[Ksplice][Ubuntu-21.04-Updates] New Ksplice updates for Ubuntu 21.04 Hirsute (USN-5092-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Nov 9 16:04:39 PST 2021


Synopsis: USN-5092-1 can now be patched using Ksplice
CVEs: CVE-2021-34556 CVE-2021-35477 CVE-2021-3573 CVE-2021-3655 CVE-2021-3679 CVE-2021-37159 CVE-2021-37576 CVE-2021-38160 CVE-2021-38199 CVE-2021-38201 CVE-2021-38204 CVE-2021-38205 CVE-2021-41073

Systems running Ubuntu 21.04 Hirsute can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5092-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 21.04
Hirsute install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2021-38160: Privilege escalation in virtio-console due to a buffer overflow.

A missing sanity check in the virtio-console functionality could allow
a console client to write corrupted data to the console and cause
a buffer overflow. A local user could use this flaw for a denial of
service or privilege escalation.


* CVE-2021-3679: Denial-of-service in kernel tracing subsystem.

A logic error when constructing certain calls to the kernel tracing
subsystem may lead to a deadloop.  This may allow a privileged local
user to cause a denial-of-service.


* CVE-2021-38199: Denial-of-service in NFS due to incorrect connection-setup ordering.

An incorrect connection-setup ordering flaw in the Network File System
could allow an NFS server operator to cause a denial of service by
arranging for the server to be unreachable during trunking detection.


* Note: Oracle has determined that CVE-2021-37576 is not applicable.

The kernel is not affected by CVE-2021-37576 since the code under
consideration is not compiled.


* CVE-2021-38204: Denial-of-service in MAX3421 HCD (USB-over-SPI) support due to use-after-free.

A flaw in SPI write operations of MAX3421 HCD (USB-over-SPI) support
could lead to a use-after-free when removing a MAX-3421 USB device in
certain situations. A physically proximate attacker could use this flaw
to cause a denial-of-service.


* CVE-2021-38201: Remote denial-of-service via NFSv4 READ_PLUS operation.

A flaw in the SUNRPC XDR parsing code could allow for out-of-bounds
accesses when handling NFSv4 READ_PLUS operations. A malicious client
with the ability to mount NFS shares might exploit this to cause a
denial-of-service.


* Note: Oracle has determined that CVE-2021-38205 is not applicable.

The kernel is not affected by CVE-2021-38205 since the code under
consideration is not compiled.


* CVE-2021-37159: Code execution in Option USB High Speed Mobile device driver.

Improper error handling during device initialization in Option USB High
Speed Mobile device driver could lead to a use-after-free and a double
free. A local user could use this flaw to cause a denial-of-service or
possibly execute arbitrary code.


* CVE-2021-41073: Privilege escalation in IO uring request handling.

A local attacker could gain privileges by using IORING_OP_PROVIDE_BUFFERS
and exploiting a flaw in IO uring request handling which could lead to
freeing adjacent memory.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-34556, CVE-2021-35477.

An unprivileged BPF program can obtain sensitive information from kernel memory
via a Speculative Store Bypass side-channel attack by leveraging certain flaws
in the BPF implementation if unprivileged BPF is enabled.

Oracle has determined that patching CVE-2021-34556 and CVE-2021-35477 on
a running system would not be safe. These vulnerabilities have a medium
CVSS score of 5.5. In addition, disabling unprivileged BPF can be used
as a runtime mitigation.

Oracle recommends disabling unprivileged BPF or rebooting into the newest
kernel to mitigate these vulnerabilities.
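
To check a host against the two settings this advisory relies on, the script below (an added example, not part of Oracle's advisory) reports whether unprivileged BPF is disabled and whether Ksplice autoinstall is on. It assumes the standard Linux sysctl kernel.unprivileged_bpf_disabled and a plain "key = value" reading of uptrack.conf; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the mitigation state for CVE-2021-34556/CVE-2021-35477
# and the Ksplice autoinstall setting. Function names are hypothetical.

# Classify kernel.unprivileged_bpf_disabled as read from a file:
#   0 = unprivileged BPF allowed
#   1 = disabled, cannot be re-enabled until reboot
#   2 = disabled, but an administrator may change it again
bpf_mitigation_state() {
    f=${1:-/proc/sys/kernel/unprivileged_bpf_disabled}
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0)   echo exposed ;;
        1|2) echo mitigated ;;
        *)   echo unknown ;;
    esac
}

# Report the effective "autoinstall" value in uptrack.conf.
# Assumption: key = value lines; commented-out lines and trailing
# "# ..." comments are ignored; the last assignment wins.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo unknown; return 0; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | tail -n 1)
    case "$val" in
        yes|Yes|YES) echo yes ;;
        '')          echo unset ;;
        *)           echo no ;;
    esac
}

# Print a two-line summary; arguments override the default paths.
audit_host() {
    bpf=$(bpf_mitigation_state "$1")
    echo "unprivileged BPF (CVE-2021-34556, CVE-2021-35477): $bpf"
    echo "Ksplice autoinstall: $(uptrack_autoinstall "$2")"
    if [ "$bpf" = exposed ]; then
        # Setting the value to 1 holds until the next reboot.
        echo "mitigate with: sysctl -w kernel.unprivileged_bpf_disabled=1"
    fi
}

audit_host
```

A result of "unknown" means the file could not be read, for example on a kernel built without the BPF syscall or a host without Ksplice Uptrack installed.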


* Note: Oracle will not provide a zero-downtime update for CVE-2021-3573.

Improper handling of HCI device detach events in the Bluetooth subsystem
could lead to a use-after-free. A privileged local user could use
this flaw to cause a denial-of-service or possibly execute arbitrary
code.

CVE-2021-3573 affects only the Bluetooth subsystem and would require
CAP_NET_ADMIN privileges to exploit.

Oracle has determined that patching CVE-2021-3573 on a running system
would not be safe and therefore recommends that affected hosts be
rebooted into the newest kernel to mitigate the vulnerability.


* CVE-2021-3655: Information disclosure in the SCTP Network subsystem.

Missing input validations in the SCTP networking subsystem may lead to
reading of uninitialized data. This may allow an attacker on the local
area network to cause an information disclosure.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




