[El-errata] New Ksplice updates for RHCK 9 (ELSA-2023-2458)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Jun 28 18:31:04 UTC 2023


Synopsis: ELSA-2023-2458 can now be patched using Ksplice
CVEs: CVE-2021-26341 CVE-2021-33061 CVE-2021-33655 CVE-2021-41073 CVE-2022-0500 CVE-2022-1184 CVE-2022-1462 CVE-2022-1671 CVE-2022-1789 CVE-2022-1882 CVE-2022-20141 CVE-2022-21505 CVE-2022-21546 CVE-2022-2196 CVE-2022-24448 CVE-2022-2588 CVE-2022-28388 CVE-2022-28389 CVE-2022-2905 CVE-2022-3028 CVE-2022-3303 CVE-2022-33743 CVE-2022-3435 CVE-2022-3522 CVE-2022-3524 CVE-2022-3566 CVE-2022-3567 CVE-2022-3577 CVE-2022-3586 CVE-2022-3619 CVE-2022-3623 CVE-2022-3625 CVE-2022-3628 CVE-2022-36280 CVE-2022-3629 CVE-2022-3640 CVE-2022-36879 CVE-2022-3707 CVE-2022-39188 CVE-2022-39189 CVE-2022-4128 CVE-2022-4129 CVE-2022-41674 CVE-2022-41850 CVE-2022-42703 CVE-2022-42720 CVE-2022-42721 CVE-2022-42722 CVE-2022-42896 CVE-2022-43750 CVE-2022-43945 CVE-2022-4662 CVE-2022-47518 CVE-2022-47519 CVE-2022-47520 CVE-2022-47521 CVE-2022-47929 CVE-2023-0394 CVE-2023-0461 CVE-2023-0590 CVE-2023-1195 CVE-2023-1382

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2023-2458.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2023-2458.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 9 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Enable livepatching of jump labels.


* CVE-2022-3625: Denial-of-service in the Netlink device interface implementation.

A missing check when setting or getting Netlink device parameters could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service or possibly execute arbitrary code.


* CVE-2022-1789: Denial-of-service in Kernel-based Virtual Machine.

A flaw in handling guest TLB mapping invalidation requests in
Kernel-based Virtual Machine could result in a NULL pointer dereference.
A local user could use this flaw for a denial-of-service.


* CVE-2022-3028: Out-of-bounds memory access in IP framework XFRM subsystem.

A race condition between multiple calls to the same function in the IP
framework can lead to subsequent out-of-bounds memory accesses. A local
attacker could exploit this flaw to leak kernel memory, or make arbitrary
writes to kernel memory.


* CVE-2022-36879: Denial-of-service in XFRM.

An incorrect reference counting flaw in the IP framework for transforming
packets when manipulating XFRM policy entries could result in a resource
being released before it is made available for re-use. A local user could
use this flaw for a denial-of-service.


* CVE-2022-42896: Use-after-free in Bluetooth L2CAP.

A flaw in Bluetooth L2CAP protocol when accepting incoming connection
requests could lead to a use-after-free. A remote attacker could use
this flaw for a denial-of-service or for privilege escalation.


* CVE-2022-21505: Lockdown bypass in Integrity Measurement Architecture.

A flaw in Integrity Measurement Architecture could allow kernel lockdown
bypass by using kexec when Secure Boot is disabled. A local user could
use this flaw for code execution.


* CVE-2022-3628: Code execution in Broadcom FullMAC USB WiFi driver.

A missing sanity check when setting up the Broadcom FullMAC USB WiFi
driver could result in out-of-bounds access. A physically proximate
user could use this flaw to craft a malicious USB device and cause
a denial-of-service or execute arbitrary code.


* CVE-2022-2905: Out-of-bounds memory access in BPF subsystem.

Improper range check in the BPF subsystem when the JIT compiler is
invoked could result in an out-of-bounds read access. A local attacker
could possibly use this to cause a denial of service (system crash) or
expose sensitive information (kernel memory).


* CVE-2022-3629: Memory leak in virtual socket protocol.

A race condition in VMware vSockets Driver when attempting to connect a
vsock in non-blocking mode may lead to a reference count leak. A local
attacker could use this flaw to exhaust kernel memory and eventually
cause a denial-of-service.


* Improved update to CVE-2022-1184: Use-after-free in ext4 filesystem.

A flaw in ext4 filesystem when mounting and operating on a corrupted
image could lead to a use-after-free. A local user could use this flaw
to cause a denial-of-service or elevate privileges on the system.


* CVE-2023-0394: NULL dereference during IPv6 raw frame processing.

An arithmetic error when processing certain IPv6 header information can
lead to a NULL pointer dereference.  A malicious local user could
exploit this flaw to cause a denial-of-service.


* CVE-2022-28388: Code execution in 8devices USB2CAN interface.

A double-free in the USB2CAN interface from 8devices could result in
memory leaks and data corruption.  A local user could use this flaw for
a denial-of-service or code execution.


* CVE-2022-41850: Use-after-free during roccat device event processing.

A race condition can occur when processing events for roccat devices,
which ultimately leads to a use-after-free.  This flaw could be exploited
by a malicious local user to cause a denial-of-service, or to aid in
another type of attack.


* CVE-2021-33655: Privilege escalation when setting font or screen size.

A missing check when setting screen size or font could lead to an
out-of-bounds memory access. A local attacker could use this flaw to
cause a denial-of-service or escalate privileges.


* CVE-2022-47929: NULL dereference in traffic control subsystem.

Specially crafted network traffic can cause a NULL pointer dereference
in the network traffic control subsystem.  This flaw could be exploited
by a malicious local user to cause a denial-of-service.


* CVE-2022-41674: Privilege escalation in cfg80211 subsystem.

Incorrect input validation in cfg80211 subsystem can lead to a buffer
overflow error. A local attacker able to inject WLAN frames could use
this flaw to escalate privileges.


* CVE-2022-42720: Privilege escalation in cfg80211 subsystem.

Improper reference counting in the cfg80211 subsystem can lead to a
use-after-free. A local attacker able to inject WLAN frames could use
this flaw to escalate privileges.


* CVE-2022-42721: Denial of service in cfg80211 subsystem.

A missing check in the cfg80211 subsystem can lead to corruption of
internal kernel data structures. A local attacker able to inject WLAN
frames could use this flaw to cause denial of service.


* CVE-2022-42722: Denial of service in beacon protection for P2P-device.

A missing check in the mac80211 subsystem can lead to a NULL pointer
dereference. A local attacker able to inject WLAN frames could use this
flaw to cause denial of service.


* CVE-2022-3619: Denial-of-Service in Bluetooth L2CAP.

Improperly released resources in Bluetooth L2CAP when handling
fragmented frames could result in a memory leak. A remote user could
use this flaw to exhaust the kernel memory and cause a
denial-of-service.


* CVE-2023-0590: Use-after-free in network scheduler.

A race condition in net scheduler when dropping the reference of a queue
discipline object in qdisc_graft() may lead to a use-after-free. A local
user could use this flaw to cause a denial-of-service.


* CVE-2022-43750: Use-after-free in USB monitor.

Incorrect permission flags set on userspace memory mappings in usbmon
could lead to a use-after-free. A local attacker could use this flaw for
a denial-of-service or escalate privileges.


* CVE-2022-33743, XSA-405: Use-after-free in Xen network frontend driver.

A flaw in the Xen network frontend driver could lead to a use-after-free
when processing responses from a misbehaving backend. An attacker
controlling the network backend domain could use this flaw to cause a
denial-of-service or execute arbitrary code in a different domain.


* CVE-2022-4662: Denial-of-service in USB core.

Lack of protection from nested device resets in the USB core implementation
could lead to a system crash. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2022-1882: Use-after-free in pipe subsystem.

A race condition in the pipe subsystem could lead to a use-after-free
when a pipe node is freed. An unprivileged user could use this flaw to
cause a denial-of-service or escalate privileges.


* CVE-2022-2196: Information leak in Kernel-based Virtual Machine.

A flaw in KVM due to a missing flush of indirect branch predictors
at VM-exit time may result in a leak of information.
A nested guest VM (L2) may use this flaw to perform Spectre v2 attacks
on L1 guest VMs.


* CVE-2022-21546: Denial-of-service in SCSI write path.

Improper handling of certain types of writes to a SCSI device can
lead to a kernel crash.  A local attacker could exploit this flaw to
cause a denial-of-service.


* Improved update to CVE-2022-24448: Denial-of-service in NFSv4.

A flaw in parameter validation when opening files over an NFS mount
can result in a NULL pointer dereference. A local attacker could use
this flaw to cause a system crash.


* CVE-2022-3435: Information disclosure in IPv4.

A flaw in ioctls of IPv4 could result in out-of-bounds read access.
A local user could use this flaw for information disclosure.


* CVE-2023-1382: Use-after-free in the TIPC protocol server.

Incorrect reference counting when allocating a new TIPC connection opens a
race condition which can lead to a use-after-free.  A local, unprivileged
user could use this flaw to cause a denial-of-service or escalate their
privileges.


* CVE-2022-4129: Denial-of-service in Layer 2 Tunneling Protocol (L2TP).

Incorrect locking in the Layer 2 Tunneling Protocol (L2TP) can lead to a race
condition and NULL pointer dereference. A local user could use this to crash the
system leading to denial-of-service.


* CVE-2022-20141: Privilege escalation in inet sockets.

A locking error when opening/closing inet sockets could lead to a
use-after-free. A local attacker could use this flaw to escalate
privileges or cause a denial-of-service.


* CVE-2023-1195: Denial-of-service when using CIFS driver.

A missing pointer clearing when closing a CIFS session could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2022-3566, CVE-2022-3567: Denial-of-service in IPv6 networking.

A race condition in IPv6 networking when converting an IPv6 socket into
IPv4 could lead to a data corruption. A local user could use this flaw
for a denial-of-service.


* Improved fix for CVE-2022-43945: Out-of-bounds memory access in NFSD.

A logic error in NFSD when a small RPC Call message arrives in an
oversized RPC record can lead to a buffer overflow. A remote attacker
could use this flaw for a denial-of-service or privilege escalation.


* CVE-2022-36280: Out-of-bounds access in vmwgfx driver during cursor snoop.

A failure to validate cursor size data during a snoop operation can
lead to an out-of-bounds memory access.  A malicious local user could
exploit this flaw to escalate their privileges, or to cause a
denial-of-service.


* CVE-2022-42703: Code execution in MMU-based Paged Memory Management Support.

A flaw in memory allocations tracking for anonymous VMA mappings in
MMU-based Paged Memory Management Support could lead to data structure
reuse. A local user could use this flaw to cause a denial-of-service or
execute arbitrary code.


* CVE-2022-3524: Memory-leak in IPv6 networking.

A race condition in IPv6 networking when converting an IPv6 socket into
IPv4 could lead to a memory-leak. A local user could use this flaw to
exhaust the system's memory and cause denial-of-service.


* CVE-2022-3707: Double-free in Intel GVT-g graphics driver.

Incorrect error handling in the Intel GVT-g graphics driver can lead to a
double free. This can allow a local user to cause denial-of-service.


* CVE-2023-0461: Use-after-free in Upper Level Protocol (ULP) subsystem.

Improper handling of sockets entering the LISTEN state can lead to
use-after-free. A local attacker could use this to cause denial-of-service or
execute arbitrary code.


* CVE-2022-4128: Denial-of-service in MPTCP protocol during disconnect time.

A NULL pointer dereference in MPTCP protocol driver when traversing the
subflow list at disconnect time can lead to denial-of-service. A local
attacker could use this flaw to crash the system.


* CVE-2022-39188: Denial-of-service in MMU-based Paged Memory Management Support.

A flaw in MMU-based Paged Memory Management Support when unmapping
a memory region could result in a system crash. A local user could use
this flaw for denial-of-service.


* CVE-2022-1462: Denial-of-service in the tty subsystem.

A logic error when using some of the ioctls of the tty subsystem could
lead to a race condition. A local attacker could use this flaw to cause
a denial-of-service or leak unauthorized memory.


* CVE-2022-39189: Privilege escalation in Kernel-based Virtual Machine.

A flaw in KVM instruction emulation could allow unprivileged guest
userspace access to guest kernel memory through stale TLB translations.
An unprivileged guest user could use this flaw to cause a
denial-of-service or gain arbitrary code execution in a guest VM.


* Note: Oracle has determined that CVE-2022-3640 is not applicable.

A logic flaw in receive data path of the Bluetooth subsystem could
result in a use-after-free. A local user could use this flaw to cause
a denial-of-service or execute arbitrary code.

Oracle has determined that this kernel is not affected by CVE-2022-3640
as the code in question is not compiled.


* Note: Oracle has determined that CVE-2022-3577 is not applicable.

A missing free of resources when registering pvrusb2 driver could lead
to a memory leak. A local attacker could use this flaw to cause a
denial-of-service.

The kernel is not affected by CVE-2022-3577 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-2588 is not applicable.

A logic flaw in IP Route Classifier subsystem in some cases when
replacing a route filter could lead to a use-after-free. A local user
could use this flaw for denial-of-service or privilege escalation.

The kernel is not affected by CVE-2022-2588 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-3303 is not applicable.

The kernel is not affected by CVE-2022-3303 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-28389 is not applicable.

A flaw in error handling of Microchip CAN BUS Analyzer interface could
lead to a double-free. A local user could use this flaw to cause
a denial-of-service or code execution.

The kernel is not affected by CVE-2022-28389 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-47519, CVE-2022-47518, CVE-2022-47520, CVE-2022-47521 are not applicable.

Improper validation of various user-supplied parameters in the WILC1000
wireless driver may lead to a heap-based buffer overflow. A local user
could use this flaw for a denial-of-service or privilege escalation.

The kernel is not affected by CVE-2022-47519, CVE-2022-47518,
CVE-2022-47520, CVE-2022-47521 since the code under consideration
is not compiled.


* Note: Oracle has determined that CVE-2022-1671 is not applicable.

A NULL pointer dereference was found in the RxRPC session sockets
subsystem. This can allow a local user to cause denial-of-service or
leak privileged information.

The kernel is not affected by CVE-2022-1671 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2021-41073 is not applicable.

A local attacker could gain privileges by using IORING_OP_PROVIDE_BUFFERS
and exploiting a flaw in IO uring request handling which could lead to
freeing adjacent memory.

The kernel is not affected by CVE-2021-41073 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-3586 is not applicable.

A race condition in net scheduler when enqueuing a socket buffer into a
queue discipline may lead to a use-after-free. A local user could use
this flaw to cause a denial-of-service or disclose sensitive
information.

The kernel is not affected by CVE-2022-3586 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-3623 is not applicable.

CVE-2022-3623 is a flaw in the HugeTLB file system which could lead to a
race condition when looking up a hugetlb page in some situations.
Oracle has determined that this vulnerability only affects the AArch64
architecture and that x86_64 is not vulnerable.


* Note: Oracle has determined that CVE-2022-3522 is not applicable.

Investigation showed CVE-2022-3522 is not a security issue. The CVE
has been marked as "REJECTED" in the CVE list.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-33061 (INTEL-SA-00571).

CVE-2021-33061 (INTEL-SA-00571) is scored CVSSv3 5.5 (medium severity)
and is due to improper isolation of shared resources in network on chip
for the Intel(R) 82599 Ethernet Controllers and Adapters. This
vulnerability could allow an authenticated user to potentially enable
denial of service via local access. A patch for this vulnerability
exists in the Linux kernel's ixgbe driver.

Hosts without Intel(R) 82599 Ethernet adapter are not affected by this
issue.

Oracle has determined that patching CVE-2021-33061 (INTEL-SA-00571) on a
running system would not be safe and recommends a reboot if using an
Intel(R) Ethernet adapter.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-0500.

A flaw in unrestricted eBPF usage by BPF_BTF_LOAD can lead to
out-of-bounds memory write in the BPF subsystem due to the way a user
loads BTF. This can allow a local user to escalate privileges or cause
denial-of-service.

Unprivileged BPF is controlled by the kernel.unprivileged_bpf_disabled
sysctl and is disabled by default.


* Note: Oracle will not provide a zero downtime update for CVE-2021-26341.

On the 8th of March 2022, Vrije Universiteit (VU) Amsterdam
researchers, AMD, Ampere, ARM and Intel jointly reported new security
vulnerabilities based on Branch Target Injection (BTI) (commonly
called Spectre v2 variants).

The reporters recommend disabling unprivileged BPF to mitigate this
vulnerability as well as using generic retpoline even when eIBRS is
available on the platform or on special AMD/Hygon CPUs.

Unprivileged BPF can already be disabled at runtime by setting the
kernel.unprivileged_bpf_disabled sysctl.

If your CPU is affected and is not already using retpoline as the
Spectre V2 mitigation, a reboot into the newest kernel will be
required in order to get the full retpoline mitigations in place.
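The items this notice leaves to the administrator can be checked from a shell. The script below is an added example for this announcement, not Oracle's or Ksplice's own tooling: it checks whether uptrack.conf has "autoinstall = yes", reports the kernel.unprivileged_bpf_disabled sysctl value, reads the kernel's own Spectre v2 mitigation report from /sys/devices/system/cpu/vulnerabilities/spectre_v2 to see whether retpoline is in use, and looks for a network interface bound to the ixgbe driver named in the CVE-2021-33061 note. The default locations are the standard procfs and sysfs paths; the optional path arguments are there so each check can also be run against constructed sample files.

```shell
#!/bin/sh
# Added example (not Oracle/Ksplice code): verify the manual items from the
# ELSA-2023-2458 Ksplice notice. Each check takes an optional path so it can
# be exercised against constructed sample files as well as the live system.

# Does /etc/uptrack/uptrack.conf enable automatic installation? Commented-out
# lines are ignored; surrounding whitespace and letter case are tolerated.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 2
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# Print the state of kernel.unprivileged_bpf_disabled:
#   0 -> unprivileged bpf() calls allowed
#   1 -> disabled, cannot be re-enabled without a reboot
#   2 -> disabled, may be re-enabled at runtime via sysctl
# Exit status 0 means unprivileged BPF is currently disabled.
bpf_state() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    [ -r "$f" ] || { echo "unknown"; return 2; }
    case "$(cat "$f")" in
        0) echo "enabled"; return 1 ;;
        1) echo "disabled-locked"; return 0 ;;
        2) echo "disabled"; return 0 ;;
        *) echo "unknown"; return 2 ;;
    esac
}

# Is retpoline part of the kernel's active Spectre v2 mitigation? The kernel
# reports this in sysfs, e.g. "Mitigation: Retpolines, IBPB: conditional, ...".
spectre_v2_uses_retpoline() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"
    [ -r "$f" ] || return 2
    grep -qi 'retpoline' "$f"
}

# Is any network interface bound to the ixgbe driver? Each interface under
# /sys/class/net has a device/driver symlink whose target name is the driver.
ixgbe_present() {
    base="${1:-/sys/class/net}"
    for link in "$base"/*/device/driver; do
        [ -e "$link" ] || continue
        [ "$(basename "$(readlink -f "$link")")" = "ixgbe" ] && return 0
    done
    return 1
}

# Human-readable summary against the live system.
advisory_checks() {
    if uptrack_autoinstall; then echo "uptrack autoinstall: yes (updates apply automatically)"
    else echo "uptrack autoinstall: no (run /usr/sbin/uptrack-upgrade -y)"; fi
    echo "unprivileged BPF: $(bpf_state)"
    if spectre_v2_uses_retpoline; then echo "spectre_v2: retpoline in use"
    else echo "spectre_v2: retpoline not in use (reboot into the new kernel for CVE-2021-26341)"; fi
    if ixgbe_present; then echo "ixgbe-driven adapter (includes Intel 82599): present, reboot needed for CVE-2021-33061"
    else echo "ixgbe-driven adapter: none found"; fi
}

advisory_checks
```

Run it as root on the patched host; each function also returns a conventional exit status (0 = the safe or expected state, 1 = not, 2 = could not read the source file), so it can be wired into a configuration-management or monitoring check without parsing the text.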

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.