[El-errata] New Ksplice updates for RHCK 9 (ELSA-2024-11486)

Wed Jan 15 13:43:23 UTC 2025

Synopsis: ELSA-2024-11486 can now be patched using Ksplice
CVEs: CVE-2024-27398 CVE-2024-46697 CVE-2024-47675 CVE-2024-50110 CVE-2024-50115 CVE-2024-50124 CVE-2024-50142 CVE-2024-50179 CVE-2024-50223 CVE-2024-50255

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2024-11486.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2024-11486.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 9 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2024-27398: Denial-of-service in Bluetooth Classic (BR/EDR) features.

A missing check when using Bluetooth Classic (BR/EDR) features could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.

* CVE-2024-46697: Data corruption in NFS driver.

A logic error when encoding file attributes in the NFS driver
version 4 could lead to use of uninitialized memory. A local
attacker could use this flaw to cause data corruption.

* CVE-2024-47675: Denial-of-service in BPF tracing subsystem.

A logic error when using the BPF tracing subsystem could lead to
a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.

* CVE-2024-50110: Information leak in Transformation user configuration interface driver.

A logic error when dumping information in the Transformation user
configuration interface driver could lead to use of uninitialized
memory. A local attacker could use this flaw to extract sensitive
information.

* CVE-2024-50115: Privilege escalation in KVM SVM driver.

A missing check when retrieving nested guest pages in the KVM SVM driver
could lead to an out-of-bounds memory access. A local attacker could use
this flaw to escalate privileges.

* CVE-2024-50124: Denial-of-service in Bluetooth Low Energy driver.

A missing check when using the Bluetooth Low Energy driver could
lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.

* CVE-2024-50142: Denial-of-service in transformation user configuration interface.

A logic error when using the transformation user configuration interface
could lead to an integer overflow. A local attacker could use this flaw
to cause a denial-of-service.

* CVE-2024-50179: Denial-of-service in Ceph distributed file system driver.

A logic error when setting dirty pages in the Ceph distributed file
system driver could lead to a kernel assertion failure. A local attacker
could use this flaw to cause a denial-of-service.

* CVE-2024-50223: Denial-of-service in CFS scheduler.

A logic error when handling SIGSEGV signal in the CFS scheduler
could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.

* CVE-2024-50255: Denial-of-service in Bluetooth subsystem.

A missing check when using the Bluetooth subsystem could lead
to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.