[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4115-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Sep 24 00:10:59 PDT 2019


Synopsis: USN-4115-1 can now be patched using Ksplice
CVEs: CVE-2018-19985 CVE-2018-20784 CVE-2019-0136 CVE-2019-10124 CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-11486 CVE-2019-11487 CVE-2019-11599 CVE-2019-11810 CVE-2019-12382 CVE-2019-13631 CVE-2019-14283 CVE-2019-14284 CVE-2019-15090 CVE-2019-15211 CVE-2019-15212 CVE-2019-15213 CVE-2019-15214 CVE-2019-15215 CVE-2019-15216 CVE-2019-15218 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292 CVE-2019-3701 CVE-2019-3819 CVE-2019-3900 CVE-2019-5489 CVE-2019-9506

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4115-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
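As an added example (not part of the Oracle advisory), a POSIX shell script that follows the two install paths above: it reads the autoinstall key from /etc/uptrack/uptrack.conf and runs /usr/sbin/uptrack-upgrade -y only when automatic installation is not enabled. The parsing rules (comment lines, whitespace, key case, last occurrence wins) and the UPTRACK_CONF / UPTRACK_UPGRADE overrides are assumptions of this script, not Ksplice documentation.

```shell
#!/bin/sh
# Added example: decide whether this Ksplice Uptrack host needs a manual
# uptrack-upgrade run for USN-4115-1 or whether autoinstall will do it.
# Config path, key and command come from the advisory; the rest is assumed.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
UPTRACK_UPGRADE="${UPTRACK_UPGRADE:-/usr/sbin/uptrack-upgrade}"

# uptrack_conf_get FILE KEY: print the effective value of KEY in an
# INI-style file. Comment lines (# or ;) are skipped, the key match is
# case-insensitive, whitespace is trimmed, the last occurrence wins.
uptrack_conf_get() {
    conf="$1"
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -r "$conf" ] || return 1          # unreadable file: nothing printed
    awk -v key="$key" '
        /^[ \t]*[#;]/       { next }    # commented-out setting
        index($0, "=") == 0 { next }    # not a "key = value" line
        {
            name  = substr($0, 1, index($0, "=") - 1)
            value = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (tolower(name) == key) { last = value; seen = 1 }
        }
        END { if (seen) print last }' "$conf"
}

# uptrack_autoinstall_enabled FILE: exit 0 only when "autoinstall = yes"
# (the value the advisory names) is the effective setting.
uptrack_autoinstall_enabled() {
    val=$(uptrack_conf_get "$1" autoinstall | tr '[:upper:]' '[:lower:]')
    [ "$val" = "yes" ]
}

# ksplice_update_action: "autoinstall" when Uptrack will install the
# updates on its own, "manual" when uptrack-upgrade must be run by hand.
ksplice_update_action() {
    if uptrack_autoinstall_enabled "$UPTRACK_CONF"; then
        echo autoinstall
    else
        echo manual
    fi
}

# Only touch the system when invoked as: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ] && [ "$(ksplice_update_action)" = manual ]; then
    "$UPTRACK_UPGRADE" -y
fi
```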


DESCRIPTION

* CVE-2018-19985: Out-of-bounds memory access in USB High Speed Mobile device driver.

A missing length check in the hso_probe() function can lead to an
out-of-bounds memory access.  This could cause a system to exhibit
unexpected behavior.


* CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.

A missing check in some Bluetooth drivers could lead to a NULL
pointer dereference triggered by an unprivileged user while executing
certain tty operations.  This could be exploited to cause a
denial-of-service.


* CVE-2019-3701: Denial-of-service in CAN controller.

Missing sanity checking in the Controller Area Network driver can allow
a malicious user to write arbitrary bits into the CAN device's I/O
memory, resulting in a system crash and denial-of-service.


* CVE-2019-3819: Deadlock in HID debug events read.

A logic error when reading HID debug events can result in the kernel entering
an infinite loop, leading to a system lock up. A privileged user could use this
flaw to cause a denial-of-service.


* CVE-2019-10124: Denial-of-service when soft offlining a transparent huge page.

A refcount error when soft offlining a transparent huge page could lead
to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2019-11810: Denial-of-service in LSI Logic MegaRAID probing.

A logic error in the LSI Logic MegaRAID device probing could result in a
NULL pointer dereference and kernel crash under specific conditions.


* CVE-2019-11486: Denial-of-service in Siemens R3964 line discipline driver.

Multiple race conditions in the r3964 line discipline driver could be
exploited to cause a denial-of-service.

This update disables the r3964 line discipline driver.


* CVE-2019-5489: Information leak in the mincore() syscall implementation.

Missing checks in the mincore() syscall could let a local attacker
observe the page cache access patterns of other processes on the
system, leading to an information leak.


* CVE-2019-13631: Denial-of-service in GTCO CalComp/InterWrite tablet.

Missing range checks could allow an out-of-bounds stack memory write
when parsing USB descriptors.  A physically present user could use a
malicious device to trigger an out-of-bounds access leading to a kernel
crash.


* CVE-2019-12382: Denial-of-service in DRM firmware loading.

Incorrect error handling could result in a NULL pointer dereference and
crash when loading firmware under low memory conditions.


* CVE-2019-11487: Invalid memory access when overflowing a page refcount.

A reference count issue could let an attacker overflow the reference count
for a page and lead to invalid memory accesses. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2019-11599: Information leak in the coredump implementation.

A locking error in the coredump implementation could let an attacker
leak sensitive information or cause a denial-of-service.


* CVE-2019-14284: Denial-of-service in floppy disk formatting.

A division by zero in the setup_format_params() function of the floppy
disk driver could result in a kernel crash.  A local user with access to
the floppy disk device could use this flaw to crash the system.


* CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.

Missing input validation in the floppy disk geometry setting calls could
allow a malicious local user with access to the floppy device to cause
an out-of-bounds access either crashing the system or leaking the
contents of kernel memory.


* CVE-2019-15212: Denial-of-service when plugging in a malicious USB device.

Unsynchronized access to a global variable in the rio500 driver leads to
a memory leak and a kernel crash. A malicious USB device could trigger
this vulnerability to cause a denial-of-service.


* CVE-2019-15214: Use-after-free when connecting ALSA cards.

A race condition when connecting an ALSA sound device could result in
prematurely freeing associated data structures. A malicious device might
exploit this to cause a denial-of-service or memory corruption.


* CVE-2019-15213: Denial-of-service when removing a USB DVB device.

A use-after-free when releasing a USB DVB device could lead to a kernel
crash. An attacker could exploit this to cause a denial-of-service by
plugging in a malicious USB device.


* CVE-2019-15215: Denial-of-service when disconnecting CPiA2 USB camera.

A use-after-free vulnerability in the V4L2 interface for the CPiA2 USB
camera allows a malicious USB device to crash the kernel. An attacker
could exploit this to cause a denial-of-service.


* CVE-2019-15216: Use-after-free when removing a USB Yurex device.

A logic error when removing a USB Yurex device could lead to a
use-after-free. A local attacker could use this flaw to cause a
denial-of-service.


* Invalid memory access when using AES-GMAC in the IEEE 802.11 driver.

Use of on-stack variables when using AES-GMAC in the IEEE 802.11 driver
could lead to an invalid memory access or a kernel assert. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2019-0136: Denial-of-service in Intel(R) wifi driver.

Insufficient access control in the Intel(R) PROSet/Wireless WiFi driver
may allow an unauthenticated user in the same network to cause a
denial-of-service.


* CVE-2019-15090: Kernel information leak in QLogic iSCSI driver.

Incorrectly copying kernel memory into a log message in the QLogic iSCSI
driver could leak privileged information to userspace. A local attacker
could exploit this to escalate privilege.


* CVE-2019-15218: Denial-of-service during initialization of an smsusb device.

A NULL pointer dereference in the smsusb driver initialization path
leads to a general protection fault. A local user with physical access
could exploit this to cause a denial-of-service by plugging in a
maliciously crafted USB device.


* CVE-2019-15221: Out-of-bounds write in Line6 POD USB audio interface driver.

The driver for Line6 POD USB audio interfaces allocates a buffer based
on the usb_maxpacket value reported by the device itself. A malicious
device could report a value of zero to cause an out-of-bounds write,
potentially resulting in memory corruption.


* CVE-2018-20784: Denial-of-service in task scheduling.

A logic error in the kernel task scheduler could result in an infinite
loop under high load conditions.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* CVE-2019-9506: Information disclosure when transmitting over Bluetooth.

The Bluetooth BR/EDR specification permits a sufficiently low encryption
key length and does not prevent an attacker from influencing the key length
negotiation. This allows practical brute-force attacks (aka "KNOB") that can
decrypt traffic and inject arbitrary ciphertext without the victim noticing.

This update is the kernel-side fix, which disallows arbitrarily short
encryption keys. However, the actual bug is in the protocol, so we
encourage customers to also upgrade the firmware on their Bluetooth
devices.


* Note: Oracle will not provide a zero-downtime update for CVE-2019-15292.

The vulnerability only affects module unloading, which is a privileged
operation.


* Note: Oracle will not provide a zero-downtime update for CVE-2019-15220.

The vulnerability is in firmware loading, which is a privileged
operation. Triggering it also requires user interaction and physical
access to the system.


* Note: Oracle will not provide a zero-downtime update for CVE-2019-15211.


* Note: Oracle will not provide a zero-downtime update for CVE-2019-10638.


* Note: Oracle will not provide a zero-downtime update for CVE-2019-10639.


* Note: Oracle will not provide a zero-downtime update for CVE-2019-3900.



SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
