[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-3741-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Nov 1 09:19:10 PDT 2018
Synopsis: USN-3741-1 can now be patched using Ksplice
CVEs: CVE-2018-10853 CVE-2018-3620 CVE-2018-3646 CVE-2018-5390 CVE-2018-5391
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3741-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault (x86_64 only).
A flaw in terminal fault handling on Intel CPUs could result in
information leaks across privilege boundaries including between
processes on a system or between virtual machines.
Mitigations for these CVEs include disabling SMT (HyperThreading) on
affected Intel CPUs and extra L1 data cache flushing when running virtual
machines where EPT is supported. Both of these mitigations have
workload-dependent performance implications and can be tuned by the
administrator. This update will immediately enable L1 data cache
flushes on Intel CPUs if KVM is in use. Where untrusted guests are in
use it is recommended to disable SMT.
NOTE: This update is not intended to protect non-64 bit systems.
SMT disable:
/sys/devices/system/cpu/smt/control: write "on" to enable SMT, "off" to
disable SMT. Default: on.
L1D flushing:
/sys/module/kvm_intel/parameters/vmentry_l1d_flush, write:
- "never": disable L1D flushing, leaving CVE-2018-3620 unmitigated but
with no noticeable performance impact
- "cond": flush only in high-risk transfers, mitigates CVE-2018-3620
with the minimum number of flushes
- "always": flush on every VM entry, fully mitigates CVE-2018-3620
with the most overhead.
Default: "cond"
* CVE-2018-10853: Privilege escalation in guest VM when executing privileged instructions.
A missing check on privilege when executing instructions from guest
userspace could lead to a privilege escalation to guest kernel. A local
attacker could use this flaw to cause a denial-of-service.
* CVE-2018-5391: Remote denial-of-service in IP fragment handling.
A malicious remote user can use a flaw in IP fragment handling to starve
IP processing on the system causing loss of connectivity.
* CVE-2018-5390: Denial-of-service when receiving misordered TCP packets.
A malicious remote user can send large numbers of out-of-order TCP
packets, causing the local server to waste time processing its local
data structures and resulting in an effective denial-of-service.
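The following script is an added example, not part of the Ksplice advisory or Oracle's tooling. It audits the two tunables described under CVE-2018-3620 and CVE-2018-3646 (smt/control and vmentry_l1d_flush) against the advisory's guidance. The function names, the SYSROOT prefix and the yes/no "untrusted guests" argument are assumptions made for illustration, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit the two tunables named in the advisory.
# The SYSROOT prefix is a hypothetical parameter so the check can run
# against a constructed tree; pass "" to read the live /sys.

# Print a tunable's value, or "absent" when the file does not exist.
read_knob() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf 'absent'; fi
}

# l1tf_audit SYSROOT UNTRUSTED_GUESTS   (UNTRUSTED_GUESTS is yes or no)
# Returns 0 if the settings follow the advisory's guidance, 1 otherwise.
l1tf_audit() {
    sysroot=$1; untrusted=$2; rc=0
    smt=$(read_knob "$sysroot/sys/devices/system/cpu/smt/control")
    l1d=$(read_knob "$sysroot/sys/module/kvm_intel/parameters/vmentry_l1d_flush")

    case $l1d in
        cond|always) echo "OK    vmentry_l1d_flush=$l1d" ;;
        never)  echo "WARN  vmentry_l1d_flush=never: L1D flushing disabled"; rc=1 ;;
        absent) echo "INFO  vmentry_l1d_flush absent (kvm_intel not loaded or update not applied)" ;;
        *)      echo "WARN  vmentry_l1d_flush=$l1d: unexpected value"; rc=1 ;;
    esac

    if [ "$smt" = off ]; then
        echo "OK    smt/control=off"
    elif [ "$untrusted" = yes ]; then
        echo "WARN  smt/control=$smt with untrusted guests: advisory recommends off"; rc=1
    else
        echo "INFO  smt/control=$smt (no untrusted guests declared)"
    fi
    return $rc
}

# Constructed sample tree (not real system state): defaults from the advisory.
demo=$(mktemp -d)
mkdir -p "$demo/sys/devices/system/cpu/smt" "$demo/sys/module/kvm_intel/parameters"
echo on   > "$demo/sys/devices/system/cpu/smt/control"
echo cond > "$demo/sys/module/kvm_intel/parameters/vmentry_l1d_flush"
l1tf_audit "$demo" yes || echo "=> defaults are not sufficient for untrusted guests"
rm -rf "$demo"
```

On a live host, call l1tf_audit "" yes (or no) as root after the update has been applied.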
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.