[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 ( ELSA-2021-9459)

Fri Oct 8 08:22:08 PDT 2021

Synopsis:  ELSA-2021-9459 can now be patched using Ksplice
CVEs: CVE-2019-17133 CVE-2019-19448 CVE-2019-3900 CVE-2020-12114 
CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 
CVE-2020-26147 CVE-2021-0512 CVE-2021-27365 CVE-2021-3655 CVE-2021-3715 
CVE-2021-38160 CVE-2021-40490

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle kernel update,  ELSA-2021-9459.
More information about this errata can be found at
https://linux.oracle.com/errata/ ELSA-2021-9459.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2020-26139: Remote denial-of-Wifi-service via malicious EAPOL frames.

When acting as an access point, the kernel WiFi driver might forward
EAPOL frames to other devices that have not successfully authenticated.
A malicious device might exploit this to cause a denial-of-service of
the WiFi connection towards legitimately connected clients.

Orabug: 33369361

* CVE-2021-3655: Information disclosure in SCTP Network subsystem.

Missing input validations in the SCTP networking subsystem may lead to
reading of uninitialized data. This may allow an attacker on the local
area network to cause an information disclosure.

Orabug: 33369303

* CVE-2020-12114: Race condition in mountpoint counter causes DoS.

A race condition in synchronization surrounding the reference counter of
a filesystem mount point could allow a malicious user to corrupt the
counter, causing a kernel assertion failure and denial-of-service.

Orabug: 33369433

* CVE-2020-24588: Mishandling of malformed A-MPDU frames in 802.11 
Networking Stack.

Mishandling of malformed A-MPDU frames in 802.11 Wireless Networking
Stack could allow an attacker to inject network packets. A physically
proximate attacker could use this flaw to compromise the system
integrity.

Orabug: 33369361

* CVE-2021-38160: Buffer overflow in virtual console.

A logic error in virtual console subsystem may lead to a buffer
overflow. This may allow an untrusted device to corrupt data.

Orabug: 33369276

* CVE-2019-17133: Denial-of-service in WiFI SIOCGIWESSID ioctl().

Missing bounds checks when copying an SSID in the SIOCGIWESSID ioctl()
for an 802.11 WiFi device could result in a buffer overflow and kernel
crash.

Orabug: 33369390

* CVE-2021-3715: Use-after-free when changing route in route4 classifier 
driver.

A logic error when changing route in route4 classifier driver could lead
to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 33369231

* CVE-2021-0512: Out-of-bounds memory accesses when accessing HID 
devices array fields.

Out-of-bounds reads and writes in HID driver during HID device
registration could lead to information disclosure and corruption of
internal data structures. A local attacker could use this flaw
to cause a denial-of-service or as an aid in another type of
attack.

Orabug: 33369121

* CVE-2021-40490: Race condition in ext4 subsystem.

A logic error in the ext4 subsystem may lead to a race condition. This
may allow a local attacker to undermine system integrity and possibly
execute arbitrary code.

Orabug: 33369043

* CVE-2019-19448: Use-after-free in Btrfs filesystem with a crafted 
btrfs filesystem image.

Mounting a crafted btrfs filesystem image, performing some operations
and making syncfs system call could lead to a use-after-free in Btrfs
filesystem. A local user with physical access to the system and
a malicious device could use this flaw to cause a system crash or
execution of arbitrary code on the system.

Orabug: 33369414

* CVE-2020-26147: Information disclosure/packet injection over WEP/WPA WiFi.

The kernel 802.11 WiFi driver erroneously combines encypted and
plaintext fragments, potentially allowing an attacker to intercept or
inject into a legitimate encrypted WiFi connection.

Orabug: 33369361

* CVE-2019-3900: Infinite loop in vhost_net driver under heavy load.

It is possible, under certain conditions, for the vhost_net driver to
get caught in a near-infinite loop while trying to process incoming
packets.  This flaw could be exploited by a malicious local or remote
attacker in order to cause a deny access to network services that rely
on the vhost_net driver.

Orabug: 33369374

* Note: Oracle will not provide a zero-downtime update for 
CVE-2020-24587 and CVE-2020-24586.

CVE-2020-24587 (CVSS v3 score of 2.6) and CVE-2020-24586 (CVSS v3 score of
3.5) might allow an attacker to inject L2 frames in a WiFi network using
WEP, WPA/CCMP or WPA/GCMP or to exfiltrate network data on certain
conditions.  Host machines that are not connected to a WiFi network are not
affected.

Oracle has determined that patching CVE-2020-24587 and CVE-2020-24586 would
not be safe and recommends affected hosts to reboot into the newest Oracle
UEKR6 kernel to mitigate the vulnerabilities.

Orabug: 33369361

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.