[Ksplice][Ubuntu-22.04-Updates] New Ksplice updates for Ubuntu 22.04 Jammy (USN-7288-1)
Oracle Ksplice
gregory.herrero at oracle.com
Fri Mar 14 17:23:54 UTC 2025
Synopsis: USN-7288-1 can now be patched using Ksplice
CVEs: CVE-2024-40953 CVE-2024-50036 CVE-2024-50076 CVE-2024-50110 CVE-2024-50115 CVE-2024-50142 CVE-2024-50151 CVE-2024-50171 CVE-2024-50195 CVE-2024-50208 CVE-2024-50210 CVE-2024-50218 CVE-2024-50244 CVE-2024-50245 CVE-2024-50247 CVE-2024-50249 CVE-2024-50251 CVE-2024-50265 CVE-2024-50268 CVE-2024-50273 CVE-2024-50278 CVE-2024-50279 CVE-2024-50301 CVE-2024-53104
Systems running Ubuntu 22.04 Jammy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-7288-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 22.04
Jammy install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
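
A check for the autoinstall setting described above, as an added example that is not part of Oracle's advisory or tooling. The function names and the sample file are constructed for illustration, and treating only the exact value "yes" as enabled is an assumption taken from the wording of the advisory.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether a host still needs a
# manual "uptrack-upgrade -y" by reading the autoinstall key that the
# advisory names. Default path is the one given in the advisory.

# Print the effective autoinstall value, "unset", or "unreadable".
# Comment lines are ignored; the last uncommented assignment wins.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }                  # skip commented-out lines
        /^[ \t]*autoinstall[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")            # drop "autoinstall ="
            sub(/[ \t\r]+$/, "")                # drop trailing blanks / CR
            val = $0
        }
        END { print (val == "" ? "unset" : val) }
    ' "$conf"
}

# Exit status 0 when updates will NOT be installed automatically.
# Assumption: only the exact value "yes" shown in the advisory counts.
needs_manual_upgrade() {
    [ "$(uptrack_autoinstall "$1")" != "yes" ]
}

# Write a constructed sample config (made-up content) for the demo.
write_sample() {   # $1 = path, $2 = the autoinstall line to include
    printf '[Settings]\n# autoinstall = yes\n%s\n' "$2" > "$1"
}

# Demo on the constructed file; nothing is installed by this script.
tmp=$(mktemp)
write_sample "$tmp" "autoinstall = no"
if needs_manual_upgrade "$tmp"; then
    echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y"
fi
rm -f "$tmp"
```

The commented-out "# autoinstall = yes" line in the sample is deliberate: a plain grep for the string would report such a host as auto-updating when it is not.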
DESCRIPTION
* CVE-2024-50036: Privilege escalation in Networking driver.
A logic error when using the Networking driver could lead to a
use-after-free. A local attacker could use this flaw to escalate
privileges.
* CVE-2024-50076: Information leak in virtual terminal driver.
A missing initialization of allocated memory when getting font
information in the virtual console driver could lead to use of
uninitialized memory. A local attacker could use this flaw to
extract sensitive information.
* CVE-2024-50110: Information leak in Transformation user configuration interface driver.
A logic error when dumping information in the Transformation user
configuration interface driver could lead to use of uninitialized
memory. A local attacker could use this flaw to extract sensitive
information.
* CVE-2024-50115: Privilege escalation in KVM SVM driver.
A missing check when retrieving nested guest pages in the KVM SVM driver
could lead to an out-of-bounds memory access. A local attacker could use
this flaw to escalate privileges.
* CVE-2024-50142: Denial-of-service in transformation user configuration interface.
A logic error when using the transformation user configuration interface
could lead to an integer overflow. A local attacker could use this flaw
to cause a denial-of-service.
* CVE-2024-50151: Privilege escalation in SMB3 and CIFS driver.
A missing check when using the SMB3 and CIFS driver could lead to an
out-of-bounds memory access. A local attacker could use this flaw to
escalate privileges.
* CVE-2024-50195, CVE-2024-50210: Denial-of-service in dynamic POSIX clock driver.
A missing check when using the dynamic POSIX clock driver could lead to
an invalid time being set. A local attacker could use this flaw to cause
a denial-of-service or other types of attacks (since other kernel parts
or drivers may depend on the set time).
* CVE-2024-50208: Privilege escalation in Broadcom Netxtreme HCA driver.
A logic error when using the Broadcom Netxtreme HCA driver could lead to
an out-of-bounds memory access. A local attacker could use this flaw to
escalate privileges.
* CVE-2024-50218: Denial-of-service in OCFS2 file system driver.
A missing check when using the OCFS2 file system driver could lead to a
kernel assertion failure. A local attacker could use this flaw to cause
a denial-of-service.
* CVE-2024-50244: Denial-of-service in NTFS file system.
A missing check in the NTFS file system could lead to accessing an
uninitialized bitmap during the replay process. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2024-50247: Privilege escalation in NTFS file system.
A logic error in the NTFS file system could lead to an out-of-bounds
memory access. A local attacker could use this flaw to escalate privileges.
* CVE-2024-50249: Denial-of-service in ACPI subsystem.
A locking error in the Advanced Configuration and Power
Interface (ACPI) subsystem could lead to instability in
CPU performance scaling and power management functionality
during high-performance workloads or when switching power
states. A local attacker could potentially use this flaw
to cause a denial-of-service.
* CVE-2024-50251: Denial-of-service in Network packet filtering framework (Netfilter) driver.
A missing check when using the Network packet filtering framework
(Netfilter) driver could lead to a kernel assertion failure. A local
attacker could use this flaw to cause a denial-of-service.
* CVE-2024-50265: Denial-of-service in OCFS2 filesystem driver.
A logic error when setting extended attributes in the OCFS2 filesystem
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2024-50268: Information leak in UCSI driver for Cypress CCGx controllers.
A missing check in the USB Type-C Connector System Software Interface
driver for Cypress CCGx controllers could lead to an out-of-bounds
memory access. A local attacker with access to debugfs could use this
flaw to extract sensitive information.
* CVE-2024-50273: Denial-of-service in Btrfs filesystem driver.
A logic error when handling delayed reference counting in the Btrfs
filesystem driver could lead to a use-after-free. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2024-50278, CVE-2024-50279: Privilege escalation in Multiple Device Cache Target driver.
Logic errors when manipulating cache in the Multiple Device Cache Target
driver could lead to an out-of-bounds memory access. A local attacker
could use this flaw to escalate privileges.
* CVE-2024-50301: Privilege escalation in Keyring subsystem.
A missing check when checking if a key can be used in the Keyring
subsystem could lead to an out-of-bounds memory access. A local attacker
could use this flaw to escalate privileges.
* CVE-2024-53104: Code execution in USB Video Class (UVC) driver.
A missing check when using the USB Video Class (UVC) driver could lead
to an out-of-bounds memory write. A local attacker could use this flaw
to execute arbitrary code in kernel mode.
* Note: Oracle has determined that CVE-2024-40953 is not applicable.
Missing atomicity barriers in the KVM driver when using a variable to
fetch a vCPU could potentially lead to an out-of-bounds memory access.
Oracle has determined that the kernel is not affected by this vulnerability.
* Note: Oracle has determined that CVE-2024-50171 is not applicable.
A logic error in the Broadcom System Port Ethernet MAC driver could
potentially lead to a memory leak when mapping DMA buffers.
The kernel is not affected by this vulnerability since the code
under consideration is not compiled.
* Note: Oracle has determined that CVE-2024-50245 is not applicable.
A locking error in the NTFS file system could potentially lead to a deadlock.
Oracle has determined that the kernel is not affected by this vulnerability.
* Note: Oracle has determined some CVEs are not applicable.
The kernel is not affected by the following CVEs
since the code under consideration is not compiled.
CVE-2024-41066, CVE-2024-50103, CVE-2024-50168, CVE-2024-50193,
CVE-2024-50196, CVE-2024-50269, CVE-2024-50292, CVE-2024-50295,
CVE-2024-50296
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.