[El-errata] New Ksplice updates for RHCK 9 (ELSA-2023-6583)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jan 18 18:07:05 UTC 2024


Synopsis: ELSA-2023-6583 can now be patched using Ksplice
CVEs: CVE-2021-39698 CVE-2021-43975 CVE-2022-28356 CVE-2022-3169 CVE-2022-3344 CVE-2022-3534 CVE-2022-3565 CVE-2022-3594 CVE-2022-3606 CVE-2022-3635 CVE-2022-38457 CVE-2022-40133 CVE-2022-40307 CVE-2022-40982 CVE-2022-42895 CVE-2023-0597 CVE-2023-1073 CVE-2023-1074 CVE-2023-1075 CVE-2023-1076 CVE-2023-1077 CVE-2023-1079 CVE-2023-1206 CVE-2023-1252 CVE-2023-1380 CVE-2023-1513 CVE-2023-1652 CVE-2023-1829 CVE-2023-1838 CVE-2023-1855 CVE-2023-1989 CVE-2023-2156 CVE-2023-2162 CVE-2023-2163 CVE-2023-2269 CVE-2023-23454 CVE-2023-23455 CVE-2023-23559 CVE-2023-25012 CVE-2023-26545 CVE-2023-28328 CVE-2023-30456 CVE-2023-3141 CVE-2023-31436 CVE-2023-3161 CVE-2023-3212 CVE-2023-3268 CVE-2023-33203 CVE-2023-3358 CVE-2023-33951 CVE-2023-33952 CVE-2023-3609 CVE-2023-3772 CVE-2023-39191 CVE-2023-4132 CVE-2023-4155 CVE-2023-4194 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 CVE-2023-4273 CVE-2023-42755 CVE-2023-44466 CVE-2023-45862

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2023-6583.
More information about this advisory can be found at
https://linux.oracle.com/errata/ELSA-2023-6583.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 9 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
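The two paths described above (automatic installation when autoinstall is enabled, manual `uptrack-upgrade -y` otherwise) can be checked from a script. The following helper is an added example and not part of the Oracle announcement or the Ksplice tooling; it assumes only what the text states, namely that /etc/uptrack/uptrack.conf is an INI-style file containing `autoinstall = yes` and that the upgrade command lives at /usr/sbin/uptrack-upgrade.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether a host will pick up the
# Ksplice updates on its own or needs a manual uptrack-upgrade run.
# Assumption: uptrack.conf is INI-style with a line "autoinstall = yes".

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Comment lines (starting with # or ;) are ignored because the key must be
# the first token on the line; the value comparison is case-insensitive and
# a trailing inline comment is stripped. The last assignment wins, as in
# most INI readers.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    val=$(sed -n \
        's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# Print the action the announcement prescribes for this host.
ksplice_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall: updates will be applied automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Usage: ksplice_update_action            # inspects /etc/uptrack/uptrack.conf
#        ksplice_update_action ./some.conf
```

Running `ksplice_update_action` with no argument inspects the live configuration; passing a path lets the same check run against a copy pulled from a fleet inventory.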


DESCRIPTION

* CVE-2022-42895: Information disclosure in Bluetooth subsystem.

A missing sanity check when parsing a configuration request in the Bluetooth
L2CAP implementation could result in out-of-bounds memory access.
A physically proximate attacker could use this flaw for information
disclosure.


* CVE-2023-1077: Memory Corruption in Real-Time Scheduling Class.

Incorrect error checking logic in the Real-Time Scheduling Class can lead to
memory corruption. This can allow a local user to cause denial-of-service or
escalate privileges.


* CVE-2023-26545: Stale pointer in Multiprotocol Label Switching subsystem.

Incorrect error handling in the Multiprotocol Label Switching subsystem
(MPLS) during the renaming of a device can lead to a double free. This could
allow a local user to write to arbitrary memory locations or cause
denial-of-service.


* CVE-2023-1652: Use-after-free in NFS server support for NFS version 4.

A logic flaw in NFS server support for NFS version 4 could result in a
use-after-free. A local user could use this flaw to cause denial-of-service or
leak sensitive kernel information.


* Memory leak in the RDMA resource tracking when deleting an object.

An early return when deleting an object from the RDMA resource tracking
database causes a memory leak of the corresponding task structure.  An
attacker could use this flaw to cause a denial-of-service.


* CVE-2023-2269: Denial-of-service in Device Mapper-Multipathing subsystem.

A possible recursive locking scenario in Linux Kernel Device Mapper
Multipathing subsystem can lead to a deadlock. A local user can use
this flaw to cause denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-3534 and CVE-2022-3606.

The kernel is not affected by CVE-2022-3534 and CVE-2022-3606 since the code
under consideration is not compiled.


* CVE-2023-2162: Use-after-free during iSCSI login.

A logic error in the iSCSI login path can result in a use-after-free
error.  This flaw could be exploited by a local attacker to cause
a denial-of-service or to aid in another type of attack.


* Note: Oracle has determined that CVE-2023-31436 is not applicable.

An arithmetic error in the sch_qfq driver can lead to an out-of-bounds
memory access.  A local attacker could exploit this flaw to leak
sensitive information or to cause other undefined behavior.

The kernel is not affected by CVE-2023-31436 since the code under
consideration is not compiled.


* CVE-2023-1074: Memory Leak in Stream Control Transmission Protocol.

A flaw in the Stream Control Transmission Protocol (SCTP) can allow a
local user to start a malicious networking service that leaks kernel
memory. This could allow the user to starve resources leading to a
denial-of-service.


* CVE-2022-3594: Denial-of-service in r8152 USB network driver.

Improper management of logging in the r8152 driver when handling
interrupts can lead to logging of excessive data. A remote attacker
could use this flaw to flood the system logs and hinder the ability to
detect anomalous conditions.


* Note: Oracle has determined that CVE-2023-28328 is not applicable.

A missing length check on a buffer passed in from userspace via an ioctl
can result in a NULL pointer dereference.  This flaw could be exploited
by a remote attacker to cause a denial-of-service.

The kernel is not affected by CVE-2023-28328 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-23559 is not applicable.

A buffer overflow exists in the driver code for wireless USB devices based on
Remote Network Driver Interface Specification (RNDIS). This could allow a local
user to cause denial-of-service.

The kernel is not affected by CVE-2023-23559 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-33203 is not applicable.

Incorrect cleanup logic in the Qualcomm Ethernet Media Access Controller
(EMAC) Driver can cause a use-after-free when an EMAC-based device is
removed. This can allow a user with physical access to escalate privileges
or cause undefined behavior.

The kernel is not affected by CVE-2023-33203 since the code under
consideration is not compiled.


* CVE-2023-3358: Denial-of-service when using Intel Integrated Sensor Hub.

A missing check after allocating memory when using Intel Integrated
Sensor Hub could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* Incorrect XFS inode metadata stored to disk.

A race condition during certain XFS operations can lead to incorrect
inode metadata being written to disk.


* CVE-2021-43975: Out-of-bounds access in aQuantia AQtion(tm) Ethernet card driver.

A lack of input validation in the aQuantia AQtion(tm) Ethernet card driver
could result in an out-of-bounds access. Compromised/Malfunctioning
devices could be used by an attacker to trigger this flaw and cause
a denial-of-service or execute arbitrary code.


* CVE-2023-1989: Denial-of-service when unloading the Bluetooth SDIO driver.

A missing clean-up routine to cancel a timer when removing a Bluetooth SDIO device
could lead to a use-after-free.  A local, privileged user could use this
flaw to cause a denial-of-service.


* CVE-2023-2163: Out-of-bounds memory access in BPF program verifier.

A flaw in the BPF verifier may allow a BPF program path to be
prematurely marked as safe, potentially leading to an out-of-bounds
read or write access. An attacker could use this flaw for
denial-of-service or arbitrary code execution.


* CVE-2023-3161: Denial-of-service when setting font size.

A missing check when setting the font size on a framebuffer console could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2023-1073: Memory Corruption in HID subsystem.

An error in the human interface device (HID) subsystem during insertion
of a USB device can trigger memory corruption. This can allow a local
user to cause denial-of-service or escalate privileges.


* CVE-2023-2156: Denial-of-service in Routing Protocol for Low-Power and Lossy Networks.

Incorrect header size calculation in the RPL protocol can lead to an
assertion failure. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2023-2156: Insufficient input validation in IPv6 RPL Source Routing.

Insufficient input validation in IPv6 RPL Source Routing can lead to an
assertion failure. This can allow a remote unauthenticated attacker to
create a denial-of-service.


* CVE-2023-3609: Privilege escalation in U32 network packet classifier.

Incorrect reference counter handling in the network packet scheduler when
classifying using Universal 32-bit comparisons with hashing can lead to
use-after-free. This can allow a local user to trigger privilege escalation.


* CVE-2023-3212: NULL dereference in GFS2 file system.

On corrupt gfs2 file systems, the evict logic can dereference the journal
descriptor after it has been freed, leading to a NULL pointer dereference. A
local user with privileges can use this flaw to cause denial-of-service.


* CVE-2023-44466: Out-of-bounds memory access in Ceph file system messenger protocol.

An integer signedness error in the Ceph file system messenger protocol
when processing HELLO or AUTH frames could lead to a buffer overflow. A
remote attacker could use this flaw to execute arbitrary code.


* CVE-2023-3268: Out-of-bounds memory access in kernel-userspace relay file support.

An out-of-bounds memory access error exists in the kernel->userspace relay
support. This could allow a local attacker to crash the system or leak
kernel internal information.


* CVE-2023-3141: Use-after-free in the r592 driver's device removal path.

A race condition can occur when removing an r592 device that can lead to
a use-after-free.  This flaw could be exploited by a local attacker to
cause a denial-of-service, or to leak sensitive information from kernel
memory.


* CVE-2023-1838: Information leak in virtio net driver.

A race condition in the virtio network driver can lead to a
use-after-free scenario.  This flaw could be exploited by a local
attacker to cause a denial-of-service, or to leak privileged information
from kernel memory.


* CVE-2023-1380: Out-of-bounds read in Broadcom 802.11 Networking Device Driver.

An out-of-bounds read exists in the Broadcom 802.11 Networking Device Driver. This
can lead to a denial-of-service.


* Note: Oracle has determined that CVE-2023-1855 is not applicable.

A logic error in the APM X-Gene SoC hardware monitoring driver leads to a
use-after-free. A local user can use this flaw to cause denial-of-service or
leak information.

The kernel is not affected by CVE-2023-1855 since the code under
consideration is not compiled.


* CVE-2023-4206, CVE-2023-4207, CVE-2023-4208: Use-after-free when modifying Netfilter U32/route filters.

A logic error when copying an internal memory structure can lead to a
use-after-free when modifying certain Netfilter filters.  A local
attacker could exploit this flaw to escalate their privileges.


* CVE-2023-1076: Permission bypass in tun/tap sockets.

Incorrect initialization in the tun/tap socket code could allow sockets
to be treated incorrectly in filtering and routing decisions. This could
allow bypassing of network filters.


* Note: Oracle has determined that CVE-2022-3565 is not applicable.

A race condition in mISDN when l1oip_cleanup is called while a timer
handler is running may lead to a use-after-free. A local user could use
this flaw for a denial-of-service or privilege escalation.

The kernel is not affected by CVE-2022-3565 since the code under
consideration is not compiled.


* CVE-2023-1075: Information disclosure in Transport Layer Security support.

A type confusion error in TLS support when checking for list emptiness
in tls_is_tx_ready() may lead to a read from an unauthorized memory
location. A local attacker could use this flaw to expose sensitive
information from the kernel.


* CVE-2023-4194: Permission bypass when using TUN/TAP device driver.

Usage of an incorrect permission attribute when opening a TAP or TUN
device could lead to a permission bypass. A local attacker could use
this flaw to bypass network filters and gain unauthorized access.


* CVE-2022-3169: Denial-of-service in NVM Express block device.

A flaw in ioctls of NVM Express block device could result in PCIe link
disconnect. A local user could use this flaw for a denial-of-service.


* Note: Oracle has determined that CVE-2022-3635 is not applicable.

The IDT 77252 ATM PCI device driver did not remove pending timers during
device exit, which could lead to a use-after-free. A local attacker could
potentially use this to cause a denial-of-service or execute arbitrary code.

The kernel is not affected by CVE-2022-3635 since the code under
consideration is not compiled.


* Use-after-free in wireless LAN (802.11) configuration API.

Improperly reset information from previous connections in cfg80211
during reconnect may lead to a use-after-free. A remote user could
use this flaw to cause a denial-of-service or possibly execute arbitrary
code.


* Note: Oracle has determined that CVE-2023-4132 is not applicable.

A logic error in the smsusb driver can lead to a use-after-free
scenario.  This flaw could be exploited by an unprivileged local
attacker to cause a denial-of-service.

The kernel is not affected by CVE-2023-4132 since the code under
consideration is not compiled.


* CVE-2023-3772: Denial-of-service in the IP framework for transforming packets.

A missing check in the IP framework for transforming packets could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2023-1079: Use-after-free in HID driver for Asus notebook built-in keyboard.

Insufficient locking in the HID driver for Asus notebook built-in keyboard can
allow a malicious USB device which advertises itself as an Asus device to
trigger a use-after-free. This may allow a local user to cause memory
corruption.


* Note: Oracle has determined that CVE-2022-28356 is not applicable.

A reference counting flaw in socket binding of the 802.2 LLC type 2
driver could happen in some error conditions. A local user could use
this flaw to cause a denial-of-service.

The kernel is not affected by CVE-2022-28356 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-25012 is not applicable.

Insufficient locking in the bigben HID driver can allow a malicious USB
device which advertises itself as a BigBen device to trigger a
use-after-free. This may allow a local user to cause memory corruption.

The kernel is not affected by CVE-2023-25012 since the code under
consideration is not compiled.


* Denial-of-service and filesystem corruption during XFS writeback.

A race between certain XFS writeback operations can lead to system
crashes and filesystem corruption.


* Note: Oracle has determined that CVE-2023-23454 is not applicable.

When dropping a packet in the Class-Based Queueing (CBQ) packet scheduling
algorithm, invalid data may be read. A local user can use this to cause
denial-of-service.

The kernel is not affected by CVE-2023-23454 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-23455 is not applicable.

A logic error during a queue operation in the sch_atm driver can result
in an invalid pointer access.  This flaw could be exploited by a local
attacker to cause a denial-of-service.

The kernel is not affected by CVE-2023-23455 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-40307 is not applicable.

A race condition in EFI capsule loader when simultaneously performing a
write and a close operation on the device node may lead to a
use-after-free. A local user could use this flaw to cause a
denial-of-service or escalate privileges.

The kernel is not affected by CVE-2022-40307 since the code under
consideration is not compiled.


* CVE-2023-1252: Use-after-free when using overlayfs on ext4.

When using overlayfs with an ext4 filesystem, improper reference
counting of overlayfs request objects could result in a use-after-free
if multiple filesystem operations were performed simultaneously. A
malicious user might exploit this to cause a denial-of-service.


* CVE-2023-45862: Out-of-bounds read in USB ENE card reader when reading bootblock.

An incorrect allocation size when allocating a page buffer could lead to
a memory out-of-bounds array read. A local user with physical access
could potentially use this flaw to leak kernel memory or cause a
denial-of-service.


* CVE-2021-39698: Use-after-free in file polling interface.

The file polling implementation contains a potential use-after-free when
associated tasks are not correctly woken up. A malicious user might
exploit this to cause a denial-of-service or privilege escalation.


* Note: Oracle has determined that CVE-2023-1829 is not applicable.

A flaw in tcindex when deactivating filters can lead to a double-free. A
local attacker could use this flaw to cause a denial-of-service or
elevate privileges on the system.

The kernel is not affected by CVE-2023-1829 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-42755 is not applicable.

A flaw in the RSVP classifier may lead to an out-of-bounds memory read.
A local user could use this flaw to cause a denial-of-service. Note that
this update prevents the cls_rsvp and cls_rsvp6 modules from being loaded.

The kernel is not affected by CVE-2023-42755 since the code under
consideration is not compiled.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-1206.

Oracle has determined that patching CVE-2023-1206 on a running system
would not be safe and recommends a reboot.
Servers receiving connections from untrusted clients on an IPv6 address
could be targets of denial-of-service attacks.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-4155.

Oracle has determined that patching CVE-2023-4155 on a running system
would not be safe and recommends a reboot.

Hypervisors running on AMD CPUs with untrusted guests using Secure
Encrypted Virtualization features could potentially cause a host
denial-of-service.


* CVE-2023-1513: Information leak in KVM ioctl.

Incomplete initialization of structure returned to user during KVM's
KVM_GET_DEBUGREGS ioctl can lead to information leak. This can allow a local
user to access privileged data.


* CVE-2023-30456: Privilege escalation in Intel VMX subsystem for KVM.

Insufficient checking in the Intel VMX subsystem for KVM can allow a nested guest
to control values in the virtual machine control structure. This can allow a
local user to escalate privileges.


* CVE-2022-3344: Denial-of-service when allowing nested virtualization on AMD.

A logic error when handling nested guests from the hypervisor could lead
to a page fault on AMD. A guest attacker could use this flaw to cause a
denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-0597.

The lack of address randomization for the kernel per-cpu entry area could
allow an unprivileged user to guess the location of the kernel's CPU
exception stacks or other important data structures to aid certain types
of attacks targeting the kernel which require address space layout
determinism.

Oracle has determined that enabling address randomization for per-cpu
entry area on a running system would not be safe and recommends
a reboot if such mitigation is required.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-38457.

CVE-2022-38457 is a use-after-free vulnerability in the vmwgfx driver.
Oracle recommends a reboot for customers using this driver.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-40133.

CVE-2022-40133 is a use-after-free vulnerability in the vmwgfx driver.
Oracle recommends a reboot for customers using this driver.


* Note: Oracle will not provide a zero-downtime update for CVE-2022-40982.

The fix for this CVE on systems running EL9 is a microcode update for
affected CPUs. Customers will need to upgrade the microcode on affected
CPUs in order to mitigate this vulnerability.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-33951.

CVE-2023-33951 is an information leak in the vmwgfx driver.
Oracle recommends a reboot for customers using this driver.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-33952.

CVE-2023-33952 is a privilege escalation in the vmwgfx driver.
Oracle recommends a reboot for customers using this driver.


* CVE-2023-4273: Out-of-bounds memory access in exFAT.

Improper bounds checking in the exFAT driver when extracting the Unicode name
of a file from the directory index could lead to a stack overflow. A
local privileged attacker could use this flaw to execute arbitrary code
on the system.


* CVE-2023-39191: Local privilege escalation in eBPF subsystem.

Lack of input validation in the eBPF subsystem of the Linux kernel
while processing dynamic pointers within user-supplied eBPF programs
can lead to arbitrary code execution in the context of the kernel.
A local attacker with CAP_BPF privileges can use this flaw to escalate
privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.