[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4094-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Aug 26 03:34:27 PDT 2019


Synopsis: USN-4094-1 can now be patched using Ksplice
CVEs: CVE-2018-1128 CVE-2018-1129 CVE-2018-13053 CVE-2018-13093 CVE-2018-13096 CVE-2018-13097 CVE-2018-13098 CVE-2018-13099 CVE-2018-13100 CVE-2018-14609 CVE-2018-14610 CVE-2018-14611 CVE-2018-14612 CVE-2018-14614 CVE-2018-14615 CVE-2018-14616 CVE-2018-14617 CVE-2018-14633 CVE-2018-16862 CVE-2018-20169 CVE-2018-20855 CVE-2018-20856 CVE-2018-3620 CVE-2018-3646 CVE-2018-5383 CVE-2018-5391 CVE-2018-5848 CVE-2019-10126 CVE-2019-1125 CVE-2019-12818 CVE-2019-12819 CVE-2019-12984 CVE-2019-13233 CVE-2019-13272 CVE-2019-2101 CVE-2019-3846

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4094-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
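After the upgrade, the check a practitioner wants is whether the host's installed Ksplice updates now cover every CVE the advisory lists. The script below is an added example, not Oracle's tooling and not part of the advisory. It assumes (the advisory does not state this) that /etc/uptrack/uptrack.conf is an INI-style file carrying an "autoinstall = yes|no" line and that `uptrack-show` prints one line per installed update containing the CVE id; the sample config and sample `uptrack-show` output it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not Oracle's code, not part of USN-4094-1): compare a host's
# Ksplice state against the CVE list in the advisory header.
#
# Assumptions, labelled as such:
#   - /etc/uptrack/uptrack.conf is INI-style with "autoinstall = yes|no"
#   - `uptrack-show` prints one line per installed update containing the
#     CVE id, e.g. "[abcd1234] CVE-2018-5391: Remote denial-of-service ..."
# The sample files written below are constructed for this example.

# CVE list copied from the advisory header.
ADVISORY_CVES="CVE-2018-1128 CVE-2018-1129 CVE-2018-13053 CVE-2018-13093
CVE-2018-13096 CVE-2018-13097 CVE-2018-13098 CVE-2018-13099 CVE-2018-13100
CVE-2018-14609 CVE-2018-14610 CVE-2018-14611 CVE-2018-14612 CVE-2018-14614
CVE-2018-14615 CVE-2018-14616 CVE-2018-14617 CVE-2018-14633 CVE-2018-16862
CVE-2018-20169 CVE-2018-20855 CVE-2018-20856 CVE-2018-3620 CVE-2018-3646
CVE-2018-5383 CVE-2018-5391 CVE-2018-5848 CVE-2019-10126 CVE-2019-1125
CVE-2019-12818 CVE-2019-12819 CVE-2019-12984 CVE-2019-13233 CVE-2019-13272
CVE-2019-2101 CVE-2019-3846"
# The advisory states there is no zero-downtime update for this CVE, so a
# reboot onto the fixed kernel is the only remedy; it is not reported as
# "missing" by the live-patch check.
NO_LIVE_PATCH="CVE-2018-1128"

# autoinstall_enabled CONF: succeed iff CONF sets autoinstall to yes.
# Comments (# or ;), surrounding whitespace and value case are ignored; the
# last assignment wins, as an INI parser would treat it.
autoinstall_enabled() {
    sed -e 's/[;#].*//' "$1" | awk -F= '
        tolower($1) ~ /^[ \t]*autoinstall[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); ans = tolower(v)
        }
        END { if (ans == "yes") exit 0; exit 1 }'
}

# installed_cves SHOWFILE: unique CVE ids mentioned in uptrack-show output.
installed_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' "$1" | sort -u
}

# missing_cves SHOWFILE: advisory CVEs with no installed Ksplice update,
# excluding those the advisory says are not live-patched at all.
missing_cves() {
    have=$(installed_cves "$1")
    for cve in $ADVISORY_CVES; do
        case " $NO_LIVE_PATCH " in *" $cve "*) continue ;; esac
        printf '%s\n' "$have" | grep -qx "$cve" || printf '%s\n' "$cve"
    done
}

# --- constructed sample inputs -------------------------------------------
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
SAMPLE_CONF_YES="$TMP/uptrack-yes.conf"
SAMPLE_CONF_NO="$TMP/uptrack-no.conf"
cat > "$SAMPLE_CONF_YES" <<'EOF'
[Settings]
# constructed sample: whitespace, mixed case and a trailing comment
autoinstall = Yes   # updates apply without operator action
EOF
cat > "$SAMPLE_CONF_NO" <<'EOF'
[Settings]
autoinstall = no
EOF

# Constructed uptrack-show output: every advisory CVE is installed except
# CVE-2019-1125 and CVE-2019-13272 (and CVE-2018-1128, which has no patch).
SAMPLE_SHOW="$TMP/uptrack-show.txt"
{
    echo "Installed updates:"
    n=0
    for cve in $ADVISORY_CVES; do
        case $cve in CVE-2018-1128|CVE-2019-1125|CVE-2019-13272) continue ;; esac
        n=$((n + 1)); printf '[x%07d] %s: constructed sample title.\n' "$n" "$cve"
    done
} > "$SAMPLE_SHOW"

if [ "${1:-}" = "--live" ]; then
    # Real host (run as root): capture uptrack-show and diff it against the advisory.
    uptrack-show > "$TMP/live.txt" && missing_cves "$TMP/live.txt"
else
    autoinstall_enabled "$SAMPLE_CONF_YES" && echo "sample conf: autoinstall on"
    echo "not covered by an installed Ksplice update:"; missing_cves "$SAMPLE_SHOW"
fi
```

Run it with no arguments to exercise the constructed samples, or with `--live` as root to compare the real `uptrack-show` output. An empty result from missing_cves means every live-patchable CVE in the advisory is covered; CVE-2018-1128 is deliberately left out of that comparison because the advisory says no zero-downtime update will be provided for it, so that one still needs a reboot onto the fixed kernel.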


DESCRIPTION

* Improved fix for CVE-2018-5391: Remote denial-of-service in IP fragment handling.

A remote attacker can use a flaw in IP fragment handling to starve IP
processing on the system, causing loss of connectivity.


* CVE-2018-13093: NULL-pointer dereference when reusing inodes in xfs.

If an XFS filesystem becomes corrupted, the local inode cache might
attempt to re-allocate in-use inodes. This can result in a deadlock or
NULL-pointer dereference and denial-of-service.


* CVE-2018-20856: Use-after-free in block device core.

A failure to initialize part of a structure in the block device allocation
path can lead to a use-after-free of certain kernel structures, which can
result in a kernel panic.  This could be used to cause a denial of service.


* CVE-2018-20855: Information leak in mlx5 Infiniband driver.

A kernel structure was not fully initialized in the mlx5 driver's user-mode
memory reservation code, which could lead to kernel stack memory being leaked to
userspace.  This flaw could be exploited by a local attacker to leak information
about the running system.


* CVE-2018-14617: Denial-of-service in HFS+ filesystem mounting.

A logic error when mounting an HFS+ filesystem could result in a NULL
pointer dereference and kernel crash.  A local user with the ability to
mount filesystems could use this flaw to crash the system with a
maliciously crafted filesystem image.


* CVE-2018-14609: NULL pointer dereference in BTRFS relocation cleanup.

A missing NULL pointer check could result in a kernel crash when
mounting a corrupted filesystem.  A user with the ability to mount
filesystems could use this flaw to crash the system with a maliciously
crafted image.


* Improved fix for CVE-2018-3620, CVE-2018-3646 (L1TF) for Xen PV guests.

Improperly sized writes to page tables by Xen PV guests can create page table
entries that are temporarily vulnerable to L1TF.


* Improved fix for CVE-2018-3620, CVE-2018-3646 (L1TF) for KVM shadow page tables.

KVM shadow PTEs for MMIO mappings are vulnerable to L1TF attacks from KVM
guests.


* CVE-2018-13099: Use-after-free in F2FS inline inodes.

Missing error checking for F2FS inline inodes could result in a
use-after-free and kernel crash.  A user with the ability to mount
filesystems could use a maliciously crafted filesystem image to crash
the system or potentially escalate privileges.


* CVE-2019-12984: NULL pointer dereference when deactivating a target in the NFC subsystem.

A missing check on user input when deactivating a target in the NFC
subsystem could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2019-12818: NULL pointer dereference when registering an NFC device.

A missing check when registering an NFC device could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-3846: Heap overflow when parsing a BSS descriptor in the Marvell WiFi-Ex driver.

A missing check on user input when parsing a BSS descriptor in the Marvell
WiFi-Ex driver could let a local attacker cause a heap overflow and a
denial-of-service.


* CVE-2019-10126: Heap overflow when parsing IEs in the Marvell WiFi-Ex driver.

A missing check when parsing information elements (IEs) in the Marvell
WiFi-Ex driver could lead to a heap overflow. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-14633: Permission bypass in SCSI authentication request process.

A logic error in the iSCSI target's processing of authentication requests
could lead to a buffer overflow. An attacker able to send authentication
requests to the target could use this flaw to expose SCSI content without
permission or crash the system.


* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.

The alarm_timer_nsleep function in the kernel timekeeping code does not
check for overflow when adding two time values together, potentially
causing undefined behavior in the kernel.


* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to an integer overflow and undefined
behavior.  A local user could use this flaw to cause memory corruption
and potentially escalate privileges.


* CVE-2018-14611: Use-after-free when reading invalid BTRFS chunk.

A failure to validate the type of a BTRFS chunk can result in a
use-after-free. A local user with the ability to mount a crafted BTRFS
filesystem could use this flaw to potentially escalate privileges.


* CVE-2018-14612: NULL pointer dereference when using btrfs image with missing group items.

A missing check when using a crafted btrfs image with an unbalanced
number of chunks and groups could lead to a NULL pointer dereference. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2018-14610: Denial-of-service due to invalid BTRFS chunk block mappings.

A failure to validate chunk and block mappings during mount of a BTRFS
filesystem can result in a kernel crash. A local user with the ability
to mount a BTRFS filesystem could use this flaw to cause a
denial-of-service.


* CVE-2018-13100: Denial-of-service when mounting a crafted F2FS image with an invalid secs_per_zone.

A missing check when mounting a crafted F2FS image with an invalid
secs_per_zone could lead to a divide by zero error. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2018-13097: Out-of-bounds access in the superblock of an F2FS filesystem.

A missing check in the code handling the superblock of an F2FS filesystem
could lead to an out-of-bounds access or a divide by zero error. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2018-14614: Out-of-bounds access when removing a dirty segment in the F2FS filesystem.

A logic error when removing a dirty segment in the F2FS filesystem could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2018-13098: Out-of-bounds read when mounting F2FS filesystem.

A failure to correctly validate inodes when mounting an F2FS filesystem can
result in an out-of-bounds read. A local user with the ability to mount an F2FS
filesystem could use this flaw to leak information from the kernel.


* CVE-2018-13096: Out-of-bounds access when mounting F2FS image.

A logic error when mounting a specially crafted F2FS image with an
abnormal bitmap size could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2018-14615: Out-of-bounds access in F2FS inode extra attribute read.

A failure to validate the length of an F2FS inode with an extra attribute can
result in an out-of-bounds memory access. A local user with the ability to
mount an F2FS filesystem could use this flaw to cause a kernel crash or
potentially information disclosure.


* CVE-2018-14616: Denial-of-service in encrypted F2FS block addressing.

A failure to correctly validate a block address when using filesystem
encryption in F2FS can result in a NULL pointer dereference, leading to a
kernel crash. A local user with the ability to mount an F2FS filesystem could
use this flaw to cause a denial-of-service.


* CVE-2018-16862: Potential memory corruption in inode truncation path.

A logic error in the memory manager's inode truncation path can lead to
an inode not being properly cleaned up.  If another file is created with
the same inode, it is possible to read old leftover data, instead of
the expected data, when attempting to read the new file.  This could
cause a system to exhibit unexpected behavior.


* CVE-2019-13272: Privilege escalation via ptrace relationship tracking.

A logic error when recording the ptrace relationship between a privileged
parent and unprivileged child process can result in the ptrace relationship
being incorrectly recorded as privileged. A local user could use this flaw to
escalate privileges or cause a denial-of-service.


* CVE-2019-13233: Use-after-free when accessing an LDT entry.

A locking error while accessing an LDT entry could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-2101: Privilege escalation in USB Video Class terminal descriptor parsing.

A failure to correctly validate information from userspace can result in a heap
overflow. A local user could use this flaw to cause a kernel crash or
potentially escalate privileges.


* CVE-2018-5383: Information disclosure via incomplete public key validation.

A failure to correctly validate elliptic curve parameters during the
Diffie-Hellman key exchange used in Bluetooth pairing may allow an attacker
to recover cryptographic secrets. An attacker with the ability to intercept
the key exchange could use this flaw to facilitate a further attack.


* CVE-2018-1129: Signature check bypass of cephx message.

An incorrect computation of a message's signature in the cephx
authentication protocol could let an attacker bypass the signature check
and alter the message payload. Note that existing ceph clients are not
protected against this CVE by the live patch and need to be restarted.


* CVE-2019-12819: Use-after-free during initialization of MDIO bus driver.

A failure to correctly handle device registration failure of the MDIO bus
driver can result in a use-after-free. A local user with the ability to
hot-plug a network device could use this flaw to cause a denial-of-service or
escalate privileges.


* CVE-2018-20169: Missing bound check when reading extra USB descriptors.

A failure to properly check the minimum and maximum size of an extra USB
descriptor in the USB sub-system could lead to reading or writing past
memory bounds.  An attacker with the ability to send specially crafted
extra descriptors from a USB device could use this flaw to escalate
privileges or cause a denial-of-service.


* Note: Oracle will not be providing a zero downtime update for CVE-2018-1128.


* KPTI enablement for Ksplice.


* CVE-2019-1125: Information leak in kernel entry code when swapping GS.

A local attacker could speculatively access per-CPU data through a
user-controlled GS base before the kernel entry code has swapped it, and
leak information about the running kernel to facilitate a further attack.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
