[Ksplice][Ubuntu-22.10-Updates] New Ksplice updates for Ubuntu 22.10 Kinetic (USN-6079-1)

Oracle Ksplice quentin.casasnovas at oracle.com
Thu Jul 13 08:37:47 UTC 2023


Synopsis: USN-6079-1 can now be patched using Ksplice
CVEs: CVE-2022-27672 CVE-2022-36280 CVE-2022-3707 CVE-2022-4129 CVE-2022-4842 CVE-2022-48423 CVE-2022-48424 CVE-2023-0210 CVE-2023-0394 CVE-2023-0458 CVE-2023-0459 CVE-2023-1073 CVE-2023-1074 CVE-2023-1075 CVE-2023-1078 CVE-2023-1118 CVE-2023-1513 CVE-2023-1652 CVE-2023-21102 CVE-2023-21106 CVE-2023-2162 CVE-2023-23454 CVE-2023-23455 CVE-2023-26544 CVE-2023-3161 CVE-2023-32269 CVE-2023-3358 CVE-2023-33951

Systems running Ubuntu 22.10 Kinetic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-6079-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 22.10
Kinetic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2023-1118: Use-after-free in ENE eHome Receiver/Transceiver driver.

A logic error in the ENE integrated infrared receiver/transceiver leads
to a use-after-free. A local user can use this flaw to cause
denial-of-service or escalate privileges.


* CVE-2022-36280: Out-of-bounds access in vmwgfx driver during cursor snoop.

A failure to validate cursor size data during a snoop operation can
lead to an out-of-bounds memory access.  A malicious local user could
exploit this flaw to escalate their privileges, or to cause a
denial-of-service.


* CVE-2022-48424, CVE-2022-48423: Out-of-bounds memory access in NTFS3.

Missing sanity checks in NTFS3 while parsing the MFT or while
enumerating extended attributes from an NTFS3 volume may lead to an
out-of-bounds memory access. An attacker with physical access to an
NTFS3 volume attached to the system may use this flaw for a
denial-of-service or arbitrary code execution.


* CVE-2023-23455: Denial-of-service in ATM Virtual Circuit queue operation.

A logic error during a queue operation in the sch_atm driver can result
in an invalid pointer access.  This flaw could be exploited by a local
attacker to cause a denial-of-service.


* CVE-2023-23454: Denial-of-service in CBQ packet scheduling.

When dropping a packet in Class-Based Queueing (CBQ) packet scheduling
algorithm, invalid data may be read. A local user can use this to cause
denial-of-service.


* CVE-2023-0210: Out-of-bounds memory access in SMB3 server support.

Improper buffer size parameter validation in SMB3 when processing
NTLMv2 authentication requests may lead to a heap-based buffer overflow.
An unauthenticated remote user could use this flaw for a
denial-of-service.


* CVE-2022-3707: Double-free in Intel GVT-g graphics driver.

Incorrect error handling in the Intel GVT-g graphics driver can lead to a
double free. This can allow a local user to cause denial-of-service.


* CVE-2023-0394: Denial-of-service during IPv6 raw frame processing.

An arithmetic error when processing certain IPv6 header information can
lead to a NULL pointer dereference.  A malicious local user could
exploit this flaw to cause a denial-of-service.


* CVE-2023-0458: Information leak in system calls to get and set resource limits.

A flaw in the do_prlimit() function, which is invoked by a number of system
calls to get and set resource limits, could be used to leak kernel memory
as part of a side-channel attack (such as MDS).


* CVE-2022-4842: Denial-of-service in NTFS3.

A flaw in NTFS3 when trying to punch a hole in a sparse or compressed
file could lead to a NULL pointer dereference. A local user could use
this flaw for a denial-of-service.


* CVE-2023-1075: Information disclosure in Transport Layer Security support.

A type confusion error in TLS support when checking for list emptiness
in tls_is_tx_ready() may lead to a read to an unauthorized memory
location. A local attacker could use this flaw to expose sensitive
information from the kernel.


* CVE-2023-1652: Use-after-free in NFS server support for NFS version 4.

A logic flaw in NFS server support for NFS version 4 could result in a
use-after-free. A local user could use this flaw to cause denial-of-service or
leak sensitive kernel information.


* CVE-2022-4129: Denial-of-service in Layer 2 Tunneling Protocol (L2TP).

Incorrect locking in the Layer 2 Tunneling Protocol (L2TP) can lead to a race
condition and NULL pointer dereference. A local user could use this to crash the
system leading to denial-of-service.


* CVE-2023-1073: Memory Corruption in HID subsystem.

An error in the human interface device (HID) subsystem during insertion
of a USB device can trigger memory corruption. This can allow a local
user to cause denial-of-service or escalate privileges.


* CVE-2023-1074: Memory Leak in Stream Control Transmission Protocol.

A flaw in the Stream Control Transmission Protocol (SCTP) can allow a
local user to start a malicious networking service that leaks kernel
memory. This could allow the user to starve resources leading to a
denial-of-service.


* CVE-2023-32269: Use-after-free in Netrom Sockets.

A race condition in netrom when calling accept on an already connected
socket can lead to a use-after-free. A local user could use this flaw to
cause a denial of service or elevate privileges on the system.


* CVE-2023-2162: Use-after-free during iSCSI login.

A logic error in the iSCSI login path can result in a use-after-free
error.  This flaw could be exploited by a local attacker to cause
a denial-of-service or to aid in another type of attack.


* CVE-2023-1078: Out-of-bounds memory access in Reliable Datagram Sockets.

A type confusion in RDS protocol when sending messages can lead to an
out-of-bounds memory access. A local attacker can use this flaw for a
denial-of-service or arbitrary code execution.


* CVE-2022-27672: Information disclosure due to Cross-Thread Return Address Predictions.

When SMT (simultaneous multithreading) is enabled, certain AMD processors
may speculatively execute instructions using a target from the sibling thread.
This can potentially lead to information disclosure.


* CVE-2023-1513: Information leak in KVM ioctl.

Incomplete initialization of structure returned to user during KVM's
KVM_GET_DEBUGREGS ioctl can lead to information leak. This can allow a local
user to access privileged data.


* CVE-2023-0459: Information leak during userspace access.

Improper handling of user-provided pointers can result in a kernel
information leak.  This flaw could be exploited by an attacker to leak
sensitive information and to aid in other types of attacks.


* CVE-2023-26544: Denial-of-service when parsing MFT of NTFS.

A missing check when parsing MFT (Master File Table) of NTFS filesystems
could lead to an out-of-bounds access. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2023-3358: Denial-of-service when using Intel Integrated Sensor Hub.

A missing check after allocating memory when using Intel Integrated
Sensor Hub could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2023-3161: Denial-of-service when setting font size.

A missing check when setting font size when using framebuffer could lead
to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Note: Oracle has determined that CVE-2023-21106 is not applicable.

The kernel is not affected by CVE-2023-21106 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2023-21102 is not applicable.

The kernel is not affected by CVE-2023-21102 since the code under
consideration is not compiled.


* Note: Oracle will not provide a zero-downtime update for CVE-2023-33951.

CVE-2023-33951 is a use-after-free due to a race condition in the vmwgfx
driver. This flaw allows a local privileged user to disclose
kernel information.

Oracle has determined that applying the kernel mitigation for this
vulnerability on a running system would not be safe and recommends
unloading 'vmwgfx' kernel module.

Note that an attacker must first obtain the ability to execute
high-privileged code on the target system in order to exploit this
vulnerability.
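The two actions this advisory asks of an administrator are host-dependent: the upgrade command is only needed when uptrack.conf does not already have "autoinstall = yes", and the vmwgfx workaround only matters when that module is loaded. The following script is an added example (not Oracle's or Ubuntu's code) that performs both checks as a dry run and prints the recommended action without executing it; it reads the config file and lsmod output from files so it can be exercised offline on the constructed sample data at the bottom, and the sample config contents are assumptions, not the real file.

```shell
#!/bin/sh
# Added example: decide what USN-6079-1 / this Ksplice advisory asks of a host.
# Nothing here modifies the system; it only reports the recommended action.

# autoinstall_enabled CONF_FILE -> exit 0 if the file sets "autoinstall = yes".
# Tolerates spaces or tabs around '=' and skips commented-out lines.
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# module_loaded LSMOD_FILE NAME -> exit 0 if NAME appears as a whole module name
# in the first column of lsmod output (so "vmwgfx" does not match "vmwgfx_foo").
module_loaded() {
    awk -v m="$2" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$1"
}

# advise CONF_FILE LSMOD_FILE -> print the action for each check (dry run).
advise() {
    if autoinstall_enabled "$1"; then
        echo "uptrack: autoinstall=yes, USN-6079-1 patches will install automatically"
    else
        echo "uptrack: run '/usr/sbin/uptrack-upgrade -y' to apply USN-6079-1"
    fi
    if module_loaded "$2" vmwgfx; then
        echo "vmwgfx: loaded; no live patch for CVE-2023-33951, unload with 'modprobe -r vmwgfx'"
    else
        echo "vmwgfx: not loaded; CVE-2023-33951 is not exposed on this host"
    fi
}

# --- constructed sample inputs (not taken from a real host) ---
sample_dir=$(mktemp -d)
cat > "$sample_dir/uptrack.conf" <<'EOF'
# constructed sample of /etc/uptrack/uptrack.conf
autoinstall = no
EOF
cat > "$sample_dir/lsmod.txt" <<'EOF'
Module                  Size  Used by
vmwgfx                409600  1
drm                   614400  3 vmwgfx
EOF

advise "$sample_dir/uptrack.conf" "$sample_dir/lsmod.txt"
rm -rf "$sample_dir"
```

On a live host the same functions would be pointed at /etc/uptrack/uptrack.conf and at the output of `lsmod` saved to a file; the exact-name match in module_loaded matters because a substring grep would also report unrelated modules whose names merely begin with "vmwgfx".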


* Resource leak in kernel oops handler.

A missing restriction on the number of times the kernel can oops before
crashing may lead to a leak of kernel resources such as reference counts,
locks or memory allocations. An attacker could abuse the oops handler to
cause a denial-of-service or execute arbitrary code.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
