[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3619-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Apr 16 13:36:03 PDT 2018
Synopsis: USN-3619-1 can now be patched using Ksplice
CVEs: CVE-2015-7833 CVE-2016-3134 CVE-2016-7097 CVE-2017-0861 CVE-2017-1000407 CVE-2017-1000410 CVE-2017-11472 CVE-2017-13080 CVE-2017-15129 CVE-2017-16528 CVE-2017-16532 CVE-2017-16536 CVE-2017-16646 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-16994 CVE-2017-16995 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2017-17862 CVE-2017-18075 CVE-2017-5753 CVE-2017-7518 CVE-2018-1000026 CVE-2018-1000028 CVE-2018-5332 CVE-2018-5333 CVE-2018-5344 CVE-2018-8043
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3619-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
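To confirm that the installed Ksplice updates actually cover every CVE in a notice like this one, the following script (an added example, not Ksplice's own tooling and not part of this notice) pulls the IDs from the notice's "CVEs:" line and checks each against the output of uptrack-show. The notice excerpt and the uptrack-show output used here are constructed so the script runs offline; the exact layout of uptrack-show output is an assumption, and only the CVE identifiers in it are matched.

```shell
#!/bin/sh
# Added example: check that every CVE listed in a Ksplice notice appears in
# `uptrack-show` output. Not part of Ksplice; the sample data is constructed.

# Constructed excerpt of a notice; the "CVEs:" line is the one that matters.
SAMPLE_NOTICE='Synopsis: USN-3619-1 can now be patched using Ksplice
CVEs: CVE-2018-5333 CVE-2017-16995 CVE-2018-5344
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch'

# Constructed sample of `uptrack-show` output. The layout is an assumption;
# only the CVE identifiers are matched, so a different layout still works.
SAMPLE_UPTRACK_SHOW='Installed updates:
[a1b2c3d4] CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.
[e5f6a7b8] CVE-2017-16995: Privilege escalation in BPF 32-bit loads.

Effective kernel version is 4.4.0-119.143'

# cves_from_notice NOTICE_TEXT
# Prints the CVE IDs found on the notice's "CVEs:" line, one per line.
cves_from_notice() {
    printf '%s\n' "$1" | sed -n 's/^CVEs:[[:space:]]*//p' | tr ' ' '\n' \
        | grep -E '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# missing_cves EXPECTED_IDS SHOW_OUTPUT
# EXPECTED_IDS is a whitespace-separated list; SHOW_OUTPUT is uptrack-show text.
# Prints each expected CVE that does not appear in SHOW_OUTPUT and returns 1
# if any is missing, 0 if every expected CVE is covered.
missing_cves() {
    installed=$(printf '%s\n' "$2" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u)
    rc=0
    for cve in $1; do
        if ! printf '%s\n' "$installed" | grep -qxF "$cve"; then
            echo "$cve"
            rc=1
        fi
    done
    return $rc
}

# Offline demonstration against the constructed data. On a real host replace
# the second argument with "$(uptrack-show)" and the first with the notice text.
if missing_cves "$(cves_from_notice "$SAMPLE_NOTICE")" "$SAMPLE_UPTRACK_SHOW"; then
    echo "all CVEs from the notice are covered"
else
    echo "the CVEs listed above are not yet patched"
fi
```

With the constructed data the script reports CVE-2018-5344 as missing and exits non-zero, which is the condition you would alert on after an autoinstall window or a manual uptrack-upgrade run.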
DESCRIPTION
* CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver.
A missing check when freeing resources in Reliable Datagram Sockets
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2017-17741: Denial-of-service in kvm_mmio tracepoint.
An out-of-bounds access in the kvm_mmio tracepoint could result in a
kernel crash. A malicious guest could use this flaw to crash the
virtualization host.
* CVE-2017-16995: Privilege escalation via incorrect sign extension in the BPF verifier.
The BPF verifier incorrectly sign-extended 32-bit immediate values, so its
model of a register could differ from the value at run time. A local,
unprivileged user could use this flaw to bypass verifier checks, execute
arbitrary code and escalate privileges.
* CVE-2018-5344: Use-after-free when opening a loopback device.
A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.
* CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.
A race condition in the net namespace code could lead to a double
free and memory corruption.
* CVE-2017-17450: Missing capability check in netfilter xt_osf fingerprint handling.
A missing CAP_NET_ADMIN check in the netfilter xt_osf (passive OS
fingerprinting) code allows an unprivileged local user who can create user
and net namespaces to add or remove OS fingerprints, which are shared across
all net namespaces, without the proper permissions.
* CVE-2017-13080: Key Reinstallation Attacks (KRACK) on WPA2 protocol.
A weakness in the four-way handshake of the WPA2 protocol allows an
attacker within radio range to force nonce reuse. This could allow the
attacker to eavesdrop on encrypted communications as well as inject and
manipulate data in a WiFi stream.
* CVE-2017-16532: NULL pointer dereference when running USB tests with a crafted USB device.
A missing check when running USB tests with a USB device exposing
invalid endpoints configuration could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.
* CVE-2017-16528: Use-after-free when unbinding a MIDI sequencer device.
Failure to cancel pending work when unbinding a MIDI sequencer device could
lead to a use-after-free. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2017-16646: Denial-of-service when using DiBcom DiB0700 USB DVB devices.
Logic errors when using DiBcom DiB0700 USB DVB devices could lead to a
kernel panic. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2017-7518: Privilege escalation in KVM emulation subsystem.
An implementation error in KVM's emulation of the syscall instruction can
cause a kernel exception to be delivered to guest userspace. A user or
process inside a guest could use this flaw to potentially escalate
privileges inside the guest.
* CVE-2017-16994: Information leak when using mincore system call.
A logic error when handling huge pages in the mincore system call could
lead to an information leak. A local attacker could use this flaw to leak
information about the running kernel and facilitate a further attack.
* CVE-2017-16536: NULL pointer dereference when registering a Conexant cx231xx USB video device.
A missing check when probing a Conexant cx231xx USB video device could
lead to a NULL pointer dereference. A local attacker could use a crafted
USB device to cause a denial-of-service.
* CVE-2017-0861: Use-after-free in ALSA sound subsystem.
A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.
* CVE-2017-1000407: Denial-of-service from KVM guest on Intel processors.
A KVM guest on Intel VMX processors could flood the I/O port 0x80 with
write requests, leading to a host crash. An attacker could use this flaw
to cause a host denial-of-service from the guest.
* CVE-2017-17806: Denial-of-service in HMAC algorithms.
Invalid algorithm combinations could result in buffer overflows or other
undefined behaviour when using a keyed hash algorithm. A local,
unprivileged user could use this flaw to crash the system, or
potentially, escalate privileges.
* CVE-2017-17805: Denial-of-service in SALSA20 block cipher.
Incorrect handling of zero length buffers could result in an invalid
pointer dereference and kernel crash. A local, unprivileged user could
use this flaw to crash the system, or potentially, escalate privileges.
* CVE-2017-17558: Buffer overrun in USB core via integer overflow.
Failing to sanitize the bNumInterfaces field in a USB device descriptor
could allow a malicious device to induce a buffer overrun, potentially
causing a denial-of-service.
* CVE-2017-16914: Denial-of-service in USB over IP NULL transfer buffer handling.
A failure to correctly validate a NULL transfer buffer in the USB over
IP subsystem can result in a NULL pointer dereference, leading to a
kernel crash. A local user with access to a USB over IP device could use
this flaw to cause a denial-of-service.
* CVE-2017-17807: Permissions bypass when requesting key on default keyring.
When calling request_key() with no keyring specified, the requested key
is generated and added to the keyring even if the user does not have
write permissions.
* CVE-2017-17449: Missing permission check in netlink monitoring.
Netlink monitoring is not correctly restricted to the current network
namespace, so nlmon can be used to sniff netlink traffic from the entire
system.
* CVE-2017-18075: Denial-of-service in freeing of parallel crypto wrapper.
A logic error when freeing a parallel crypto wrapper instance can result
in an incorrect free, leading to a kernel crash or other unspecified
behaviour. A local user could use this flaw to cause a
denial-of-service.
* CVE-2018-1000028: Permission bypass when using rootsquash with NFS.
A logic error when using rootsquash feature of NFS could lead to a
permission bypass. A remote attacker could use this flaw to access
sensitive information stored on a shared filesystem.
* CVE-2015-7833: Denial-of-service when probing USBvision device.
Incorrect input validation when probing a USBvision device could lead to
out-of-bounds memory accesses and a kernel panic. A local attacker with
physical access could use a fake USB device with a handcrafted USB
descriptor to cause a denial-of-service.
* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.
A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2017-17862: Denial-of-service in BPF verifier.
Failure to verify unreachable code could result in a denial-of-service
when performing JIT compilation of a BPF program. A local, unprivileged
user could use this flaw to crash the system.
* CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.
Incorrect handling of short EFS elements in an L2CAP message could allow
an attacker to leak the contents of kernel memory.
* CVE-2017-17448: Missing capability check in nfnetlink connection tracking helper operations.
net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4
does not require the CAP_NET_ADMIN capability for new, get, and del
operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared
across all net namespaces.
* CVE-2018-1000026: Denial-of-service when receiving invalid packet on bnx2x network card.
Missing input validation when receiving an invalid packet on a bnx2x
network card could lead to a network outage. A remote attacker could use
this flaw to cause a denial-of-service.
* CVE-2017-16911: Information disclosure in USB over IP HCI status report.
A failure to correctly sanitize information reported by the kernel about
a USB over IP HCI device can result in a sensitive memory address being
disclosed to userspace. A local, unprivileged user could use this flaw
to facilitate a further attack.
* CVE-2017-11472: Kernel information leak in ACPI operand cache.
Failing to flush the ACPI operand cache could print a kernel stack dump
in the log, revealing kernel addresses to an unprivileged user.
* Improved fix to CVE-2016-3134: Memory corruption when parsing netfilter source chains.
The original upstream fix caused netfilter ruleset loading to require
several minutes, potentially causing soft-lockups.
* Improved fix to CVE-2016-7097: Group permission bypass when setting ACLs.
Multiple logic errors when setting POSIX ACLs in various filesystems could
lead to an incorrect set-group-id bit being set or cleared. A local
unprivileged user could use this flaw to access files otherwise restricted,
potentially allowing a privilege escalation.
* CVE-2017-16912, CVE-2017-16913: Denial-of-service in USBIP command validation.
A validation error when parsing information from a USB over IP packet
can result in an out-of-bounds memory access leading to a kernel crash.
A remote USB over IP client could use this flaw to cause a
denial-of-service.
* CVE-2018-8043: NULL pointer dereference when registering Broadcom UniMAC MDIO bus controller.
A missing check when registering Broadcom UniMAC MDIO bus controller
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* Improved fix for CVE-2017-5753: Speculative execution in KVM VMCS field-to-offset table.
The KVM VMCS field-to-offset table is vulnerable to a Spectre variant 1
side-channel attack. An unprivileged guest could exploit this flaw to
read arbitrary memory in the host.
Orabug: 27380831
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.