[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (OVMSA-2024-0011)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Sep 18 08:29:30 UTC 2024


Synopsis: OVMSA-2024-0011 can now be patched using Ksplice
CVEs: CVE-2021-47236 CVE-2021-47353 CVE-2022-48627 CVE-2023-52574 CVE-2023-52615 CVE-2023-52620 CVE-2023-52628 CVE-2023-52881 CVE-2023-6040 CVE-2024-26675 CVE-2024-26704 CVE-2024-26778 CVE-2024-26805 CVE-2024-26816 CVE-2024-35978 CVE-2024-36016 CVE-2024-36883 CVE-2024-36960

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle VM Security Fix Advisory, OVMSA-2024-0011.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
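The two ways of applying the updates above depend on one setting in /etc/uptrack/uptrack.conf. The following added example (not part of the advisory and not Oracle's Ksplice tooling) reads that setting from a config file and reports whether a host will pick the updates up on its own or needs a manual `uptrack-upgrade -y`. The function takes the config path as an argument so it can be exercised against constructed sample files; the real path, the comment syntax and the "last occurrence wins" rule for a repeated key are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory or from Ksplice Uptrack itself.
# Decides whether a host needs a manual `uptrack-upgrade -y` by reading the
# autoinstall key from an uptrack.conf-style file (real path assumed to be
# /etc/uptrack/uptrack.conf; a path is passed in so sample files can be used).

# Print "yes" or "no" for the effective autoinstall setting.
# Skips comment lines, tolerates surrounding whitespace and mixed-case values,
# uses the last occurrence if the key repeats (assumption), and reports "no"
# when the key or the file is missing. Always returns 0 so callers can rely on
# the printed value rather than the exit status.
uptrack_autoinstall() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo no
        return 0
    fi
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" \
            | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$value" = "yes" ]; then echo yes; else echo no; fi
}

# Print the operator action: "automatic" when Uptrack installs the updates by
# itself, "manual" when `uptrack-upgrade -y` has to be run on the host.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo automatic
    else
        echo manual
    fi
}

# Constructed sample config files (not real host data) covering the cases the
# parser must handle: enabled with odd spacing/case, disabled, and a commented-
# out key that must not count as enabled.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_AUTO="$SAMPLE_DIR/auto.conf"
SAMPLE_MANUAL="$SAMPLE_DIR/manual.conf"
SAMPLE_COMMENTED="$SAMPLE_DIR/commented.conf"
printf '# constructed sample\nautoinstall =  YES   # install without operator action\n' > "$SAMPLE_AUTO"
printf '# constructed sample\nautoinstall = no\n' > "$SAMPLE_MANUAL"
printf '# constructed sample\n# autoinstall = yes\n' > "$SAMPLE_COMMENTED"

# Report for each sample; on a real host you would call
# uptrack_action /etc/uptrack/uptrack.conf instead.
for f in "$SAMPLE_AUTO" "$SAMPLE_MANUAL" "$SAMPLE_COMMENTED" "$SAMPLE_DIR/missing.conf"; do
    printf '%s: autoinstall=%s -> %s\n' "$(basename "$f")" "$(uptrack_autoinstall "$f")" "$(uptrack_action "$f")"
done
# The sample files are left under $SAMPLE_DIR for inspection; remove it when done.
```

The parser only recognises the lowercase key `autoinstall`, which matches the spelling the advisory uses; a host whose config reports "manual" is one where the operator has to run `uptrack-upgrade -y` to get OVMSA-2024-0011 applied.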


DESCRIPTION

* CVE-2021-47236: Denial-of-service in CDC EEM driver.

A logic error when using the CDC EEM driver could lead to a memory leak.
A local attacker could use this flaw to cause a denial-of-service.

Orabug: 36806622


* CVE-2021-47353: Denial-of-service in UDF file system driver.

A missing check when setting a symlink in the UDF file system driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.

Orabug: 36806640


* CVE-2022-48627: Data corruption in virtual terminal driver.

An optimisation of a function call in the virtual terminal driver can lead
to data corruption due to copying between overlapping buffers. A local
attacker can exploit this flaw to cause a denial-of-service, corrupt
data, or aid in other types of attacks.

Orabug: 36802212


* CVE-2023-52574: Denial-of-service in Ethernet team driver.

A logic error when using the Ethernet team driver could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 36654606


* CVE-2023-52615: Denial-of-service in Hardware Random Number Generator.

A read from /dev/hwrng into memory that is mapped by another read can
lead to a deadlock. A local attacker can exploit this flaw to
cause a denial-of-service.

Orabug: 36806668


* CVE-2023-52620: Privilege escalation in the netfilter subsystem.

Incorrect parameter validation in the netfilter subsystem can
lead to a change of data structures internal to the kernel. A local
attacker could use this flaw to escalate privileges.

Orabug: 36654625


* CVE-2023-52628: Out-of-bounds access in Netfilter nf_tables exthdr subsystem.

Incorrect logic in the Netfilter nf_tables exthdr subsystem can lead to
an out-of-bounds stack write. This can potentially lead to stack corruption
and denial-of-service or information disclosure.

Orabug: 36654631


* CVE-2023-52881: Remote denial-of-service in TCP/IP networking.

A missing check when receiving an ACK in the TCP/IP networking subsystem
could lead to processing malicious packets. A remote attacker could use
this flaw to cause a denial-of-service.

Orabug: 36806731


* CVE-2023-6040: Privilege escalation in Netfilter.

The Netfilter subsystem did not properly validate network family
support while creating a new Netfilter table. A local attacker
could use this flaw to cause a denial-of-service or potentially
escalate privileges.

Orabug: 36192155


* CVE-2024-26675: Denial-of-service in PPP async serial channel driver.

A lack of a maximum size check when setting the Maximum Receive Unit using
the ppp_async ioctl can lead to an attempt to allocate an oversized socket
buffer, which would fail and thus the ioctl operation fails. A local
attacker can exploit this flaw to cause a denial-of-service.

Orabug: 36530335


* CVE-2024-26704: Denial-of-service in ext4 filesystem.

When moving extents in the ext4 filesystem, a failure to handle an
unsuccessful loop exit when calculating the moved length can lead
to a double-free and divide-by-zero error. A local attacker can
exploit this flaw to cause a denial-of-service or aid in other types
of attacks.

Orabug: 36530519


* CVE-2024-26778: Denial-of-service in S3 Savage support.

Incorrect checks on parameters passed from userspace when using S3
Savage support could lead to a kernel crash. A local attacker could use
this flaw to cause a denial-of-service.

Orabug: 36530913


* CVE-2024-26805: Information leak in Netlink driver during packet creation.

An incorrect buffer length calculation when creating new packets in
the Netlink driver causes uninitialized memory to be copied into a
packet buffer. This flaw could be exploited to leak sensitive
information from the running kernel.

Orabug: 36531057


* CVE-2024-26816: Information leak in /sys/kernel/notes for x86 systems.

An unprivileged attacker can read /sys/kernel/notes, which contains
relocations of Xen variables. As the System.map file is also readable
by an unprivileged attacker, KASLR can be bypassed since the attacker
can find out the relative offsets and combine them with the Xen
relocation address to find the address of any kernel symbol, which
can facilitate an attack, like privilege escalation.

Orabug: 36531115


* CVE-2024-35978: Denial-of-service in Bluetooth driver.

A missing free when an HCI request is completed in the Bluetooth driver
could lead to a memory leak. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 36643456


* CVE-2024-36016: Privilege escalation in GSM MUX line discipline driver.

A missing check when using GSM MUX line discipline driver could lead to
an out-of-bounds memory access. A local attacker could use this flaw to
escalate privileges.

Orabug: 36678070


* CVE-2024-36883: Denial-of-service in Networking namespace support.

A race condition when using Networking namespace support could lead to
an out-of-bounds memory access. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 36683115


* CVE-2024-36960: Information leak in DRM driver for VMware Virtual GPU.

A logic error when using the DRM driver for VMware Virtual GPU could
lead to an out-of-bounds memory read. A local attacker could use this
flaw to extract sensitive information.

Orabug: 36691531

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.