[Ksplice][Ubuntu-22.04-Updates] New Ksplice updates for Ubuntu 22.04 Jammy (USN-6626-1)

Fri Mar 1 05:15:03 UTC 2024

Synopsis: USN-6626-1 can now be patched using Ksplice
CVEs: CVE-2023-32250 CVE-2023-32252 CVE-2023-32257 CVE-2023-34324 CVE-2023-35827 CVE-2023-46813 CVE-2023-6039 CVE-2023-6176 CVE-2023-6622 CVE-2024-0641

Systems running Ubuntu 22.04 Jammy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-6626-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 22.04
Jammy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2023-6176: Privilege escalation in Transport Layer Security subsystem.

Incorrect error handling in the Transport Layer Security subsystem while
performing cryptographic operations in some situations could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service or potentially escalate privileges.

* Note: Oracle has determined that CVE-2023-35827 is not applicable.

The kernel is not affected by CVE-2023-35827 since the code under
consideration is not compiled.

* Note: Oracle will not provide a zero-downtime update for CVE-2023-34324.

Oracle has determined that patching CVE-2023-34324 on a running system
would not be safe and recommends a reboot.

* CVE-2023-6622: Denial-of-service in Netfilter.

The Netfilter subsystem did not properly handle dynamic set expressions
provided by userspace, which could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.

* CVE-2024-0641: Denial-of-service in TIPC protocol implementation.

The Transparent Inter Process Communication (TIPC) protocol implementation
used incorrect locking during certain operations, leading to a possible
deadlock. A local attacker could use this flaw to cause a denial-of-service.

* CVE-2023-32250, CVE-2023-32252, CVE-2023-32257: Race condition in kernel SMB server.

The kernel implementation of SMB server was vulnerable to a race condition
while handling certain session operations. A remote attacker could use
this vulnerability to cause a denial-of-service or potentially execute
arbitrary code.

* CVE-2023-46813: Permission bypass when using AMD Secure Encrypted Virtualization.

A logic error when using AMD Secure Encrypted Virtualization could let a
local attacker have arbitrary write access to kernel memory. A local
attacker could use this flaw to cause a denial-of-service or escalate
privileges.

* Note: Oracle will not provide a zero-downtime update for CVE-2023-6039.

CVE-2023-6039 affects only the Microchip LAN78XX USB Ethernet driver
and would require either CAP_NET_ADMIN privileges or physical access
for exploiting the issue.

Oracle has determined that patching CVE-2023-6039 on a running system
would not be safe and recommends a reboot for affected systems.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.