[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2021-9450)

[Errata Announcements for Oracle Linux]

Synopsis: ELSA-2021-9450 can now be patched using Ksplice
CVEs: CVE-2020-36311 CVE-2021-22543 CVE-2021-33624 CVE-2021-3491
CVE-2021-35039 CVE-2021-3573 CVE-2021-3609 CVE-2021-3612 CVE-2021-3679
CVE-2021-37576 CVE-2021-38160 CVE-2021-38199 CVE-2021-38204

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2021-9450.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2021-9450.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2021-3612: Privilege escalation in joystick subsystem due to
out-of-bounds write access.

Improper data validation in ioctls of joystick devices subsystem could
lead to out-of-bounds memory write access. A local user could use this
flaw to cause a denial-of-service or escalate their privileges.


* Note: Oracle has determined that CVE-2021-35039 is not applicable.

The kernel is not affected by CVE-2021-35039 since the code under
consideration is not compiled.


* CVE-2020-36311: Denial-of-service in KVM due to a soft lockup.

A flaw in SEV VM destruction of Kernel-based Virtual Machine could lead
to a soft lockup during encrypted regions deregistration. A local user
could use this flaw to cause a denial-of-service.


* CVE-2021-3609: Privilege escalation in CAN BCM due to use-after-free.

A race condition in the CAN BCM implementation could lead to use-after-free
vulnerability. A local attacker could potentially use this to execute
arbitrary code.

Orabug: 33114646


* CVE-2021-22543: Privilege escalation in KVM due to RO page check bypass.

The reference counts of VM_IO|VM_PFNMAP pages can be manipulated to
cause a deliberate use-after-free. This can be manipulated to cause
writes to arbitrary memory pages, allowing a malicious user with the
ability to create virtual machines to escalate their privileges.


* CVE-2021-38160: Privileges escalation in virtio-console due to a
buffer overflow.

A missing sanity check in the virtio-console functionality could allow
a console client to write corrupted data to the console and cause
a buffer overflow. A local user could use this flaw for a denial of
service or privileges escalation.


* CVE-2021-3491: Denial-of-service due to limit enforcement issues in IO
uring.

A local user could leverage inadequate enforcement of buffer size limits in
some IO uring code paths to cause a denial-of-service or potentially execute
arbitrary code.


* CVE-2021-33624: Information disclosure in BPF due to type confusion.

A type confusion flaw in Berkeley Packet Filter could lead to a branch
misprediction and consequently an unprivileged BPF program can read
arbitrary memory locations via a side-channel attack.


* CVE-2021-3679: Denial-of-service in kernel tracing module.

A flaw in the kernel tracing module could lead to infinite loop when
trace ring buffer is used in a specific way. A privileged local user
could use this flaw to starve the resources and cause denial-of-service.


* CVE-2021-38199: Denial-of-service in NFS due to incorrect
connection-setup ordering.

Incorrect connection-setup ordering flaw in Network File System could
allow NFS server operator to cause a denial of service by arranging
for the server to be unreachable during trunking detection.


* Note: Oracle has determined that CVE-2021-38204 is not applicable.

The kernel is not affected by CVE-2021-38204 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2021-37576 is not applicable.

Oracle has determined that CVE-2021-37576 is not applicable to x86.
Applying the patch has no resulting changes in the generated object
files.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-3573.

Improper handling of HCI device detach events in the bluetooth subsystem
could leading to a use-after-free. A privileged local user could use
this flaw to cause a denial-of-service or possibly execute arbitrary
code.

CVE-2021-3573 affects bluetooth subsystem only and would require
CAP_NET_ADMIN privileges for exploiting the issue.

Oracle has determined that patching CVE-2021-3573 on a running system
would not be safe and therefore recommends affected hosts to reboot
into the newest Oracle UEKR6 kernel to mitigate the vulnerabilities.


* Unresponsive behavior when suspending XFS filesystems.

A logic error whilst draining an internal cache may cause exceedingly
long pauses when running fsfreeze against an XFS filesystem. This may
lead to degraded system performance and possible data loss.

Orabug: 33241131

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.