[El-errata] New Ksplice updates for RHCK 9 (ELSA-2024-2394)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Jun 28 04:59:05 UTC 2024


Synopsis: ELSA-2024-2394 can now be patched using Ksplice
CVEs: CVE-2020-26555 CVE-2022-38096 CVE-2022-40307 CVE-2022-45887 CVE-2022-45934 CVE-2022-48632 CVE-2022-48655 CVE-2022-48708 CVE-2023-1989 CVE-2023-24023 CVE-2023-25775 CVE-2023-28866 CVE-2023-31083 CVE-2023-31436 CVE-2023-33250 CVE-2023-34256 CVE-2023-3567 CVE-2023-3611 CVE-2023-37453 CVE-2023-3773 CVE-2023-39189 CVE-2023-39192 CVE-2023-39193 CVE-2023-39194 CVE-2023-39198 CVE-2023-4133 CVE-2023-42752 CVE-2023-42754 CVE-2023-42756 CVE-2023-45863 CVE-2023-4623 CVE-2023-46862 CVE-2023-4881 CVE-2023-5090 CVE-2023-51779 CVE-2023-51780 CVE-2023-52434 CVE-2023-52435 CVE-2023-52448 CVE-2023-52469 CVE-2023-52470 CVE-2023-52476 CVE-2023-52486 CVE-2023-52516 CVE-2023-52522 CVE-2023-52529 CVE-2023-52530 CVE-2023-52578 CVE-2023-52580 CVE-2023-52587 CVE-2023-52597 CVE-2023-52610 CVE-2023-52669 CVE-2023-52691 CVE-2023-52694 CVE-2023-52768 CVE-2023-52769 CVE-2023-52774 CVE-2023-52776 CVE-2023-52821 CVE-2023-52826 CVE-2023-52827 CVE-2023-52829 CVE-2023-52853 CVE-2023-52861 CVE-2023-52866 CVE-2023-6040 CVE-2023-6121 CVE-2023-6176 CVE-2023-6531 CVE-2023-6622 CVE-2023-6915 CVE-2023-6931 CVE-2023-6932 CVE-2024-0565 CVE-2024-0641 CVE-2024-0775 CVE-2024-0841 CVE-2024-1085 CVE-2024-24855 CVE-2024-26586 CVE-2024-26593 CVE-2024-26607 CVE-2024-26620 CVE-2024-26633 CVE-2024-26665 CVE-2024-26671 CVE-2024-26688 CVE-2024-26752 CVE-2024-26763 CVE-2024-26766 CVE-2024-26979

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2024-2394.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2024-2394.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 9 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
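The following script is an added example; it is not part of this announcement or of the Ksplice tools. It shows a post-install check: given the "CVEs:" line of this advisory and the output of uptrack-show, it drops the CVEs that Oracle marks as not applicable below (those never appear as installed updates because the affected code is not compiled) and reports which of the remaining CVEs uptrack-show does not mention. The only assumption about uptrack-show is that the line for an installed update names the CVE(s) it addresses; the sample output and the shortened CVE line inside the script are constructed for the demonstration, and the file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example; not part of the Oracle advisory or of the Ksplice tools.
# After uptrack-upgrade, confirm that every CVE this advisory patches is
# reported by `uptrack-show`. CVEs Oracle marks "not applicable" (the code is
# not compiled into RHCK 9) never appear as installed updates, so they are
# excluded from the expectation rather than flagged as missing.
#
# Assumption: an installed update's line in `uptrack-show` output mentions the
# CVE id(s) it addresses; nothing else about the format is relied on.
# SAMPLE_SHOW and SAMPLE_CVES below are constructed for illustration, not
# captured from a real system.

# CVEs the advisory marks "not applicable" for RHCK 9 (one space-separated
# string; the backslash-newlines are line continuations inside the quotes).
NOT_APPLICABLE="CVE-2022-40307 CVE-2022-45887 CVE-2022-48632 CVE-2022-48655 \
CVE-2022-48708 CVE-2023-31436 CVE-2023-3611 CVE-2023-33250 CVE-2023-39192 \
CVE-2023-4623 CVE-2023-52469 CVE-2023-52516 CVE-2023-52597 CVE-2023-52669 \
CVE-2023-52691 CVE-2023-52694 CVE-2023-52768 CVE-2023-52769 CVE-2023-52774 \
CVE-2023-52776 CVE-2023-52821 CVE-2023-52826 CVE-2023-52827 CVE-2023-52829 \
CVE-2023-52853 CVE-2023-52861 CVE-2023-52866 CVE-2024-26607 CVE-2024-26620"

# Print, one per line, the ids from an advisory "CVEs:" line ($1) that should
# show up as installed Ksplice updates, i.e. all but the not-applicable ones.
expected_cves() {
    for cve in $(printf '%s\n' "$1" | sed 's/^CVEs:[[:space:]]*//'); do
        case " $NOT_APPLICABLE " in
            *" $cve "*) ;;              # not applicable: nothing to expect
            *) printf '%s\n' "$cve" ;;
        esac
    done
}

# Print the expected ids (newline-separated, $1) that uptrack-show output ($2)
# does not mention. Matches whole ids only, so CVE-2023-4623 is not satisfied
# by a line that mentions CVE-2023-46230. Empty output means all are present.
missing_cves() {
    printf '%s\n' "$1" | while read -r cve; do
        [ -n "$cve" ] || continue
        if ! printf '%s\n' "$2" | grep -Eq "(^|[^0-9])$cve([^0-9]|\$)"; then
            printf '%s\n' "$cve"
        fi
    done
}

# Run the check and print a verdict; returns 0 only when nothing is missing.
check_advisory() {
    expected=$(expected_cves "$1")
    missing=$(missing_cves "$expected" "$2")
    if [ -z "$missing" ]; then
        echo "all applicable CVEs are reported by uptrack-show"
        return 0
    fi
    echo "CVEs not reported by uptrack-show:"
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: a system that has applied only part of the advisory.
SAMPLE_SHOW="Installed updates:
CVE-2023-5090: Privilege escalation from KVM guests when configuring the x2apic.
CVE-2024-26766: Out-of-bounds write in Intel OPA Gen1 adapter driver.
CVE-2022-38096, CVE-2024-26979: Privilege escalation in VMware virtualized graphics driver."

# Constructed, shortened "CVEs:" line (the real one lists about ninety ids).
SAMPLE_CVES="CVEs: CVE-2022-38096 CVE-2022-40307 CVE-2023-5090 CVE-2023-52597 CVE-2024-26766 CVE-2024-26979 CVE-2024-1085"

# Stand-alone demonstration. On a live system, with this announcement saved
# to a file (placeholder name), use the real tool instead:
#   check_advisory "$(grep '^CVEs:' elsa-2024-2394.txt)" "$(uptrack-show)"
check_advisory "$SAMPLE_CVES" "$SAMPLE_SHOW" || true
```

On the constructed sample the check reports CVE-2024-1085 as missing and exits non-zero; CVE-2022-40307 and CVE-2023-52597 are silently skipped because Oracle lists them as not applicable, so their absence from uptrack-show is expected rather than a gap.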


DESCRIPTION

* CVE-2020-26555: Permission bypass from an unauthorized nearby Bluetooth device.

Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN.


* CVE-2022-38096, CVE-2024-26979: Privilege escalation in VMware virtualized graphics driver.

A flaw in the vmwgfx execbuf implementation can cause a NULL-pointer
dereference. A local user on a system using virtualized graphics could
use this flaw to escalate their privileges or cause a denial-of-service.


* CVE-2022-45934: Denial-of-service in Bluetooth L2CAP.

An integer overflow flaw in Bluetooth L2CAP when sending L2CAP
configuration request packets could result in a system crash. A local
user could use this flaw to cause a denial-of-service.


* CVE-2023-1989: Use-after-free in Bluetooth SDIO driver.

A race condition in the Bluetooth SDIO driver's device removal path can
lead to a use-after-free scenario.  This flaw could be exploited by a
malicious local user to cause a denial-of-service or other undefined
behavior.


* CVE-2023-24023: Authentication bypass when pairing Bluetooth devices.

A missing check when receiving an encryption key over Bluetooth could lead
to an authentication bypass. An attacker close to the machine could use
this flaw to impersonate a paired device.


* CVE-2023-25775: Information disclosure in the Intel(R) Ethernet Controller RDMA driver.

A flaw in the irdma driver allows zero-length STAGs to be programmed in
hardware. An attacker could use this flaw to access sensitive kernel
information.


* CVE-2023-28866: Denial-of-service in the Bluetooth HCI driver.

A missing NULL-terminator element in an array in the Bluetooth HCI driver
could lead to an out-of-bounds memory access.  An attacker could use this
flaw to cause a denial-of-service.


* CVE-2023-31083: Denial-of-service in Bluetooth HCI UART driver.

A race condition in Bluetooth HCI UART driver between HCIUARTSETPROTO and
HCIUARTGETPROTO ioctl commands may lead to a null pointer dereference.
A local user could use this flaw to cause a system crash.


* CVE-2023-34256: Out-of-bounds read in ext4 checksum handling.

An arithmetic error in a checksum generation routine in the ext4 driver
can lead to an out-of-bounds read.  This flaw could be exploited by a
malicious local user to leak sensitive information or to aid in another
type of attack.


* CVE-2023-3567: Information leak when using Virtual Terminal.

A logic error in the Virtual Terminal driver could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service or leak sensitive information.


* CVE-2023-37453: Denial-of-service in USB core.

A race condition in the USB subsystem could lead to an out-of-bounds read
while handling device descriptors in some situations. A local attacker
could potentially use this flaw to cause a denial-of-service.


* CVE-2023-3773: Information leak when using XFRM subsystem.

A logic error in the XFRM subsystem could lead to an out-of-bounds
read. A local attacker could use this flaw to leak information about the
running kernel and facilitate a further attack.


* CVE-2023-39189: Out-of-bounds access in Netfilter OSF over NFNETLINK interface.

Insufficient input validation in the Netfilter OSF over NFNETLINK interface
can lead to an out-of-bounds read.  This can lead to information disclosure.


* CVE-2023-39193: Out-of-bounds access in Netfilter xt_sctp module.

Incomplete input validation in Netfilter xt_sctp extension module allows a
local user with CAP_NET_ADMIN privileges to cause an out-of-bounds read.  This
can lead to a denial-of-service or information disclosure.


* CVE-2023-39194: Information disclosure when using xfrm subsystem.

A missing check in the xfrm subsystem could lead to an out-of-bounds
access. A local user could use this flaw to leak sensitive information.


* CVE-2023-39198: Use-after-free in QXL virtual GPU driver.

A race condition in the QXL virtual GPU driver could lead to a
use-after-free vulnerability. A local attacker could use this flaw
to cause a denial-of-service or potentially escalate privileges.


* CVE-2023-4133: Denial-of-service in Chelsio Communications T4/T5/T6 Ethernet driver.

Incorrect resource-release logic when detaching a cxgb4 device in the
Chelsio Communications T4/T5/T6 Ethernet support driver in the Linux
kernel can lead to a use-after-free. A local attacker can use this flaw
to cause a denial-of-service.


* CVE-2023-42752: Out-of-bounds memory access in TCP/IP networking.

Insufficient checks for integer overflow when allocating a socket buffer
could lead to an out-of-bounds memory write. A local user could use this
flaw for arbitrary code execution.


* CVE-2023-42754: Denial-of-service on IPv4 link failure.

A missing check on IPv4 link failure could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2023-42756: Denial-of-service in the netfilter subsystem.

A race condition in netfilter between IPSET_CMD_ADD and IPSET_CMD_SWAP
can lead to a kernel panic. A local user could use this flaw to cause a
denial-of-service.


* CVE-2023-45863: Out-of-bounds write in a library routine for handling generic kernel objects.

Handling of internal kernel objects can race, leading to an
out-of-bounds write. An attacker with root access can exploit
this to cause denial-of-service or aid in other types of attacks.


* CVE-2023-46862: NULL pointer dereference in io_uring subsystem.

A missing check in the io_uring subsystem could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2023-4881: Out-of-bounds access in Netfilter nf_tables exthdr subsystem.

Incorrect logic in the Netfilter nf_tables exthdr subsystem can lead to
out-of-bounds stack write.  This can potentially lead to stack corruption and
denial-of-service or information disclosure.


* CVE-2023-5090: Privilege escalation from KVM guests when configuring the x2apic.

A logic error in the KVM MSR interception routine allows a KVM guest to
configure the host x2apic.  A local, unprivileged guest VM could use this
flaw to escalate privileges to that of the host hypervisor.


* CVE-2023-51779: Denial-of-service when receiving data over Bluetooth.

A locking issue when receiving data over Bluetooth could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2023-51780: Use-after-free in the ATM networking stack.

Asynchronous Transfer Mode (ATM) ioctl calls can race with datagram
reception causing a use-after-free error. A local attacker can
exploit this to cause a denial-of-service or privilege escalation.


* CVE-2023-52434: Denial-of-service in SMB3 and CIFS support driver.

Missing checks in the SMB3 and CIFS support driver in the Linux kernel
can lead to an out-of-bounds access. An attacker can use this flaw to
cause a denial-of-service or as a step in another type of attack.


* CVE-2023-52435: Denial-of-service in net subsystem.

The core net subsystem is responsible for segmenting socket buffers for
various protocols. A missing bound check while doing that can lead to a
null-pointer dereference. A local attacker can exploit this flaw to
cause a denial-of-service.


* CVE-2023-52448: Denial-of-service in GFS2 filesystem.

Printing a resource group from the GFS2 filesystem can lead to a
null-pointer dereference. A local attacker can exploit this flaw
to cause denial-of-service.


* CVE-2023-52470: Denial-of-service in AMD Radeon display driver.

Allocation of scanout buffers for AMD Radeon GPUs can lead to a
null-pointer dereference. A local attacker can exploit this flaw
to cause denial-of-service.


* CVE-2023-52476: Denial-of-service in Performance monitoring driver.

A missing check when handling a vsyscall while LBR sampling is active
in the Performance monitoring driver in the Linux kernel can lead
to an incorrect memory access. A local attacker can use this flaw
to cause a denial-of-service.


* CVE-2023-52486: Denial-of-service in Direct Rendering Manager subsystem.

When replacing the scanned-out framebuffer with a new one, a deadlock
is possible leading to a use-after-free. A local attacker can exploit
this flaw to cause denial-of-service or aid in other types of attacks.


* CVE-2023-52522: Denial-of-service in Network support driver.

A missing memory barrier in the networking support driver in the Linux
kernel can lead to a data race. A local attacker could use this to
cause corruption of kernel data structures and cause a
denial-of-service.


* CVE-2023-52529: Resource leak in Sony PS2/3/4 driver.

A missing memory release during error handling in the Sony PS2/3/4
accessories HID driver in the Linux kernel leads to a memory leak.
An attacker with physical access to the device can use this flaw
to destabilize the kernel or as a step in another type of attack.


* CVE-2023-52530: Privilege escalation when adding a key in Generic IEEE 802.11 Networking Stack (mac80211).

A missing check when adding a key in Generic IEEE 802.11 Networking
Stack (mac80211) could lead to a use-after-free. A local attacker could
use this flaw to escalate privileges or facilitate an attack.


* CVE-2023-52578: Data race in 802.1d Ethernet Bridging driver.

A missing lock in the 802.1d Ethernet Bridging driver in the Linux
kernel can lead to a data race. An attacker can use this flaw to
cause a corruption of internal kernel data structures and cause
instability.


* CVE-2023-52580: Denial-of-service in ETH_P_1588 flow dissector.

An incorrect length calculation of the PTP Ethernet raw frame
in the ETH_P_1588 flow dissector of the Linux kernel can trigger an
internal assertion and crash the kernel. An attacker can use this flaw
to cause a denial-of-service.


* CVE-2023-52587: Deadlock in ipoib multicast mode.

Incorrect locking when iterating the multicast list for an IP-over-IB
connection could result in an infinite loop. A malicious user able to
create IP-over-IB connections might be able to exploit this to cause a
denial-of-service on the system.


* CVE-2023-52610: Denial-of-Service in the Traffic Control subsystem.

A flaw in the Traffic Control's connection tracking action could lead to
memory leaks or crash. A local unprivileged user could use this flaw
to cause a denial-of-service.


* CVE-2023-6040: Privilege escalation in Netfilter.

The Netfilter subsystem did not properly validate network family
support while creating a new Netfilter table. A local attacker
could use this flaw to cause a denial-of-service or potentially
escalate privileges.


* CVE-2023-6121: Out-of-bounds read in NVMe-oF/TCP subsystem.

NVMe Qualified Names (NQNs) used to identify the endpoints when setting
up connections are not NULL terminated, leading to out-of-bounds read.
An attacker can exploit this remotely by sending a malicious payload to
extract sensitive information from the kernel memory.


* CVE-2023-6176: Privilege escalation in Transport Layer Security subsystem.

Incorrect error handling in the Transport Layer Security subsystem while
performing cryptographic operations in some situations could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service or potentially escalate privileges.


* CVE-2023-6531: Use-after-free in io_uring subsystem.

Garbage collection of io_uring files races with the operations of
Unix-domain sockets which use the files, leading to a use-after-free
error. A local attacker can exploit this to cause a denial-of-service
or privilege escalation.


* CVE-2023-6622: Denial-of-service in Netfilter.

The Netfilter subsystem did not properly handle dynamic set expressions
provided by userspace, which could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2023-6915: Denial-of-service in kernel ID allocator.

During the freeing operation, if there are no nearby IDs allocated,
a NULL pointer is stored which is not checked for and thus is later
dereferenced. A local attacker can exploit this flaw to cause a
denial-of-service.


* CVE-2023-6931: Privilege escalation in Kernel Performance Events.

The Kernel Performance Events subsystem did not properly validate
all event sizes when attaching new events, which could lead to
an out-of-bounds write. A local attacker could use this flaw
to cause a denial-of-service or potentially escalate privileges.


* CVE-2023-6932: Privilege escalation in IGMP.

A race condition in the IGMP protocol implementation could lead
to a use-after-free vulnerability. A local attacker could use
this flaw to cause a denial-of-service or potentially escalate
privileges.


* CVE-2024-0565: Out-of-bounds access when reading encrypted SMB2 data.

When receiving SMB2 encryption information, the kernel CIFS client fails
to correctly validate the remote "NextCommand" field. A malicious server
might exploit this to cause a denial-of-service on the client.


* CVE-2024-0641: Denial-of-service in TIPC protocol implementation.

The Transparent Inter Process Communication (TIPC) protocol implementation
used incorrect locking during certain operations, leading to a possible
deadlock. A local attacker could use this flaw to cause a denial-of-service.


* CVE-2024-0775: Information leak when remounting ext4 filesystem.

A reference count issue when remounting an ext4 filesystem could lead to
a use-after-free. A local attacker could use this flaw to leak
information about the running kernel and facilitate a further attack.


* CVE-2024-0841, CVE-2024-26688: Denial-of-service when configuring a HugeTLB file system.

A logic error when configuring a HugeTLB file system using the fsconfig
syscall could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2024-1085: Use-after-free in the Netfilter nf_tables subsystem.

A double-free in the kernel's Netfilter nf_tables component can result in
a use-after-free. A local user can use this to cause a denial-of-service.


* CVE-2024-24855: Denial-of-service in the SCSI device driver.

A locking error in the SCSI device driver could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2024-26586: Denial-of-service in Mellanox Technologies Spectrum driver.

A logic error in Mellanox Technologies Spectrum driver could lead
to a kernel stack corruption. A local attacker could use this to
cause a denial-of-service.


* CVE-2024-26593: Data corruption in Intel 82801 (ICH/PCH) I2C driver.

The i2c-i801 driver has a flawed implementation of the block-write
block-read process call transactions, leading to reading wrong data
and leaving residual data in the device FIFO buffer. An attacker can
exploit this flaw to cause data corruption, denial-of-service, or aid
in other types of attacks.


* CVE-2024-26633: Denial-of-service in the IP-in-IPv6 tunnel driver.

A logic error in the IP-in-IPv6 tunnel driver could lead to an
uninitialized memory access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2024-26665: Privilege escalation in TCP/IP networking.

A logic error in TCP/IP networking when building an IPv6 PMTU error could
lead to an out-of-bounds memory access. A local attacker could use this
flaw to escalate privileges.


* CVE-2024-26671: Denial-of-service in block subsystem.

Lack of a CPU barrier in block multiqueue core code can lead to
re-ordering of some calls which leads to IO hang due to a race.
A local attacker can exploit this flaw to cause denial-of-service.


* CVE-2024-26752: Packet corruption during IPv6 header calculation in L2TP.

A mathematical error when calculating part of the IPv6 header can cause
the L2TP driver to transmit corrupted packets.  This flaw could
potentially be exploited to aid in another type of attack.


* CVE-2024-26763: Data corruption using dm-crypt.

A logic error in the dm-crypt driver when reading data while encrypting it
could lead to data corruption. A local attacker could use this flaw to
corrupt data.


* CVE-2024-26766: Out-of-bounds write in Intel OPA Gen1 adapter driver.

A logic error in the Intel OPA Gen1 adapter driver causes an off-by-one
error and an out-of-bounds write that can be triggered by a simple
sendmsg() syscall. A local attacker can exploit this flaw to cause a
denial-of-service or escalate privileges.


* Note: Oracle has determined that CVE-2022-40307 is not applicable.

A race condition in EFI capsule loader when simultaneously performing a
write and a close operation on the device node may lead to a
use-after-free. A local user could use this flaw to cause a
denial-of-service or escalate privileges.

The kernel is not affected by CVE-2022-40307
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2022-45887 is not applicable.

A memory leak in the Technotrend/Hauppauge USB DEC driver can occur
when a device is disconnected. A local attacker can use this flaw
to cause a denial-of-service.

The kernel is not affected by CVE-2022-45887
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-31436, CVE-2023-3611 are not applicable.

An arithmetic error in the Quick Fair Queueing network scheduler can
lead to an out-of-bounds write.  This flaw can be exploited by a local
attacker to escalate their privilege.

The kernel is not affected by CVE-2023-31436, CVE-2023-3611
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-39192 is not applicable.

Incomplete input validation in Netfilter xt_u32 extension module
allows a local privileged user to cause an out-of-bounds read.  This can
lead to a denial-of-service or information disclosure.

The kernel is not affected by CVE-2023-39192
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-4623 is not applicable.

A flaw in the net/sched sch_hfsc component may lead to a use-after-free.
A local user could use this flaw for privilege escalation.

The kernel is not affected by CVE-2023-4623 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52469 is not applicable.

A race in the power management code of the AMD GPU driver for CIK ASICs
can lead to a use-after-free error. A local attacker can exploit this
flaw to cause a denial-of-service or aid in other types of attacks.

The kernel is not affected by CVE-2023-52469
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52597 is not applicable.

A race between an IRQ and the handling of the floating-point control
register for a KVM guest can corrupt that register on System/390 machines.
A local attacker can exploit this flaw to cause a denial-of-service, data
corruption, or aid in other types of attacks.

The kernel is not affected by CVE-2023-52597 since the code under
consideration is not compiled (kernel is not built for System/390).


* Note: Oracle has determined that CVE-2022-48632 is not applicable.

The kernel is not affected by CVE-2022-48632
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2022-48655 is not applicable.

The kernel is not affected by CVE-2022-48655
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2022-48708 is not applicable.

The kernel is not affected by CVE-2022-48708
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-33250 is not applicable.

The kernel is not affected by CVE-2023-33250
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52516 is not applicable.

The kernel is not affected by CVE-2023-52516
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52669 is not applicable.

The kernel is not affected by CVE-2023-52669
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52691 is not applicable.

The kernel is not affected by CVE-2023-52691
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52694 is not applicable.

The kernel is not affected by CVE-2023-52694
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52768 is not applicable.

The kernel is not affected by CVE-2023-52768
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52769 is not applicable.

The kernel is not affected by CVE-2023-52769
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52774 is not applicable.

The kernel is not affected by CVE-2023-52774
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52776 is not applicable.

The kernel is not affected by CVE-2023-52776
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52821 is not applicable.

The kernel is not affected by CVE-2023-52821
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52826 is not applicable.

The kernel is not affected by CVE-2023-52826
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52827 is not applicable.

The kernel is not affected by CVE-2023-52827
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52829 is not applicable.

The kernel is not affected by CVE-2023-52829
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52853 is not applicable.

The kernel is not affected by CVE-2023-52853
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52861 is not applicable.

The kernel is not affected by CVE-2023-52861
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52866 is not applicable.

The kernel is not affected by CVE-2023-52866
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2024-26607 is not applicable.

The kernel is not affected by CVE-2024-26607
since the code under consideration is not compiled.


* Note: Oracle has determined that CVE-2024-26620 is not applicable.

The kernel is not affected by CVE-2024-26620
since the code under consideration is not compiled.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.