[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2022-9264)

[Errata Announcements for Oracle Linux]

Synopsis: ELSA-2022-9264 can now be patched using Ksplice
CVEs: CVE-2020-36516 CVE-2022-0617 CVE-2022-1016 CVE-2022-1158 CVE-2022-22942 CVE-2022-24448 CVE-2022-26966

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-9264.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2022-9264.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2022-1158: Use-after-free in the KVM subsystem.

A flaw in the KVM subsystem may allow a guest virtual machine to
trigger a use-after-free exception. This may lead to denial-of-service
and possible loss of system confidentiality.

Orabug: 34023597


* CVE-2022-24448: Information leak when NFSv4 directory lookup fails.

If an open is performed with O_DIRECTORY on a regular file mounted over
NFSv4, the returned file descriptor will be uninitialized, potentially
leaking sensitive kernel information.

Orabug: 33958154


* CVE-2022-22942: Use-after-free in VMware Virtual GPU driver.

Improper error handling flaw in VMware Virtual GPU driver could lead
to a stale entry to be left in the file descriptor table resulting in
use-after-free. Unprivileged, local users could use this flaw in order
to gain access to files opened by other processes on the system through
a dangling file pointer and cause information disclosure or privilege
escalation.

Orabug: 33840432


* CVE-2022-0617: NULL-pointer dereference when processing UDF metadata.

When converting a UDF filesystem control block to its expanded form, an
invalid block could result in a NULL callback being invoked, resulting
in a system crash. A malicious user or filesystem image might exploit
this to cause a denial-of-service.

Orabug: 33870266


* CVE-2022-26966: Information disclosure in CoreChip SR9700 USB 10/100 Ethernet adapter.

A missing sanity check flaw in CoreChip SR9700 USB 10/100 Ethernet
adapter could result in sensitive information leaking from  heap memory
to user space. A local user could use this flaw for information
disclosure.

Orabug: 33962705


* Don't flush cache if hardware enforces cache coherency across encryption domains.

In some hardware implementations, coherency between the encrypted and
unencrypted mappings of the same physical page in a VM is enforced. In
such a system, it is not required for software to flush the VM's page
from all CPU caches in the system prior to changing the value of the
C-bit for the page.

Orabug: 33921125


* CVE-2020-36516: Multiple vulnerabilities in TCP/IP protocol.

The mixed IPID assignment method with the hash-based IPID assignment
policy could allow an attacker to perform a Man-in-the-Middle Attack.
A remote attacker could use this flaw to pretend to be the sender of
the TCP/IP packet for an existing TCP/IP session and inject data into
the TCP session or terminate that session.

Orabug: 33917056


* Reinitialize logbuf lock if CPU is halted while holding the lock.

If a CPU is halted while holding logbuf_lock, then subsequent printk()
operations on the panic CPU will deadlock. Add a helper to reinitialize
the logbuf locks and do this before calling panic notifiers, to reduce
the chance of a deadlock.

Orabug: 33740420


* CVE-2022-1016: Information leak in the netfilter subsystem.

A flaw in the netfilter subsystem result in a use-after-free. This may
allow a local unprivileged user to cause an information leak, resulting
in loss of system confidentiality.

Orabug: 34035701

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.