[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2024-12151)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Feb 22 08:15:20 UTC 2024


Synopsis: ELSA-2024-12151 can now be patched using Ksplice
CVEs: CVE-2021-44879 CVE-2023-25775 CVE-2023-28464 CVE-2023-4244 CVE-2023-45863 CVE-2023-45898 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782 CVE-2023-6121 CVE-2023-6531 CVE-2023-6606 CVE-2023-6932

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2024-12151.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2024-12151.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
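The two steps above (check the autoinstall setting, otherwise run the upgrade by hand) and a follow-up check that the advisory's CVEs are reported as installed, as an added shell example that is not part of the Oracle announcement or of Ksplice itself. It assumes uptrack.conf uses "key = value" lines with '#' comments (as the "autoinstall = yes" line above shows) and that uptrack-show prints one line per installed update naming the CVE it fixes; the sample configuration and sample uptrack-show text are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the Oracle announcement or of Ksplice itself.
# Decide whether this host needs a manual "uptrack-upgrade -y" by reading
# the autoinstall setting from uptrack.conf, then compare the advisory's CVE
# list against "uptrack-show" output to spot anything not yet applied.
# Assumptions: uptrack.conf holds "key = value" lines with '#' comments;
# uptrack-show prints one line per installed update that names its CVE.
# The sample config and sample uptrack-show text below are constructed.

# CVE list copied from the "CVEs:" line of ELSA-2024-12151.
ELSA_2024_12151_CVES="CVE-2021-44879 CVE-2023-25775 CVE-2023-28464 CVE-2023-4244 \
CVE-2023-45863 CVE-2023-45898 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782 \
CVE-2023-6121 CVE-2023-6531 CVE-2023-6606 CVE-2023-6932"

# Print the value of KEY from an uptrack.conf-style file, ignoring comments,
# blank lines and surrounding whitespace; prints nothing when unset.
uptrack_conf_get() {
    conf=$1; key=$2
    sed -n -e 's/#.*//' \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# True (0) when autoinstall is switched on, so Uptrack applies updates itself.
uptrack_autoinstall_enabled() {
    v=$(uptrack_conf_get "$1" autoinstall | tr '[:upper:]' '[:lower:]')
    case "$v" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print every CVE from an advisory's "CVEs:" line that is absent from the
# given uptrack-show text, one per line; prints nothing when all are present.
# Entries not starting with "CVE-" (such as the "CVEs:" label) are skipped.
missing_cves() {
    cve_list=$1; show_text=$2
    for cve in $cve_list; do
        case "$cve" in CVE-*) ;; *) continue ;; esac
        printf '%s\n' "$show_text" | grep -qF -- "$cve" || printf '%s\n' "$cve"
    done
}

# Constructed sample configuration (not a real host's file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
# constructed uptrack.conf excerpt
# autoinstall = yes     (commented out; must be ignored)
autoinstall = no    # operator schedules uptrack-upgrade by hand
EOF

# Constructed uptrack-show excerpt: two of the advisory's CVEs are present.
SAMPLE_SHOW='Installed updates:
[abc1234] CVE-2023-6932: Privilege escalation in IGMP.
[def5678] CVE-2023-6531: Use-after-free in io_uring subsystem.'

if [ "${1:-}" = "--run" ]; then
    CONF=/etc/uptrack/uptrack.conf
    if uptrack_autoinstall_enabled "$CONF"; then
        echo "autoinstall = yes in $CONF: Uptrack installs ELSA-2024-12151 on its own"
    else
        /usr/sbin/uptrack-upgrade -y
    fi
    # Anything printed here is an advisory CVE not reported as installed.
    # CVE-2023-4244 (no zero-downtime update) and the CVEs the announcement
    # marks not applicable may legitimately stay on this list.
    missing_cves "$ELSA_2024_12151_CVES" "$(uptrack-show)"
else
    echo "sample conf autoinstall: $(uptrack_conf_get "$SAMPLE_CONF" autoinstall)"
    echo "sample missing CVEs:"
    missing_cves "$ELSA_2024_12151_CVES" "$SAMPLE_SHOW"
fi
```

Run it with --run on a real host as root to act on /etc/uptrack/uptrack.conf; without arguments it only exercises the constructed samples. Remember that Ksplice patches the running kernel only; the CVE-2023-4244 note below still calls for a reboot.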


DESCRIPTION

* Slow loss recovery when receiving SACK for TLP retransmit.

When a SACK for a TLP retransmit is received with an RTT below the
current minimum RTT limit, slow loss recovery can occur.

This update provides system administrators with sysctl tunables
(net.ipv4.tcp_delack_min/max) to control the minimum/maximum amount of
time to delay before sending an ACK.

Orabug: 35875891


* Note: Oracle will not provide a zero-downtime update for CVE-2023-4244.

A race condition in the set implementation of nftables between
the control plane and the garbage collection worker could lead to a
use-after-free. A local user with CAP_NET_ADMIN access could use this
flaw to cause a crash or expose sensitive kernel information.

Oracle has determined that patching CVE-2023-4244 on a running system
would not be safe and recommends a reboot.

On workloads that permit it, a temporary mitigation is to disallow
unprivileged users from creating user namespaces; without one, an
unprivileged local user has no way to obtain the CAP_NET_ADMIN the flaw
requires:

sudo sysctl -w kernel.unprivileged_userns_clone=0
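The same mitigation as a checked procedure, added here as an example that is not part of the Oracle announcement: it confirms the tunable exists before writing it, verifies the value afterwards, and distinguishes "knob absent" from "write refused". kernel.unprivileged_userns_clone is carried as a distribution patch rather than in mainline Linux, so a kernel may not expose it at all. SYSCTL_ROOT is an assumption of this example; it defaults to /proc/sys and can be pointed at a constructed replica directory.

```shell
#!/bin/sh
# Added example; not part of the Oracle announcement. Applies the temporary
# mitigation for CVE-2023-4244 only after confirming the tunable exists, and
# verifies the result. kernel.unprivileged_userns_clone is a distribution
# patch, not a mainline sysctl, so a kernel may simply not expose it; the
# functions report that as "knob absent" instead of failing silently.
# SYSCTL_ROOT is an assumption of this example: it defaults to /proc/sys and
# can be pointed at a constructed replica directory for testing.

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}
# Same tunable as "sysctl -w kernel.unprivileged_userns_clone=0".
KNOB=kernel/unprivileged_userns_clone

knob_path() { printf '%s/%s\n' "$SYSCTL_ROOT" "$KNOB"; }

# 0 when the running kernel exposes the tunable, 1 otherwise.
knob_available() { [ -f "$(knob_path)" ]; }

# 0 when unprivileged user-namespace creation is already disabled.
mitigation_active() {
    knob_available && [ "$(cat "$(knob_path)")" = "0" ]
}

# Disable unprivileged user namespaces. Exit status: 0 applied (or already
# active), 1 knob absent on this kernel, 2 write refused or did not stick
# (typically not running as root).
apply_mitigation() {
    knob_available || return 1
    mitigation_active && return 0
    printf '0\n' > "$(knob_path)" 2>/dev/null || return 2
    mitigation_active || return 2
}

# Human-readable status for an operator or a configuration-management check.
mitigation_status() {
    if mitigation_active; then
        echo "mitigated"
    elif knob_available; then
        echo "knob present, unprivileged userns still allowed"
    else
        echo "knob absent: tunable not available on this kernel"
    fi
}

case ${1:-} in
    --apply)
        apply_mitigation && rc=0 || rc=$?
        case $rc in
            0) echo "CVE-2023-4244 mitigation active (unprivileged userns disabled)" ;;
            1) echo "no kernel.unprivileged_userns_clone on this kernel; mitigation unavailable" ;;
            *) echo "failed to set the tunable; run as root" ;;
        esac
        exit $rc ;;
    *)
        mitigation_status ;;
esac
```

A value written this way (or with sysctl -w) does not survive a reboot; if the restriction should persist until the host has been rebooted into the ELSA-2024-12151 kernel, put it in a file under /etc/sysctl.d/ as well. The mitigation only removes the unprivileged route to CAP_NET_ADMIN; processes that already hold that capability in the initial namespace are unaffected, and unprivileged containers or other tools that rely on user namespaces will stop working, which is the "workloads that permit it" caveat above.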


* CVE-2023-25775: Information disclosure in the Intel(R) Ethernet Controller RDMA driver.

A flaw in irdma allows zero-length STAGs to be programmed in hardware. An
attacker could use this flaw to access sensitive kernel information.


* CVE-2023-6606: Information disclosure in Common Internet File System.

The CIFS network file system implementation did not always
properly validate the server frame size, which could lead to
an out-of-bounds write. A local attacker could use this flaw
to cause a denial-of-service or potentially expose sensitive
information.


* CVE-2023-51780: Use-after-free in the ATM networking stack.

Asynchronous Transfer Mode (ATM) ioctl calls can race with datagram
reception causing a use-after-free error. A local attacker can
exploit this to cause a denial-of-service or privilege escalation.


* Note: Oracle has determined that CVE-2023-51781 is not applicable.

AppleTalk ioctl calls can race with datagram reception causing a
use-after-free error. A local attacker can exploit this to cause
a denial-of-service or privilege escalation.

The kernel is not affected by CVE-2023-51781 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-51782 is not applicable.

ROSE ioctl calls can race with accepting a connection, causing a
use-after-free error. A local attacker can exploit this to cause
a denial-of-service or privilege escalation.

The kernel is not affected by CVE-2023-51782 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2021-44879 is not applicable.

A NULL pointer dereference error can occur in the F2FS filesystem due
to an incorrect check during garbage collection. A local attacker can
exploit this to cause denial-of-service.

The kernel is not affected by CVE-2021-44879 since the code under
consideration is not compiled.


* CVE-2023-6121: Out-of-bounds read in NVMe-oF/TCP subsystem.

NVMe Qualified Names (NQNs), used to identify the endpoints when setting
up connections, are not NUL-terminated, leading to an out-of-bounds read.
An attacker can exploit this remotely by sending a malicious payload to
extract sensitive information from kernel memory.


* Potential NULL pointer dereference in netfilter subsystem.

Between a check and the later use of its result, a socket may be
detached and have an internal pointer set to NULL, leading to a NULL
pointer dereference. A local attacker can exploit this flaw to cause a
denial-of-service.


* Overwriting of read-only files in BTRFS filesystem.

Incorrect checking during the send command can lead to overwriting of
read-only files. An attacker can exploit this flaw to cause a
denial-of-service, privilege escalation, or aid in other types of
attacks.


* CVE-2023-45863: Out-of-bounds write in a library routine for handling generic kernel objects.

Handling of internal kernel objects can race, leading to an
out-of-bounds write. An attacker with root access can exploit
this to cause denial-of-service or aid in other types of attacks.


* CVE-2023-6531: Use-after-free in io_uring subsystem.

Garbage collection of io_uring files races with the operations of
Unix-domain sockets which use the files, leading to a use-after-free
error. A local attacker can exploit this to cause a denial-of-service
or privilege escalation.


* CVE-2023-6932: Privilege escalation in IGMP.

A race condition in the IGMP protocol implementation could lead
to a use-after-free vulnerability. A local attacker could use
this flaw to cause a denial-of-service or potentially escalate
privileges.


* Denial-of-service when using Broadcom NetXtreme-C/E Ethernet network driver.

An invalid transfer completion in the Broadcom NetXtreme-C/E Ethernet
network driver can cause a use-after-free error. A local attacker can
exploit this to cause a denial-of-service.

Orabug: 36075755


* Note: Oracle has determined that CVE-2023-45898 is not applicable.

A use-after-free error was introduced in the ext4 filesystem by an
improvement that reused pre-existing allocations. A local attacker can
exploit this to cause a denial-of-service or privilege escalation.

The kernel is not affected by CVE-2023-45898 since the code introducing
the issue is not present.


* Denial-of-service when using InfiniBand driver.

Due to improper handling of disconnection requests in a specific case,
RDMA connections are blocked until a timeout is reached. A local
attacker can exploit this to cause a denial-of-service.

Orabug: 36143228


* CVE-2023-28464: Use-after-free in Bluetooth subsystem.

A double free was found in the bluetooth subsystem when cleaning up a
connection, leading to a use-after-free error. A local attacker can
exploit this to cause denial-of-service or privilege escalation.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


