[Ksplice][Ubuntu-22.04-Updates] New Ksplice updates for Ubuntu 22.04 Jammy (USN-6725-1)

Oracle Ksplice gregory.herrero at oracle.com
Fri May 10 21:44:08 UTC 2024


Synopsis: USN-6725-1 can now be patched using Ksplice
CVEs: CVE-2023-1193 CVE-2023-1194 CVE-2023-32254 CVE-2023-32258 CVE-2023-38427 CVE-2023-38430 CVE-2023-38431 CVE-2023-3867 CVE-2023-46838 CVE-2023-52340 CVE-2023-52429 CVE-2023-52436 CVE-2023-52438 CVE-2023-52439 CVE-2023-52441 CVE-2023-52442 CVE-2023-52443 CVE-2023-52444 CVE-2023-52445 CVE-2023-52448 CVE-2023-52449 CVE-2023-52451 CVE-2023-52454 CVE-2023-52456 CVE-2023-52457 CVE-2023-52458 CVE-2023-52462 CVE-2023-52463 CVE-2023-52464 CVE-2023-52467 CVE-2023-52469 CVE-2023-52470 CVE-2023-52480 CVE-2023-52609 CVE-2023-52610 CVE-2023-52612 CVE-2023-6356 CVE-2023-6535 CVE-2023-6536 CVE-2024-22705 CVE-2024-23850 CVE-2024-23851 CVE-2024-24860 CVE-2024-26586 CVE-2024-26589 CVE-2024-26591 CVE-2024-26597 CVE-2024-26598 CVE-2024-26631 CVE-2024-26633

Systems running Ubuntu 22.04 Jammy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-6725-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 22.04
Jammy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
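The shell script below is an added example written for this page; it is
not part of the advisory and not Oracle's Ksplice tooling. It wraps the
decision described above (is autoinstall on, or must uptrack-upgrade be
run by hand?) and adds the follow-up triage a practitioner wants once the
update is in: for every CVE in this notice it reports whether a
zero-downtime update covers it, using the notes in the DESCRIPTION section
that mark some CVEs as reboot-only, still under investigation, or not
applicable. It assumes uptrack.conf consists of "key = value" lines with
"#" comments, and that you supply the list of CVE ids you have confirmed
applied (how you extract that list from your Ksplice tooling is left to
you). All demonstration input is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example for the USN-6725-1 Ksplice notice; not Oracle's tooling.
# Assumes uptrack.conf is "key = value" lines with "#" comments (any case).

# uptrack_autoinstall_enabled CONF -> 0 if the last "autoinstall" line says yes
uptrack_autoinstall_enabled() {
    [ -r "$1" ] || return 1                # missing/unreadable: assume manual
    val=$(tr 'A-Z' 'a-z' < "$1" |
          sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
          tail -n 1)                       # last assignment wins
    [ "$val" = yes ]
}

# uptrack_plan CONF -> "auto"   (Ksplice installs this update by itself)
#                   or "manual" (run /usr/sbin/uptrack-upgrade -y as root)
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then echo auto; else echo manual; fi
}

# Every CVE named in the notice header, in the same order.
USN_6725_1_CVES="
CVE-2023-1193 CVE-2023-1194 CVE-2023-32254 CVE-2023-32258 CVE-2023-38427
CVE-2023-38430 CVE-2023-38431 CVE-2023-3867 CVE-2023-46838 CVE-2023-52340
CVE-2023-52429 CVE-2023-52436 CVE-2023-52438 CVE-2023-52439 CVE-2023-52441
CVE-2023-52442 CVE-2023-52443 CVE-2023-52444 CVE-2023-52445 CVE-2023-52448
CVE-2023-52449 CVE-2023-52451 CVE-2023-52454 CVE-2023-52456 CVE-2023-52457
CVE-2023-52458 CVE-2023-52462 CVE-2023-52463 CVE-2023-52464 CVE-2023-52467
CVE-2023-52469 CVE-2023-52470 CVE-2023-52480 CVE-2023-52609 CVE-2023-52610
CVE-2023-52612 CVE-2023-6356 CVE-2023-6535 CVE-2023-6536 CVE-2024-22705
CVE-2024-23850 CVE-2024-23851 CVE-2024-24860 CVE-2024-26586 CVE-2024-26589
CVE-2024-26591 CVE-2024-26597 CVE-2024-26598 CVE-2024-26631 CVE-2024-26633
"

# Status the notice's own notes assign to each CVE:
#   live     zero-downtime update provided
#   reboot   Oracle will not live-patch it; reboot into the USN-6725-1 kernel
#   pending  Oracle is still investigating a zero-downtime fix
#   n/a      affected code is not compiled into this kernel
usn_6725_1_status() {
    case "$1" in
        CVE-2023-32258|CVE-2023-38430|CVE-2023-38431) echo reboot ;;
        CVE-2023-3867|CVE-2023-52441|CVE-2023-52442|CVE-2023-52480) echo pending ;;
        CVE-2023-52451|CVE-2023-52456|CVE-2023-52457) echo n/a ;;
        CVE-2023-52464|CVE-2023-52467|CVE-2024-26598) echo n/a ;;
        *) echo live ;;
    esac
}

# usn_6725_1_triage APPLIED_FILE
# APPLIED_FILE lists the CVE ids you have confirmed applied, one per line.
# Prints "<cve> <status> <applied|missing>" for each CVE that still needs
# attention. reboot/pending entries are always listed, because no Ksplice
# update covers them; n/a entries never are. Empty output means every
# live-patchable CVE is applied and nothing waits on a reboot or on Oracle.
usn_6725_1_triage() {
    for cve in $USN_6725_1_CVES; do
        status=$(usn_6725_1_status "$cve")
        if [ -r "$1" ] && grep -qx "$cve" "$1"; then state=applied; else state=missing; fi
        case "$status:$state" in
            live:applied|n/a:*) ;;             # done, or not relevant here
            *) echo "$cve $status $state" ;;
        esac
    done
}

# Demonstration on constructed input (temporary files, not a real host).
demo_usn_6725_1() {
    d=$(mktemp -d) || return 1
    printf 'autoinstall = no\n' > "$d/uptrack.conf"
    # pretend every live-patchable CVE except one has been applied
    for c in $USN_6725_1_CVES; do
        if [ "$(usn_6725_1_status "$c")" = live ] && [ "$c" != CVE-2023-46838 ]; then
            echo "$c"
        fi
    done > "$d/applied"
    echo "plan: $(uptrack_plan "$d/uptrack.conf")"   # manual
    usn_6725_1_triage "$d/applied"                   # 1 missing, 3 reboot, 4 pending
    rm -rf "$d"
}
demo_usn_6725_1
```

On a real host, call uptrack_plan on /etc/uptrack/uptrack.conf and run
/usr/sbin/uptrack-upgrade -y as root when it answers "manual"; then feed
the triage function the CVE ids you have confirmed applied. Note that the
triage never goes quiet until the reboot-only CVEs are dealt with by
booting the USN-6725-1 kernel, which is exactly the point: a successful
uptrack-upgrade does not close this notice by itself.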


DESCRIPTION

* XSA-448, CVE-2023-46838: Denial-of-service in Xen virtual networking stack.

A transmit request whose fragments are all zero-length can lead to a
NULL pointer dereference in the kernel's Xen network backend (netback)
driver. A malicious or buggy guest can exploit this flaw to cause a
denial-of-service of the backend domain, typically dom0.


* CVE-2023-52439: Use-after-free and double-free in Userspace IO.

A race between the open and unregister paths can lead to a
use-after-free and a double-free. A local attacker can exploit this
flaw to cause denial-of-service or aid in other types of attacks.


* Note: Oracle has determined that CVE-2023-52451 is not applicable.

While doing a memory lookup for the powerpc pseries platform, an
out-of-bounds access is possible. A local attacker could exploit
this flaw to extract sensitive information from the kernel memory
or cause denial-of-service.

The kernel is not affected by CVE-2023-52451 since the code under
consideration is not compiled.


* CVE-2023-52449: Denial-of-service in Memory Technology Device layer.

Incorrect handling of unsorted block images after creating
a partition in the memory technology device layer can lead
to a null-pointer dereference. A local attacker can exploit
this flaw to cause denial-of-service.


* CVE-2023-52448: Denial-of-service in GFS2 filesystem.

Printing a resource group from the GFS2 filesystem can lead to a
null-pointer dereference. A local attacker can exploit this flaw
to cause denial-of-service.


* CVE-2023-52445: Use-after-free in Hauppauge WinTV-PVR USB2 driver.

Disconnecting a context in pvrusb2 driver can lead to a use-after-free
error. A local attacker can exploit this flaw to cause a privilege
escalation or denial-of-service.


* CVE-2023-52470: Denial-of-service in AMD Radeon display driver.

Allocation of scanout buffers for AMD Radeon GPUs can lead to a
null-pointer dereference. A local attacker can exploit this flaw
to cause denial-of-service.


* CVE-2023-52469: Use-after-free in AMD GPU driver.

A race in the power management code of the AMD GPU driver for CIK ASICs
can lead to a use-after-free error. A local attacker can exploit this
flaw to cause a denial-of-service or aid in other types of attacks.


* Note: Oracle has determined that CVE-2024-26598 is not applicable.

During peripheral interrupt translation, incorrect refcounting by the
KVM Virtual Generic Interrupt Controller (VGIC) for ARM machines can
lead to a use-after-free. A local attacker can exploit this flaw to
cause denial-of-service or privilege escalation.

The kernel is not affected by CVE-2024-26598 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-52457 is not applicable.

Removal of an 8250 UART device will cause a memory leak and a potential
use-after-free. A local attacker can exploit this flaw to access
sensitive information from kernel memory or cause denial-of-service.

The kernel is not affected by CVE-2023-52457 since the code under
consideration is not compiled.


* CVE-2023-6356, CVE-2023-6535, CVE-2023-6536, CVE-2023-52454: Denial-of-service when using NVMe over TCP.

Incorrect handling of lengths and offsets in fields of TCP packets
by the NVMe driver could lead to a NULL pointer dereference. A remote
attacker could exploit this flaw to cause a denial-of-service by
sending specially-crafted malicious packets.


* CVE-2023-52340: Uncontrolled resource consumption in IPv6 stack.

An ICMPv6 "Packet Too Big" message from a remote host causes the kernel
to clone the matching routing-table entry. Each such message adds an
entry, so the table can be pushed past the size threshold at which the
garbage collector runs. A remote attacker who keeps sending these
messages can tie up the CPU in route handling and cause
denial-of-service.


* CVE-2024-23851, CVE-2023-52429: Missing validation in device-mapper ioctl.

The kernel device-mapper subsystem (drivers/md, alongside software RAID)
has ioctls that do not properly validate their inputs. A local user with
the CAP_SYS_ADMIN capability required to issue these ioctls can exploit
this to make the kernel attempt to allocate more than INT_MAX bytes,
which can cause a crash and denial-of-service.


* CVE-2024-22705: Information leak in kernel SMB server.

The kernel implementation of SMB server did not properly validate
request buffer sizes, which could lead to an out-of-bounds read
vulnerability. An attacker could use this vulnerability to cause
a denial-of-service or potentially obtain sensitive information.


* CVE-2023-52436: Denial-of-service in F2FS xattr.

In the F2FS filesystem, the xattr list was not explicitly
null-terminated, leading to a possible out-of-bounds access. A local
attacker can exploit this flaw to extract sensitive information from
kernel memory, or cause denial-of-service.


* CVE-2023-52438: Use-after-free in Android Binder subsystem.

A race in the binder module present in the Android IPC subsystem
could lead to a use-after-free error. A local attacker can exploit
this flaw to cause denial-of-service or privilege escalation.


* CVE-2023-52612: Out-of-bounds write when performing cryptographic compression.

A logic error when using cryptographic synchronous compression
operations could lead to a buffer overflow. A local attacker could use
this flaw to cause a denial-of-service or escalate privileges.


* CVE-2024-26633: Denial-of-service in the IP-in-IPv6 tunnel driver.

A logic error in the IP-in-IPv6 tunnel driver could lead to an
uninitialized memory access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2023-52444: Filesystem corruption in renaming on f2fs.

The f2fs filesystem rename code contains a flaw in its handling of
inodes. A malicious user might exploit this to corrupt a filesystem or
cause other misbehavior.


* CVE-2023-52609: Deadlock in Android binder with pinned mem pages.

A logic error when using Android binder could lead to a deadlock. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2023-52443: NULL-pointer dereference in AppArmor profile name.

An empty profile name for an AppArmor profile leads to a null-pointer
dereference. A local attacker may exploit this flaw to cause
denial-of-service.


* CVE-2024-26597: Out-of-bounds read when configuring RmNet MAP driver.

A larger-than-expected value for maxtype when configuring the Qualcomm
RmNet MAP driver can lead to an out-of-bounds read. A local attacker
can exploit this flaw to read sensitive information from kernel memory
or cause denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-32258.

A race condition in the kernel SMB server between close and logoff
requests can lead to a use-after-free. A remote attacker can use
this vulnerability to cause a denial-of-service or potentially
execute arbitrary code.

Oracle has determined that patching CVE-2023-32258 on a running system
would not be safe and therefore recommends rebooting affected hosts
into the newest kernel to mitigate the vulnerability.


* Note: Oracle is still investigating potential zero-downtime mitigations for CVE-2023-52441.

The kernel implementation of SMB server does not properly handle
certain SMB1 requests, which can lead to out-of-bounds access. A
remote attacker could use this to cause a denial-of-service or
potentially obtain sensitive information.

Fixes for this CVE are still undergoing analysis and testing.
A zero-downtime update may be provided at a later date.


* Note: Oracle is still investigating potential zero-downtime mitigations for CVE-2023-52480.

A race condition in the kernel SMB server between session lookup
and expire can lead to a use-after-free. A remote attacker can
use this to cause a denial-of-service.

Fixes for this CVE are still undergoing analysis and testing.
A zero-downtime update may be provided at a later date.


* Note: Oracle is still investigating potential zero-downtime mitigations for CVE-2023-3867 and CVE-2023-52442.

The kernel implementation of SMB server does not properly handle
compound requests, which can lead to out-of-bounds access. A
remote attacker could use this to cause a denial-of-service or
potentially obtain sensitive information.

Fixes for these CVEs are still undergoing analysis and testing.
A zero-downtime update may be provided at a later date.


* CVE-2023-1194, CVE-2023-38427: Out-of-bounds read in kernel SMB server.

The kernel implementation of SMB server did not properly validate
certain requests, which could lead to multiple out-of-bounds read
vulnerabilities. A remote attacker could use this to cause a
denial-of-service or potentially obtain sensitive information.


* CVE-2023-1193: Denial-of-service in kernel SMB server.

A logic error in handling certain SMB requests could lead
to a use-after-free. A remote attacker could use this to
cause a denial-of-service.


* CVE-2023-32254: Code execution in kernel SMB server.

A race condition between concurrent tree disconnect SMB requests
could lead to a use-after-free. A remote attacker could use this
vulnerability to cause a denial-of-service or potentially execute
arbitrary code.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-38430 and CVE-2023-38431.

The kernel implementation of SMB server does not properly validate
request headers, which can lead to out-of-bounds reads. A remote
attacker could use this to cause a denial-of-service or
potentially obtain sensitive information.

Oracle has determined that patching these CVEs on a running system
would not be safe and therefore recommends rebooting affected hosts
into the newest kernel to mitigate the vulnerability.


* Note: Oracle has determined that CVE-2023-52464 is not applicable.

Use of an incorrect string manipulation function in the Cavium ThunderX
memory controller (EDAC) driver could lead to an out-of-bounds write.
A local attacker could exploit this flaw to cause denial-of-service
or privilege escalation.

The kernel is not affected by CVE-2023-52464 since the code under
consideration is not compiled.


* CVE-2024-26589: Out-of-bounds access in the BPF subsystem.

A missing check in the BPF subsystem when verifying flow dissector
routines can allow out-of-bounds access. A BPF program can thus be used
to cause denial-of-service or privilege escalation.


* CVE-2024-26586: Denial-of-service in Mellanox Technologies Spectrum driver.

A logic error in Mellanox Technologies Spectrum driver could lead
to a kernel stack corruption. A local attacker could use this to
cause a denial-of-service.


* CVE-2023-52610: Denial-of-Service in the Traffic Control subsystem.

A flaw in the Traffic Control's connection tracking action could lead to
memory leaks or crash. A local unprivileged user could use this flaw
to cause a denial-of-service.


* CVE-2023-52458: Denial-of-service in the block layer.

Incorrect error checking in the kernel's block layer support when
adding or resizing a partition could lead to an IO error or null
pointer dereference. A privileged local user could use this flaw
to cause a denial-of-service.


* Note: Oracle has determined that CVE-2023-52467 is not applicable.

Insufficient error checks when using dynamically allocated memory in
Multi-Function Devices (MFD) System Control driver can lead to a NULL
pointer dereference. A local user can use this to cause denial-of-service.

The kernel is not affected by CVE-2023-52467 since the code under
consideration is not compiled.


* CVE-2024-23850: Denial-of-service in Btrfs filesystem.

The Btrfs filesystem did not properly handle read operations on newly
created subvolumes in some cases. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2023-52462: Privilege escalation in the BPF subsystem.

Incorrect logic in the BPF verifier can allow corruption of a spilled pointer
on the stack. A local attacker can potentially use this flaw to escalate
privileges.


* CVE-2024-26591: NULL pointer dereference in the BPF subsystem.

Incomplete logic in the BPF subsystem when computing a trampoline key
can lead to a NULL pointer dereference. A local attacker can use this
flaw to cause a denial-of-service.


* CVE-2024-24860: Race condition in the Bluetooth device driver.

Incorrect locking in the Bluetooth device driver interface to change the
maximum and minimum encryption key size can lead to inconsistent key size
restrictions. A privileged local attacker can potentially use this race
condition to cause a denial-of-service.


* Note: Oracle has determined that CVE-2023-52456 is not applicable.

Oracle has determined that the vulnerability does not affect a
running system since the code under consideration is not compiled.
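Six entries in this notice are marked not applicable because the affected
code is not compiled into the Ubuntu 22.04 kernel Oracle analysed. A host
running another flavour, or a self-built kernel, deserves the same check
locally. The shell functions below are an added example (not part of the
advisory and not Oracle's tooling): they read a kernel config, either
/boot/config-$(uname -r) on Ubuntu or /proc/config.gz on kernels that
expose it, and report whether a symbol is built in, a module, or off. The
CVE-to-Kconfig mapping in usn_6725_1_na_symbols is my own reading of the
upstream fixes, not something the advisory states; verify each against the
fix commit before relying on it. The config used in the demonstration is
constructed and is not a real Ubuntu config.

```sh
#!/bin/sh
# Added example; not part of the advisory or Oracle's tooling.

# kconfig_value CONFIG_FILE SYMBOL -> prints the symbol's value:
#   y / m for tristate symbols, the literal value for others,
#   n when "# SYMBOL is not set" or the symbol is absent.
# CONFIG_FILE may be a plain file or a .gz file (e.g. /proc/config.gz).
kconfig_value() {
    f="$1"; sym="$2"
    case "$f" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    val=$($reader "$f" 2>/dev/null | sed -n "s/^$sym=\(.*\)/\1/p" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo n; fi
}

# kconfig_built CONFIG_FILE SYMBOL -> 0 when the code is built in or a module.
# A module counts as built: it can be loaded, so the code is reachable.
kconfig_built() {
    case "$(kconfig_value "$1" "$2")" in
        y|m) return 0 ;;
        *)   return 1 ;;
    esac
}

# Editor's mapping (assumption, verify against each upstream fix) of the
# notice's "not applicable" CVEs to the Kconfig symbols that build the
# affected code. Several symbols on a line must all be built.
usn_6725_1_na_symbols() {
    cat <<'EOF'
CVE-2023-52451 CONFIG_PPC_PSERIES
CVE-2024-26598 CONFIG_ARM64 CONFIG_KVM
CVE-2023-52457 CONFIG_SERIAL_8250_OMAP
CVE-2023-52464 CONFIG_EDAC_THUNDERX
CVE-2023-52467 CONFIG_MFD_SYSCON
CVE-2023-52456 CONFIG_SERIAL_IMX
EOF
}

# usn_6725_1_na_check CONFIG_FILE -> one line per CVE:
#   "<cve> ruled-out"       a gating symbol is off, so the code is not built
#   "<cve> cannot-rule-out" every gating symbol is y or m; Kconfig alone
#                            does not settle it, look at the vulnerable path
usn_6725_1_na_check() {
    usn_6725_1_na_symbols | while read -r cve syms; do
        verdict=cannot-rule-out
        for s in $syms; do
            if ! kconfig_built "$1" "$s"; then verdict=ruled-out; fi
        done
        echo "$cve $verdict"
    done
}

# Demonstration on a constructed, x86-style config fragment.
demo_na_check() {
    d=$(mktemp -d) || return 1
    cat > "$d/config" <<'EOF'
CONFIG_LOCALVERSION=""
CONFIG_KVM=m
CONFIG_SERIAL_8250=y
# CONFIG_SERIAL_8250_OMAP is not set
CONFIG_MFD_SYSCON=y
CONFIG_EDAC_THUNDERX=m
EOF
    gzip -c "$d/config" > "$d/config.gz"
    usn_6725_1_na_check "$d/config"      # 4 ruled-out, 2 cannot-rule-out
    usn_6725_1_na_check "$d/config.gz"   # same answers from the .gz copy
    rm -rf "$d"
}
demo_na_check
```

"ruled-out" is the conservative direction: if the gating symbol is off,
the driver is not in the kernel image and cannot be loaded, so the CVE
does not apply. "cannot-rule-out" does not mean vulnerable; it means the
file is compiled and you need the per-function analysis Oracle performed
to go further.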


* CVE-2024-26631: Race condition in IPv6 Multicast subsystem.

Insufficient locking when destroying a device in the IPv6 Multicast
subsystem can lead to a data race. This can be used by a local user
to cause a denial-of-service or other undefined behavior.


* CVE-2023-52463: Denial-of-service in the EFI Variable filesystem.

The EFI variable filesystem does not install a SetVariable callback when
the firmware does not support it, but it can still call that callback if
the filesystem is remounted read-write. A local user can use this to
cause denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




