[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2022-9260)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Apr 8 06:18:23 UTC 2022 

Synopsis: ELSA-2022-9260 can now be patched using Ksplice
CVEs: CVE-2017-11176 CVE-2020-36516 CVE-2021-20322 CVE-2021-3772 
CVE-2022-0330 CVE-2022-26966

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-9260.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2022-9260.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2022-26966: Information leak by the USB2NET SR9700 device driver.

The driver for SR9700 based USB ethernet devices does not correctly sanitize
packets allowing badly formatted packets to potentially leak information to
user space.

Orabug: 33962995


* CVE-2021-3772: Denial-of-service in the SCTP Network subsystem.

A flaw in the SCTP networking subsystem may allow an attacker to cause
denial-of-service by killing existing SCTP associations.

Orabug: 33924717


* CVE-2020-36516: Off-Path attack on the TCP/IP subsystem.

A flaw in the IPID assignment method can allow an attacker to inject 
data into
a victim's TCP session or terminate the session.

Orabug: 33917058


* CVE-2021-20322: Information leak in IPv4 ICMP exception cache.

The IPv4 ICMP exception cache uses a hash table that is vulnerable to
brute force attacks. A malicious remote user might exploit this to learn
which UDP ports are in use on the system, potentially opening other
attack vectors.

Orabug: 33894531


* Note: Oracle will not provide a zero-downtime update for CVE-2022-0330.

Oracle has determined that patching CVE-2022-0330 on a running system 
would not
be safe. The issue occurs only if a local user has privileges to access the
i915 Intel GPU and the user is running malicious code on it. Oracle 
recommends
a reboot to mitigate these issues if the host is affected.

Orabug: 33835812

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list