CVE-2018-13098: Out-of-bounds read when mounting F2FS filesystem.

A failure to correctly validate inodes when mounting an F2FS filesystem can
result in an out-of-bounds read. A local user with the ability to mount an F2FS
filesystem could use this flaw to leak information from the kernel.


* CVE-2018-13096: Out-of-bounds access when mounting F2FS image.

A logic error when mounting a specially crafted F2FS image with an
abnormal bitmap size could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2019-9453: Out-of-bounds access when parsing an extended attribute of an F2FS filesystem.

A logic error when parsing an extended attribute of a corrupted or
specially crafted F2FS filesystem could lead to an out-of-bounds access.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2017-18552: Memory corruption in the RDS protocol.

A lack of input validation in RDS protocol sockets could lead to an
out-of-bounds memory access. An attacker could use this to cause memory
corruption and potentially crash the kernel or elevate privileges.

Orabug: 29037000


* CVE-2019-15921: Denial-of-service in generic netlink socket family.

Incorrect error handling in the generic netlink socket family could lead
to a memory leak. A malicious local user could potentially use this to
cause denial-of-service.


* CVE-2019-20812: Soft lockup in packet sockets with zero timeout.

Due to incorrect logic in the packet socket code, an attacker could
request a zero timeout, which would cause a soft lockup. A malicious
local user could use this to cause a denial-of-service.


* CVE-2019-9458: Use-after-free in V4L2 event subscription.

Due to insufficient locking in the V4L2 driver, an event subscription
could be freed while it is still in use. A malicious user could use
this to cause denial of service or potentially elevate privileges.


* CVE-2019-9455: Information leak in V4L2 when setting output buffer size.

An incorrect check in the V4L2 subsystem could cause potentially
privileged information to be leaked to userspace. A malicious local
user could use this to facilitate other attacks on the kernel.


* CVE-2019-19073, CVE-2019-19074: Denial-of-service in the ath9k wireless driver.

A memory leak during driver initialization in the Atheros HTC-based
wireless subsystem could cause kernel memory exhaustion. An attacker
could exploit this flaw to cause a denial-of-service.

Orabug: 31351570, 31351557


* CVE-2020-10720: Use-after-free in generic receive offload fragmentation.

A use-after-free in the generic receive offload code could result in a
kernel crash when receiving a fragmented packet under specific
conditions.


* CVE-2020-0305: Use-after-free when failing to open file on character device.

A mishandled error case when opening a file on a generic character
device might result in a write to an invalid pointer, potentially
resulting in memory corruption or a denial-of-service.


* CVE-2020-12771: Deadlock during BCache node coalesce failure.

A logic error when taking locks during a coalesce of nodes in the BCache
driver can result in a deadlock.

Orabug: 31350644


* CVE-2019-15902: Bounds-check bypass in sys_ptrace().

An error when backporting the original Spectre v1 fix for ptrace into
stable kernels left it vulnerable to Spectre v1. A local attacker could
exploit this flaw to gain information about the running system.


* CVE-2019-10220: Privilege escalation when parsing a directory from a malicious SMB server.

A logic error in the way paths are parsed in the SMB client could let an
attacker running an SMB server manipulate files outside the shared mount
point on the client side.


* CVE-2020-8992: Deadlock with too big journal size on ext4 filesystem.

Using a too-large journal size on an ext4 filesystem could lead to a
deadlock. A local attacker could use a specially crafted ext4 filesystem
to cause a denial-of-service.


* CVE-2020-10769: Out-of-bounds memory access in authenticated encryption key parsing.

A logic error when reading unaligned keys for authenticated encryption can
lead to an integer underflow and result in an out-of-bounds memory access,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.


* CVE-2014-9900: Information disclosure in Wake-On-LAN driver.

Due to a failure to correctly clear memory, sensitive kernel information
can be disclosed to userspace when information about Wake-On-LAN support
is requested. A local attacker could use this flaw to facilitate a
further attack on the kernel.


* Improved fix for CVE-2019-19768: Use-after-free when reporting an IO trace.

Lack of correct synchronization between releasing a structure used to store
a trace and filling that structure could lead to a use-after-free.  A local
user with the ability to enable tracing on the block IO sub-system could
use this flaw to cause a denial-of-service or potentially escalate
privileges.


* CVE-2019-19642: Denial-of-service in kernel relay file open path.

A failure to properly check the return value of certain calls when
opening a kernel relay file can lead to a NULL pointer dereference, and
subsequent kernel panic.  This flaw could be exploited by a local
unprivileged user to cause a denial-of-service.


* Incorrect reporting of Process Address Space ID on AMD systems.

A logic error when decoding an error in the AMD IOMMU implementation can
result in incorrect information about the error being reported.

Orabug: 31693603


* CVE-2020-24394: Information leak when exporting a filesystem over NFS.

A logic error when exporting a filesystem without ACL support over NFS
could lead to wrong permissions being used for newly created files. An
attacker could use this flaw to leak information stored in this
filesystem.

Orabug: 31779888


* CVE-2019-17075: Denial-of-service in Chelsio T4/T5 RDMA TPT entries.

Incorrect mapping of transfer buffers could result in performing DMA to
an incorrect physical address leading to memory corruption and use of
uninitialized values.  An attacker could use this flaw to crash the
system.

Orabug: 31351782


* CVE-2019-16746: Buffer overflow when receiving beacon over wireless network.

A missing check on a beacon header received over a wireless network could
lead to a buffer overflow. A remote attacker could use this flaw to
cause a denial-of-service.

Orabug: 30785180


* CVE-2020-14331: Out-of-bounds writes in ioctls of Console display driver.

Out-of-bounds writes in the console display driver's ioctls could happen
when calling the VT_RESIZE ioctl to resize the console. This flaw could
allow a local user with access to the VGA console to crash the system or
potentially escalate their privileges.

Orabug: 31705120


* CVE-2020-16166: Confidentiality vulnerability in the generation of the device ID.

A flaw in the generation of device IDs from the network RNG could allow a
remote attacker to make observations that reveal information about the
internal state of the network RNG, compromising data confidentiality.

Orabug: 31698084


* CVE-2019-3874: Denial-of-service by consuming a large amount of memory using SCTP socket.

A wrong accounting of SCTP socket buffers used by userspace application
in the cgroup subsystem could let a local user bypass a cgroup memory
limit and cause a denial-of-service.

Orabug: 31351959


* CVE-2020-10781: Denial-of-service using Zram hot_add file sysfs entry.

A wrong permission setting on the /sys/class/zram-control/hot_add file
could let an attacker create zram device nodes and exhaust kernel memory.
A local attacker could use this flaw to cause a denial-of-service.

Orabug: 31510724


* CVE-2019-17133: Denial-of-service in WiFI SIOCGIWESSID ioctl().

Missing bounds checks when copying an SSID in the SIOCGIWESSID ioctl()
for an 802.11 WiFi device could result in a buffer overflow and kernel
crash.

Orabug: 31351799


* CVE-2018-14613: Multiple denial-of-services in btrfs when mounting crafted images.

Lack of validation of a btrfs filesystem could lead to a denial-of-service.
An attacker could use these flaws with a specially crafted image to cause a
denial-of-service.

Orabug: 31351986


* CVE-2019-14898: Denial-of-service when writing to file-max sysctl.

Lack of bounds check when writing a big number to the file-max sysctl could
cause a denial-of-service.

Orabug: 31350719


* Note: Oracle will not be providing a zero downtime update for CVE-2019-19922.

CVE-2019-19922 is a flaw in the fair scheduler whereby certain workloads
could allow a local attacker to degrade the performance of non-CPU-bound
processes.

Orabug: 31350999


* Channel recovery on transmission timeout in the Mellanox MLX5E driver.

In the case of a lost interrupt when a transmission timeout occurs, the
channels could not be recovered.  This patch adds a mechanism to recover
from this scenario.

Orabug: 31753102


* CVE-2019-18885: Denial-of-service in BTRFS extent verification.

A logic error when verifying extents during mount of a BTRFS filesystem
can result in a NULL pointer dereference, leading to a kernel crash. A
local user with the ability to mount a crafted BTRFS image could use
this flaw to cause a denial-of-service.

Orabug: 31867382


* CVE-2020-10767: Information leak using Spectre V2 attack due to IBPB being disabled.

A logic error when STIBP is not supported by the hardware caused IBPB to
be disabled unconditionally by default. A local attacker could use this
flaw to leak information about other processes.

Orabug: 31867441
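
The symptom of CVE-2020-10767 is visible from userspace: the spectre_v2
sysfs entry reports "IBPB: disabled" on a CPU whose flags do not include
stibp. The shell helpers below (an added example, not Oracle's code)
classify that output. The sysfs string format and the cpuinfo flags
format are assumptions based on upstream kernels of this era, and the
sample strings used when sysfs is not readable are constructed.

```sh
#!/bin/sh
# Added example, not Oracle's code: classify the IBPB state reported by
# /sys/devices/system/cpu/vulnerabilities/spectre_v2 and check whether the
# CPU advertises STIBP. Assumed formats (upstream kernels of this era):
#   spectre_v2: "Mitigation: Full generic retpoline, IBPB: conditional,
#                IBRS_FW, STIBP: disabled, RSB filling"
#   /proc/cpuinfo "flags" line: space-separated, contains "stibp" when
#   the CPU supports it.

# ibpb_state STRING: 0 = IBPB conditional/always-on, 1 = "IBPB: disabled",
# 2 = no IBPB field at all (e.g. "Not affected", "Vulnerable", or a CPU
# without the IBPB feature).
ibpb_state() {
    case "$1" in
        *"IBPB: disabled"*) return 1 ;;
        *"IBPB: conditional"*|*"IBPB: always-on"*) return 0 ;;
        *) return 2 ;;
    esac
}

# stibp_in_flags FLAGS_LINE: 0 if the flags line lists stibp, 1 otherwise.
stibp_in_flags() {
    case " $1 " in
        *" stibp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# ibpb_verdict SPECTRE_V2_STRING FLAGS_LINE: prints a verdict and returns
# 1 only for the pattern this advisory describes (IBPB disabled on a CPU
# without STIBP). Other causes of "IBPB: disabled", such as
# spectre_v2_user=off on the kernel command line, look the same here, so
# treat rc=1 as a prompt to investigate, not proof of an unpatched kernel.
ibpb_verdict() {
    sv2="$1"; flags="$2"
    rc=0; ibpb_state "$sv2" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "IBPB active: $sv2"; return 0
    elif [ "$rc" -eq 2 ]; then
        echo "no IBPB field reported: $sv2"; return 2
    fi
    if stibp_in_flags "$flags"; then
        echo "IBPB disabled although STIBP is available; check spectre_v2_user= settings"
        return 3
    fi
    echo "IBPB disabled and CPU lacks STIBP: matches the CVE-2020-10767 symptom"
    return 1
}

# Live check; falls back to constructed sample strings when sysfs/procfs
# are unavailable so the script still runs offline.
live_or_sample() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ] && [ -r /proc/cpuinfo ]; then
        sv2=$(cat "$f")
        flags=$(grep -m1 '^flags' /proc/cpuinfo)
    else
        sv2="Mitigation: Full generic retpoline, IBPB: disabled, RSB filling"   # constructed
        flags="flags : fpu vme de pse tsc msr pae mce cx8 sep ssbd ibrs ibpb"  # constructed, no stibp
    fi
    ibpb_verdict "$sv2" "$flags"
}
live_or_sample || :
```

After the Ksplice update is applied, a CPU without STIBP should report
"IBPB: conditional" (or "always-on" if configured) rather than "IBPB:
disabled"; a result of rc=3 points at an explicit kernel command line
setting rather than this bug.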


* Missing rejected events in the Infiniband driver when receiving rejected messages.

A logic error when handling a REJ message in the Infiniband driver causes
the active side to miss a rejected event.

Orabug: 31784659

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




