[El-errata] New Ksplice updates for RHCK 8 (ELSA-2023-7077)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Jan 5 09:03:40 UTC 2024


Synopsis: ELSA-2023-7077 can now be patched using Ksplice
CVEs: CVE-2019-15291 CVE-2021-43975 CVE-2022-28388 CVE-2022-3169 CVE-2022-3594 CVE-2022-3640 CVE-2022-38457 CVE-2022-40133 CVE-2022-40982 CVE-2022-42895 CVE-2022-45869 CVE-2022-45887 CVE-2022-4744 CVE-2023-0458 CVE-2023-0590 CVE-2023-0597 CVE-2023-1073 CVE-2023-1074 CVE-2023-1075 CVE-2023-1077 CVE-2023-1079 CVE-2023-1118 CVE-2023-1206 CVE-2023-1252 CVE-2023-1380 CVE-2023-1382 CVE-2023-1637 CVE-2023-1855 CVE-2023-1989 CVE-2023-1998 CVE-2023-2269 CVE-2023-23455 CVE-2023-23559 CVE-2023-2513 CVE-2023-26545 CVE-2023-28328 CVE-2023-28772 CVE-2023-30456 CVE-2023-31084 CVE-2023-3141 CVE-2023-31436 CVE-2023-3159 CVE-2023-3161 CVE-2023-3212 CVE-2023-3268 CVE-2023-33203 CVE-2023-3358 CVE-2023-33951 CVE-2023-33952 CVE-2023-35823 CVE-2023-35824 CVE-2023-3609 CVE-2023-3611 CVE-2023-3772 CVE-2023-4132 CVE-2023-4155 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 CVE-2023-44466 CVE-2023-45862 CVE-2023-4732

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2023-7077.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2023-7077.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 8 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2023-23455: Denial-of-service in ATM Virtual Circuit queue operation.

A logic error during a queue operation in the sch_atm driver can result
in an invalid pointer access.  This flaw could be exploited by a local
attacker to cause a denial-of-service.


* CVE-2022-42895: Information disclosure in Bluetooth subsystem.

A missing sanity check when parsing a configuration request in Bluetooth
L2CAP implementation could result in out-of-bounds memory access.
A physically proximate attacker could use this flaw for information
disclosure.


* CVE-2023-26545: Stale pointer in MultiProtocol Label Switching subsystem.

Incorrect error handling in the MultiProtocol Label Switching subsystem
(MPLS) during the renaming of a device can lead to double free. This could
allow a local user to write to arbitrary memory locations or cause
denial-of-service.


* Note: Oracle has determined that CVE-2023-1855 is not applicable.

A logic error in the APM X-Gene SoC hardware monitoring driver leads to a
use-after-free. A local user can use this flaw to cause denial-of-service or
leak information.

The kernel is not affected by CVE-2023-1855 since the code under
consideration is not compiled.


* CVE-2023-1118: Use-after-free in ENE eHome Receiver/Transceiver driver.

A logic error in the ENE integrated infrared receiver/transceiver leads
to a use-after-free. A local user can use this flaw to cause
denial-of-service or escalate privileges.


* CVE-2023-1382: Use-after-free in the TIPC protocol server.

Incorrect reference counting when allocating a new TIPC connection opens a
race condition which can lead to a use-after-free.  A local, unprivileged
user could use this flaw to cause a denial-of-service or escalate its
privileges.


* CVE-2023-2513: Use-after-free during ext4 extended attribute operations.

A logic error when setting certain extended attributes on an ext4
filesystem can result in a use-after-free scenario.  This flaw could be
exploited by a malicious local attacker to cause a denial-of-service or
to aid in another type of attack.

Orabug: 35382025


* CVE-2023-31436: Out-of-bounds memory access in sch_qfq driver.

An arithmetic error in the sch_qfq driver can lead to an out-of-bounds
memory access.  A local attacker could exploit this flaw to leak
sensitive information or to cause other undefined behavior.


* CVE-2022-3594: Denial-of-service in r8152 USB network driver.

Improper management of logging in the r8152 driver when handling
interrupts can lead to logging of excessive data. A remote attacker
could use this flaw to flood the system logs and hinder the ability to
detect anomalous conditions.


* CVE-2023-0458: Information leak in system calls to get and set resource limits.

A flaw in the do_prlimit() function, which is invoked by a number of system
calls to get and set resource limits, could be used to leak kernel memory
as part of a side-channel attack (such as MDS).


* CVE-2023-1079: Use-after-free in HID driver for Asus notebook built-in keyboard.

Insufficient locking in the HID driver for Asus notebook built-in keyboard can
allow a malicious USB device which advertises itself as an Asus device to
trigger a use-after-free. This may allow a local user to cause memory
corruption.


* Note: Oracle has determined that CVE-2023-33203 is not applicable.

Incorrect cleanup logic in the Qualcomm Ethernet Media Access Controller
(EMAC) Driver can cause a use-after-free when an emac based device is
removed. This can allow a user with physical access to escalate privileges
or cause undefined behavior.

The kernel is not affected by CVE-2023-33203 since the code under
consideration is not compiled.


* CVE-2023-1989: Denial-of-service when unloading the Bluetooth SDIO driver.

A missing clean-up routine to cancel a timer when removing a Bluetooth SDIO
could lead to a use-after-free.  A local, privileged user could use this
flaw to cause a denial-of-service.


* CVE-2022-28388: Code execution in 8devices USB2CAN interface.

A double-free in the USB2CAN interface from 8devices could result in
memory leaks and data corruption.  A local user could use this flaw for
a denial-of-service or code execution.


* CVE-2023-1075: Information disclosure in Transport Layer Security support.

A type confusion error in TLS support when checking for list emptiness
in tls_is_tx_ready() may lead to a read to an unauthorized memory
location. A local attacker could use this flaw to expose sensitive
information from the kernel.


* CVE-2023-3161: Denial-of-service when setting font size.

A missing check when setting font size when using framebuffer could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2023-3141: Use-after-free in the r592 driver's device removal path.

A race condition can occur when removing an r592 device that can lead to
a use-after-free.  This flaw could be exploited by a local attacker to
cause a denial-of-service, or to leak sensitive information from kernel
memory.


* CVE-2023-3212: NULL dereference in GFS2 file system.

On corrupt gfs2 file systems, the evict logic can dereference the journal
descriptor after it has been freed, leading to a NULL pointer dereference. A
local user with privileges can use this flaw to cause denial-of-service.


* CVE-2022-45869: Denial-of-service when using virtualization with TDP MMU.

A locking error when using nested virtualization with TDP MMU enabled
could lead to a race condition. An attacker from a guest could use this
flaw to cause a denial-of-service.


* CVE-2023-31084: Potential deadlock during DVB driver event processing.

An incorrect use of a semaphore can potentially cause a deadlock in the
DVB core driver.  This flaw could be exploited by an unprivileged local
attacker to cause a denial-of-service.


* CVE-2023-35824: Use-after-free during dm1105 device removal.

A race condition in the dm1105 driver's device removal path can result
in a use-after-free.  This flaw could be exploited by a local attacker
to cause a denial-of-service or other unexpected behavior.


* CVE-2022-45887: Memory leak in Technotrend/Hauppauge USB DEC driver.

A memory leak in the Technotrend/Hauppauge USB DEC driver can occur
when a device is disconnected. A local attacker can use this flaw
to cause a denial-of-service.


* CVE-2023-35823: Use-after-free in Philips SAA7134 TV card driver.

Incorrect cleanup logic in the saa7134 driver can cause a use-after-free
when the device is removed. This can allow a user with physical access
to escalate privileges or cause undefined behavior.


* CVE-2023-28772: Buffer overflow in seq_buf helper.

A missing check in the seq_buf helper to write raw memory into a buffer
in ASCII hex could lead to a buffer overflow. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2023-3268: Out-of-bounds memory access in kernel-userspace relay file support.

An out-of-bounds memory access error exists in the kernel->userspace relay
support. This could allow a local attacker to crash the system or leak
kernel internal information.


* CVE-2023-3772: Denial-of-service in the IP framework for transforming packets.

A missing check in the IP framework for transforming packets could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2023-1380: Out-of-bounds read in Broadcom 802.11 Networking Device Driver.

Out-of-bounds read exists in the Broadcom 802.11 Networking Device Driver. This
can lead to a denial-of-service.


* CVE-2023-4206, CVE-2023-4207, CVE-2023-4208: Use-after-free when modifying Netfilter U32/route filters.

A logic error when copying an internal memory structure can lead to a
use-after-free when modifying certain Netfilter filters.  A local
attacker could exploit this flaw to escalate their privileges.


* CVE-2023-3611: Privelege escalation in QFQ network scheduler.

An arithmetic error in the Quick Fair Queueing network scheduler can
lead to an out-of-bounds write.  This flaw can be exploited by a local
attacker to escalate their privilege.


* CVE-2022-4744: Privilege escalation in TUN/TAP device driver.

A flaw in the TUN/TAP device driver when freing a device could result in
a double-free. A local user could use this flaw for denial-of-service or
privilege escalation.


* CVE-2023-30456: Privilege escalation in Intel VMX subsystem for KVM.

Insufficient checking in Intel VMX system for KVM can allow a nested guest
to control values in the virtual machine control structure. This can allow a
local user to escalate privileges.


* CVE-2023-3609: Privilege escalation in U32 network packet classifier.

Incorrect reference counter handling in the network packet scheduler when
classifying using Universal 32-bit comparisons with hashing can lead to
use-after-free. This can allow a local user to trigger privilege escalation.


* CVE-2022-3640: Use-after-free in Bluetooth subsystem.

A logic flaw in receive data path of the Bluetooth subsystem could
result in a use-after-free. A local user could use this flaw to cause
a denial-of-service or execute arbitrary code.


* CVE-2023-1252: Use-after-free when using overlayfs on ext4.

When using overlayfs with an ext4 filesystem, improper reference
counting of overlayfs request objects could result in a use-after-free
if multiple filesystem operations were performed simultaneously. A
malicious user might exploit this to cause a denial-of-service.


* CVE-2023-1073: Memory Corruption in HID subsystem.

An error in the human interface device (HID) subsystem during insertion
of a USB device can trigger memory corruption. This can allow a local
user to cause denial-of-service or escalate privileges.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-1206.

Oracle has determined that patching CVE-2023-1206 on a running system
would not be safe and recommends a reboot.
Servers receiving connections from untrusted clients on an IPv6 address
could be targets of denial-of-service attacks.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-4155.

Oracle has determined that patching CVE-2023-4155 on a running system
would not be safe and recommends a reboot.

Hypervisors running on AMD CPUs with untrusted guests using Secure
Encrypted Virtualization features could potentially cause a host
denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-0597.

The lack of address randomization for the kernel per-cpu entry area could
allow an unprivileged user to guess the location of the kernel's CPU
exception stacks or other important data structures to aid certain types
of attacks targeting the kernel which require address space layout
determinism.

Oracle has determined that enabling address randomization for per-cpu
entry area on a running system would not be safe and recommends
a reboot if such mitigation is required.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-40982.

The fix for this CVE on systems running EL8 is a microcode update for
affected CPUs. Customers will need to upgrade the microcode on affected
CPUs in order to mitigate this vulnerability.


* CVE-2022-3169: Denial-of-service in NVM Express block device.

A flaw in ioctls of NVM Express block device could result in PCIe link
disconnect. A local user could use this flaw for a denial-of-service.


* CVE-2023-2269: Denial-of-service in Device Mapper-Multipathing subsystem.

A possible recursive locking scenario in Linux Kernel Device Mapper
Multipathing subsystem can lead to a deadlock. A local user can use
this flaw to cause denial of service.


* CVE-2019-15291: Denial-of-service in B2C2 FlexCop driver probing.

Incorrect device validation when probing a B2C2 FlexCop driver could
result in a NULL pointer dereference and kernel crash.  A local user
with the ability to insert USB devices could use this flaw to crash the
system.


* CVE-2023-0590: Use-after-free in network scheduler.

A race condition in net scheduler when dropping the reference of a queue
discipline object in qdisc_graft() may lead to a use-after-free. A local
user could use this flaw to cause a denial-of-service.


* CVE-2023-3358: Denial-of-service when using Intel Integrated Sensor Hub.

A missing check after allocating memory when using Intel Integrated
Sensor Hub could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2023-1077: Memory Corruption in Real-Time Scheduling Class.

Incorrect error checking logic in the Real-Time Scheduling Class can lead to
memory corruption. This can allow a local user to cause denial-of-service or
escalate privileges.


* CVE-2023-1074: Memory Leak in Stream Control Transmission Protocol.

A flaw in the Stream Control Transmission Protocol (sctp) can allow a
local user to start a malicious networking service that leaks kernel
memory. This could allow the user to starve resources leading to a
denial-of-service.


* CVE-2023-3159: Use-after-free in Firewire driver.

A data race in Firewire driver could lead to a use-after-free. A local
attacker with special privilege could use this flaw to cause a denial
of service or execute arbitrary code.


* CVE-2021-43975: Out-of-bounds access in aQuantia AQtion(tm) Ethernet card driver.

A lack of input validation in aQuantia AQtion(tm) Ethernet card driver
could result in an out-of-bounds access. Compromised/Malfunctioning
devices could be used by an attacker to trigger this flaw and cause
a denial-of-service or execute arbitrary code.


* CVE-2023-28328: Denial-of-service in Azurewave AZ6027 driver during ioctl processing.

A missing length check on a buffer passed in from userspace via an ioctl
can result in a NULL pointer dereference.  This flaw could be exploited
by a remote attacker to cause a denial-of-service.


* CVE-2023-4132: Use-after-free in Siano MDTV reciever driver.

A logic error in the smsusb driver can lead to a use-after-free
scenario.  This flaw could be exploited by an unprivileged local
attacker to cause a denial-of-service.


* CVE-2023-44466: Out-of-bounds memory access in Ceph file system messenger protocol.

An integer signedness error in the Ceph file system messenger protocol
when processing HELLO or AUTH frames could lead to a buffer overflow. A
remote attacker could use this flaw to execute arbitrary code.


* CVE-2023-45862: Denial-of-service when using ENE UB6250 reader driver.

A logic error when using ENE UB6250 reader driver could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Note: Oracle has determined that CVE-2023-23559 is not applicable.

A buffer overflow exists in the driver code for wireless USB devices based on
Remote Network Driver Interface Specification (RNDIS). This could allow a local
user to cause denial-of-service.

The kernel is not affected by CVE-2023-23559 since the code under
consideration is not compiled.


* CVE-2023-1998: Information disclosure due to disabled Single Thread Indirect Branch Predictors.

With legacy Indirect Branch Restricted Speculation (IBRS), Single Thread
Indirect Branch Predictors (STIBP) was incorrectly determined to be not
needed. This could allow cross-thread branch target injection and
information disclosure.


* CVE-2023-1637: Speculative MSRs when suspend to RAM.

A speculative execution flaw that boot CPU could be vulnerable in the
Linux kernel X86 CPU Power management when user resuming CPU from
suspend to RAM was found. A local user could use this flaw to
get unauthorized access to memory.


* CVE-2023-4732: Denial-of-service in the memory management subsystem.

A logic error in the memory management subsystem could lead to a kernel
assert. A local attacker could use this flaw to cause a denial-of-
service.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-38457.

CVE-2022-38457 is a use-after-free vulnerability in the vmxgfx driver.
Oracle recommends a reboot for customer using this driver.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-40133.

CVE-2022-40133 is a use-after-free vulnerability in the vmxgfx driver.
Oracle recommends a reboot for customer using this driver.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-33951.

CVE-2023-33951 is an information leak in the vmxgfx driver.
Oracle recommends a reboot for customer using this driver.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-33952.

CVE-2023-33952 is a privilege escalation in the vmxgfx driver.
Oracle recommends a reboot for customer using this driver.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





More information about the El-errata mailing list