[Ksplice][Ubuntu-22.04-Updates] New Ksplice updates for Ubuntu 22.04 Jammy (USN-6025-1)
Oracle Ksplice
quentin.casasnovas at oracle.com
Wed Apr 26 10:11:56 UTC 2023
Synopsis: USN-6025-1 can now be patched using Ksplice
CVEs: CVE-2022-4129 CVE-2022-47929 CVE-2022-4842 CVE-2023-0386 CVE-2023-0394 CVE-2023-1073 CVE-2023-1074 CVE-2023-1281 CVE-2023-1652 CVE-2023-26545
Systems running Ubuntu 22.04 Jammy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-6025-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 22.04
Jammy install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2022-47929: NULL dereference in traffic control subsystem.
Specially crafted network traffic can cause a NULL pointer dereference
in the network traffic control subsystem. This flaw could be exploited
by a malicious local user to cause a denial-of-service.
* CVE-2023-0394: NULL dereference during IPv6 raw frame processing.
An arithmetic error when processing certain IPv6 header information can
lead to a NULL pointer dereference. A malicious local user could
exploit this flaw to cause a denial-of-service.
* CVE-2023-1652: User-after-free in NFS server support for NFS version 4.
A logic flaw in NFS server support for NFS version 4 could result in a
user-after-free. A local user could use this flaw to cause denial-of-service or
leak sensitive kernel information.
* CVE-2022-4129: Denial-of-service in Layer 2 Tunneling Protocol (L2TP).
Incorrect locking in the Layer 2 Tunneling Protocol (L2TP) can lead to a race
condition and NULL pointer dereference. A local user could use this to crash the
system leading to denial-of-service.
* CVE-2023-1073: Memory Corruption in HID subsystem.
An error in the human interface device (HID) subsystem during insertion
of a USB device can trigger memory corruption. This can allow a local
user to cause denial-of-service or escalate privileges.
* CVE-2023-1074: Memory Leak in Stream Control Transmission Protocol.
A flaw in the Stream Control Transmission Protocol (sctp) can allow a
local user to start a malicious networking service that leaks kernel
memory. This could allow the user to starve resources leading to a
denial-of-service.
* CVE-2022-4842: Denial-of-service in NTFS3.
A flaw in NTFS3 when trying to punch a hole in a sparse or compressed
file could lead to a NULL pointer dereference. A local user could use
this flaw for a denial-of-service.
* CVE-2023-0386: Privilege escalation in Overlay filesystem.
A uid mapping bug in OverlayFS when copying a capable file from a nosuid
mount into another mount may allow a low-privileged user to run a binary
as root. A local unprivileged user can use this flaw to gain
administrative privileges on the system.
* CVE-2023-1281: Use-after-free in Packet Classifier based on Traffic Control Indices.
The imperfect hash area in the traffic control index filter can be
updated while packets are traversing which can lead to a use-after-free.
A local attacker can use this to escalate privileges.
* CVE-2023-26545: Use-after-free in MultiProtocol Label Switching.
Failure to overwrite a pointer value in MPLS in case of an allocation
failure during the renaming of a device may lead to a double-free. A
local attacker could use this flaw to cause a denial-of-service or
possibly execute arbitrary code.
* Resource leak in kernel oops handler.
A missing restriction on the number of times the kernel can oops before
crashing may lead to a leak of kernel resource such as reference counts,
locks or memory allocations. An attacker could abuse the oops handler to
cause a denial-of-service or execute arbitrary code.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-22.04-updates
mailing list