[El-errata] New Ksplice updates for UEKR7 5.15.0 on OL8 and OL9 (ELSA-2024-12159)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Mar 1 21:14:17 UTC 2024


Synopsis: ELSA-2024-12159 can now be patched using Ksplice
CVEs: CVE-2020-26555 CVE-2023-25775 CVE-2023-28464 CVE-2023-35827 
CVE-2023-46343 CVE-2023-46813 CVE-2023-46862 CVE-2023-51779 
CVE-2023-51780 CVE-2023-51781 CVE-2023-51782 CVE-2023-5717 CVE-2023-6111 
CVE-2023-6121 CVE-2023-6246 CVE-2023-6531 CVE-2023-6606 CVE-2023-6622 
CVE-2023-6817 CVE-2023-6932 CVE-2024-0193 CVE-2024-0340 CVE-2024-0607

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2024-12159.
More information about this advisory can be found at
https://linux.oracle.com/errata/ELSA-2024-12159.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR7 5.15.0 on
OL8 and OL9 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
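
The two steps above (check whether autoinstall is on, otherwise run the
upgrade by hand) and the follow-up check a practitioner wants afterwards
(is the CVE actually listed among the installed Ksplice updates) as one
script. This is an added example, not part of Oracle's Ksplice tooling. It
assumes uptrack.conf uses "key = value" lines with '#' comments and that
uptrack-show prints the CVE ids of installed updates; the sample config and
report text used in the checks are constructed.

```shell
#!/bin/sh
# Added example, not part of Oracle's Ksplice tooling: decide whether this
# host needs a manual uptrack-upgrade, and confirm afterwards that a CVE from
# ELSA-2024-12159 shows up in the list of installed Ksplice updates.
# Assumptions: uptrack.conf uses "key = value" lines with '#' comments, and
# uptrack-show prints one line per installed update containing its CVE ids.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# 0 if an uncommented "autoinstall = yes" is present, 1 otherwise
# (a missing or unreadable file counts as "not enabled").
uptrack_autoinstall_enabled() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# "auto" when Uptrack will apply the updates itself, "manual" otherwise.
plan_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo auto
    else
        echo manual
    fi
}

# 0 if the CVE id given as $1 appears in an uptrack-show report read on stdin.
cve_listed() {
    grep -Fq -- "$1"
}

case "$(plan_action "$UPTRACK_CONF")" in
    auto)
        echo "autoinstall = yes in $UPTRACK_CONF; Uptrack applies ELSA-2024-12159 on its own"
        ;;
    manual)
        echo "autoinstall is off or unset in $UPTRACK_CONF; run: /usr/sbin/uptrack-upgrade -y"
        if [ "${RUN_UPGRADE:-0}" = 1 ]; then
            /usr/sbin/uptrack-upgrade -y
        fi
        ;;
esac

# Post-check, only where the Uptrack client is installed.
if command -v uptrack-show >/dev/null 2>&1; then
    for cve in CVE-2023-6121 CVE-2023-6932 CVE-2023-6531; do
        if uptrack-show 2>/dev/null | cve_listed "$cve"; then
            echo "$cve: patched by Ksplice"
        else
            echo "$cve: not listed by uptrack-show"
        fi
    done
fi
```

Run it as root with RUN_UPGRADE=1 to let it perform the upgrade on a
"manual" host; without that variable it only reports what it would do. The
post-check deliberately greps for CVE ids rather than update ids, since the
ids of individual Ksplice updates are not given in this announcement.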


DESCRIPTION

* Slow loss recovery when receiving SACK for TLP retransmit.

When a SACK for a TLP retransmit is received with an RTT below the
current minimum RTT limit, slow loss recovery can occur.

Orabug: 36114420


* Note: Oracle has determined that CVE-2023-35827 is not applicable.

The kernel is not affected by CVE-2023-35827 since the code under
consideration is not compiled.


* CVE-2020-26555: Permission bypass from an unauthorized nearby 
Bluetooth device.

Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN.


* Note: Oracle has determined that CVE-2023-46343 is not applicable.

The NFC Controller Interface (NCI) implementation did not properly
handle certain memory allocation failure conditions, which could
lead to a null pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
The kernel is not affected by CVE-2023-46343 since the code under
consideration is not compiled.


* CVE-2023-6121: Out-of-bounds read in NVMe-oF/TCP subsystem.

NVMe Qualified Names (NQNs) used to identify the endpoints when setting
up a connection are not guaranteed to be NUL-terminated, leading to an
out-of-bounds read. A remote attacker can exploit this by sending a
malicious connect payload to extract sensitive information from kernel
memory.
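
The bug class described above, as an added illustration that is not code
from the kernel or from Oracle: a fixed-width NQN field copied from a connect
payload, the str*() call that runs off the end of that field when the peer
omits the terminator, and two ways to close the read. The struct layout, the
256-byte field width, the helper names and the attacker payload are
assumptions made for this example; this advisory does not say which of the
two patterns the kernel fix uses.

```c
/*
 * Added example (not kernel code): the bug class behind CVE-2023-6121.
 * An NQN field arrives from the peer at a fixed width; nothing guarantees
 * it contains a terminating NUL, so any str*() call on it can run past the
 * field. The struct layout, field width and helper names below are
 * assumptions made for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NQN_FIELD_LEN 256   /* assumed width of the on-wire NQN field */

struct connect_data {       /* hypothetical connect payload */
    char    hostnqn[NQN_FIELD_LEN];
    char    subsysnqn[NQN_FIELD_LEN];
    uint8_t trailer[16];    /* whatever happens to follow the field in memory */
};

/* Constructed attacker input: every byte of the payload is 'A', with a single
 * NUL at the very end of the trailer. That last NUL keeps the naive strlen()
 * inside the object (so this demo is well-defined) while still letting it
 * walk past the end of subsysnqn. In the kernel the bytes after the field
 * would be other heap or stack data, and the read would not stop there. */
void build_unterminated(struct connect_data *d)
{
    memset(d, 'A', sizeof *d);
    d->trailer[sizeof d->trailer - 1] = 0;
}

/* Vulnerable pattern: trusts the peer to have sent a NUL inside the field.
 * The volatile indirection stops the compiler from assuming the string fits
 * in the 256-byte array, which it may otherwise do when it sees the
 * declaration; an untrusted pointer in real code gives it no such hint. */
size_t naive_nqn_len(const struct connect_data *d)
{
    const char *volatile field = d->subsysnqn;
    return strlen(field);
}

/* Length of s, never looking at more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Hardened pattern 1: bound every read by the field width and reject a field
 * that carries no terminator at all. Returns -1 for a bad field. */
long checked_nqn_len(const struct connect_data *d)
{
    if (memchr(d->subsysnqn, '\0', NQN_FIELD_LEN) == NULL)
        return -1;
    return (long)bounded_len(d->subsysnqn, NQN_FIELD_LEN);
}

/* Hardened pattern 2: force a terminator into the last byte of each field as
 * soon as the payload is received, so later code may treat it as a C string
 * (at the cost of silently truncating a full-width name). */
void terminate_nqns(struct connect_data *d)
{
    d->hostnqn[NQN_FIELD_LEN - 1] = '\0';
    d->subsysnqn[NQN_FIELD_LEN - 1] = '\0';
}

/* Bounded comparison against an expected subsystem name: never reads more
 * than NQN_FIELD_LEN bytes of the untrusted field, terminated or not. */
int subsysnqn_matches(const struct connect_data *d, const char *expected)
{
    size_t n = bounded_len(d->subsysnqn, NQN_FIELD_LEN);
    return n == strlen(expected) && memcmp(d->subsysnqn, expected, n) == 0;
}

/* Convenience wrappers over the constructed payload. */
size_t naive_len_of_constructed(void)
{
    struct connect_data d;
    build_unterminated(&d);
    return naive_nqn_len(&d);
}

long checked_len_of_constructed(int terminate_first)
{
    struct connect_data d;
    build_unterminated(&d);
    if (terminate_first)
        terminate_nqns(&d);
    return checked_nqn_len(&d);
}

int constructed_matches(const char *expected)
{
    struct connect_data d;
    build_unterminated(&d);
    return subsysnqn_matches(&d, expected);
}

int main(void)
{
    printf("naive strlen() on an unterminated field: %zu bytes (field width %d)\n",
           naive_len_of_constructed(), NQN_FIELD_LEN);
    printf("bounded length check: %ld (rejected)\n", checked_len_of_constructed(0));
    printf("after forcing a terminator: %ld\n", checked_len_of_constructed(1));
    return 0;
}
```

The naive length comes back larger than the field itself, which is the
out-of-bounds read in miniature; the bounded variant either rejects the
field or reports at most NQN_FIELD_LEN. Forcing a terminator is the cheaper
fix to apply at the receive path, bounding every consumer is the more robust
one when the field is used in several places.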


* CVE-2023-6932: Privilege escalation in IGMP.

A race condition in the IGMP protocol implementation could lead
to a use-after-free vulnerability. A local attacker could use
this flaw to cause a denial-of-service or potentially escalate
privileges.


* Potential NULL pointer dereference in netfilter subsystem.

Between a check and the subsequent use, the socket can be detached and
one of its internal pointers set to NULL, leading to a NULL pointer
dereference. A local attacker can exploit this flaw to cause a
denial-of-service.


* CVE-2023-6531: Use-after-free in io_uring subsystem.

Garbage collection of io_uring files races with the operations of
Unix-domain sockets which use the files, leading to a use-after-free
error. A local attacker can exploit this to cause a denial-of-service
or privilege escalation.


* CVE-2023-6817: Privilege escalation in Netfilter.

The Netfilter subsystem did not properly handle inactive elements
in its PIPAPO data structure, which could lead to a use-after-free
vulnerability. A local attacker could use this flaw to cause a
denial-of-service or potentially escalate privileges.


* CVE-2023-51780: Use-after-free in the ATM networking stack.

Asynchronous Transfer Mode (ATM) ioctl calls can race with datagram
reception causing a use-after-free error. A local attacker can
exploit this to cause a denial-of-service or privilege escalation.


* Note: Oracle has determined that CVE-2023-51782 is not applicable.

ROSE ioctl calls can race with accepting a connection, causing a
use-after-free error. A local attacker can exploit this to cause
a denial-of-service or privilege escalation.

The kernel is not affected by CVE-2023-51782 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-51781 is not applicable.

AppleTalk ioctl calls can race with datagram reception causing a
use-after-free error. A local attacker can exploit this to cause
a denial-of-service or privilege escalation.

The kernel is not affected by CVE-2023-51781 since the code under
consideration is not compiled.


* CVE-2023-6606: Information disclosure in Common Internet File System.

The CIFS network file system implementation did not always
properly validate the server frame size, which could lead to
an out-of-bounds write. A local attacker could use this flaw
to cause a denial-of-service or potentially expose sensitive
information.


* CVE-2024-0193: Privilege escalation in Netfilter.

The Netfilter subsystem did not properly check deactivated elements
in some situations, which could lead to a use-after-free vulnerability.
A local attacker could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* CVE-2023-6622: Denial-of-service in Netfilter.

The Netfilter subsystem did not properly handle dynamic set expressions
provided by userspace, which could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2023-5717: Privilege escalation in the Linux kernel's Performance 
Events.

A logic error in the Linux kernel's Performance Events could lead to a
heap out-of-bounds write. A local attacker could use this flaw to cause
a denial-of-service or escalate privileges.


* CVE-2023-46813: Permission bypass when using AMD Secure Encrypted 
Virtualization.

A logic error when using AMD Secure Encrypted Virtualization could let a
local attacker have arbitrary write access to kernel memory. A local
attacker could use this flaw to cause a denial-of-service or escalate
privileges.


* CVE-2024-0607: Denial-of-service in the netfilter subsystem.

A logic error in the netfilter subsystem could lead to an
out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2023-46862: NULL pointer dereference in io_uring subsystem.

A missing check in the io_uring subsystem could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a denial-of-
service.


* CVE-2023-51779: Denial-of-service when receiving data over Bluetooth.

A locking issue when receiving data over Bluetooth could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* CVE-2024-0340: Information leak when using Vhost.

A missing zeroing of kernel memory when using Vhost could lead to an
information leak. A local attacker could use this flaw to leak
information about the running kernel and facilitate further attacks.
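
The bug class behind this entry, as an added illustration that is not the
vhost driver's code: an object is allocated without zeroing, the driver
writes only its named fields, and the whole object is copied to userspace,
so the bytes nobody wrote still hold what the allocator's previous tenant
left there. The structure, the fake allocator standing in for kmalloc and
kzalloc, and the marker byte are assumptions made for this example.

```c
/*
 * Added example (not the vhost driver's code): the bug class behind
 * CVE-2024-0340. A kernel object is allocated without zeroing, only some of
 * its bytes are set, and the whole object is copied to userspace; the bytes
 * nobody wrote (unset fields and struct padding) still hold whatever the
 * allocator's previous tenant left behind. The structure, the fake allocator
 * and the marker value are assumptions made for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply object. On common ABIs there are three padding bytes
 * after 'type' and three after 'flags', which no field assignment touches. */
struct reply_msg {
    uint8_t  type;
    uint32_t value;
    uint8_t  flags;
};

#define STALE 0xA5   /* marker standing in for a previous tenant's secret bytes */

/* A tiny "slab"; the union keeps it aligned for struct access. */
static union {
    unsigned char bytes[64];
    uint64_t      align;
} slab;

/* Stand-in for kmalloc(): hands back memory that still holds old contents. */
static void *fake_kmalloc(size_t n)
{
    if (n > sizeof slab.bytes)
        return NULL;
    memset(slab.bytes, STALE, sizeof slab.bytes);   /* "previous contents" */
    return slab.bytes;
}

/* Stand-in for kzalloc(): same memory, but zeroed before use. */
static void *fake_kzalloc(size_t n)
{
    void *p = fake_kmalloc(n);
    if (p)
        memset(p, 0, n);
    return p;
}

/* Count bytes in a userspace copy that still carry the stale marker. */
size_t stale_bytes(const unsigned char *buf, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            count++;
    return count;
}

/* Build a reply the way a driver would and "copy it to userspace".
 * Returns how many bytes of stale allocator memory reached the user. */
size_t bytes_leaked(int zero_on_alloc)
{
    struct reply_msg *r = zero_on_alloc ? fake_kzalloc(sizeof *r)
                                        : fake_kmalloc(sizeof *r);
    unsigned char user_buf[sizeof *r];

    if (!r)
        return (size_t)-1;
    r->type  = 1;              /* every named field is written ...          */
    r->value = 0x11223344;
    r->flags = 0;              /* ... but the padding bytes are not          */
    memcpy(user_buf, r, sizeof *r);   /* stands in for copy_to_user()        */
    return stale_bytes(user_buf, sizeof *r);
}

int main(void)
{
    printf("struct reply_msg is %zu bytes, %zu of them padding\n",
           sizeof(struct reply_msg), sizeof(struct reply_msg) - 6);
    printf("kmalloc-style allocation leaks %zu stale bytes to userspace\n",
           bytes_leaked(0));
    printf("kzalloc-style allocation leaks %zu stale bytes to userspace\n",
           bytes_leaked(1));
    return 0;
}
```

Allocating with a zeroing allocator (or an explicit memset of the whole
object before the fields are filled in) is the fix for this class; setting
every named field is not enough, because padding is never a named field, and
an initializer such as "= {0}" does not guarantee that padding is zeroed
either.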


* Denial-of-service when using Broadcom NetXtreme-C/E ethernet network 
driver.

An invalid transfer completion by the Broadcom NetXtreme-C/E ethernet
network driver can cause a use-after-free error. A local attacker can
exploit this to cause denial-of-service.

Orabug: 36075753


* CVE-2023-28464: Use-after-free in Bluetooth subsystem.

A double free was found in the Bluetooth subsystem when cleaning up a
connection, leading to a use-after-free error. A local attacker can
exploit this to cause a denial-of-service or privilege escalation.


* Note: Oracle has determined that CVE-2023-6111 is not applicable.

The kernel is not affected by CVE-2023-6111.


* CVE-2023-25775: Information disclosure in the Intel(R) Ethernet 
Controller RDMA driver.

A flaw in irdma allows zero-length STAGs to be programmed in hardware.
An attacker could use this flaw to access sensitive kernel information.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.