[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4324-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Apr 9 00:32:23 PDT 2020
Synopsis: USN-4324-1 can now be patched using Ksplice
CVEs: CVE-2019-14895 CVE-2019-14896 CVE-2019-14897 CVE-2019-3016 CVE-2020-8428 CVE-2020-8992
Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4324-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
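As an added example (not part of Oracle's announcement), a POSIX shell check that reads the autoinstall setting the notice refers to and tells an operator whether uptrack-upgrade -y still has to be run by hand on a host. The config path is passed as a parameter so the check can run against a constructed sample file; the only value assumed from the notice is the real path /etc/uptrack/uptrack.conf.

```shell
#!/bin/sh
# Added example (not Ksplice's own tooling): decide whether a host still needs
# a manual "uptrack-upgrade -y" by reading the autoinstall setting from an
# uptrack.conf. The path is a parameter so a constructed sample file can be
# used; on a real system it would be /etc/uptrack/uptrack.conf.

# Print the effective value of "autoinstall" from the given config file:
# skips comment and blank lines, tolerates whitespace around "=", strips a
# trailing "# comment", lower-cases the value, and lets the last occurrence
# win so a later override is honoured. Prints nothing if the key is absent.
uptrack_autoinstall_value() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Exit status 0 when autoinstall is "yes", 1 otherwise. A missing file or a
# missing key counts as "not enabled": the safe assumption for a fleet check,
# since the host will then not pick up the USN-4324-1 updates on its own.
uptrack_autoinstall_enabled() {
    [ "$(uptrack_autoinstall_value "$1")" = "yes" ]
}

# Report the action an operator should take for this host: "auto" when Ksplice
# will install the updates itself, "manual" when "uptrack-upgrade -y" is needed.
uptrack_required_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo auto
    else
        echo manual
    fi
}

# Stand-alone use: report on the real config file (path from the notice).
# uptrack_required_action /etc/uptrack/uptrack.conf
```

Run it with the real path on each host in a fleet to list the machines that need the manual upgrade step.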
DESCRIPTION
* Improved fix for CVE-2019-14896, CVE-2019-14897: Denial-of-service when parsing BSS in Marvell 8xxx Libertas WLAN driver.
A missing check when parsing BSS in Marvell 8xxx Libertas WLAN driver
could lead to buffer overflows. A local attacker could use this flaw to
cause a denial-of-service.
* Deadlock in iSCSI if socket is never read.
If an iSCSI socket connection is created but the receive side is never
read, the system might potentially deadlock while attempting to send the
reply.
* Improved fix for CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.
A logic error when receiving Country WLAN element in Marvell WiFi-Ex
driver could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.
* CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
A race condition when performing a paravirtualized TLB flush could
result in stale mappings in a KVM guest potentially allowing processes
access to pages from other processes. A local unprivileged user could
use this flaw to crash the system or, potentially, escalate privileges.
* Memory leak when registering network sysfs attributes.
Logic errors when registering network sysfs attributes could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.
* NULL pointer dereference when using USB Pegasus/Pegasus-II based ethernet device.
A missing check when using USB Pegasus/Pegasus-II based ethernet device
could lead to NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.
* CVE-2020-8428: Use-after-free in filesystem directory handling.
A logic error in filesystem directory handling could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.
* NULL pointer dereference when connecting to CCITT X.25 Packet Layer socket.
A logic error when connecting to CCITT X.25 Packet Layer socket could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.
* Use-after-free in TCP Sack code.
A logic error in TCP Sack code could lead to a use-after-free. A remote
attacker could use this flaw to cause a denial-of-service.
* Denial-of-service when getting packets from userspace buffer in TUN driver.
A logic error when getting packets from userspace buffer in TUN driver
could lead to a use-after-free or a deadlock. A local attacker could use
this flaw to cause a denial-of-service.
* NULL pointer dereference when opening USB IR Dongle Serial.
A missing check when opening USB IR Dongle Serial could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.
* Memory leak when using network extended matches.
A missing check when using network extended matches could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.
* Use-after-free when releasing resources in userspace cryptographic algorithm.
A locking error when releasing resources in userspace cryptographic
algorithm could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.
* Use-after-free when releasing Intel Resource Director Technology driver.
A logic error when releasing Intel Resource Director Technology driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.
* Out-of-bounds access when setting memory policy for a tmpfs mount.
A logic error when setting memory policy for a tmpfs mount could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Memory leak when unmounting reiser file system.
A missing free of resources when unmounting reiser file system could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.
* Use-after-free when releasing a Bluetooth HCI socket.
A locking error when releasing a Bluetooth HCI socket could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.
* Use-after-free when removing i2c Silicon Labs Si470x FM Radio Receiver.
A logic error when removing i2c Silicon Labs Si470x FM Radio Receiver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.
* Denial-of-service in TKIP wireless implementation.
A missing check when using TKIP wireless implementation could let a
remote attacker use replay attack to cause a denial-of-service.
* Information leak in Cisco/Aironet 34X/35X/4500/4800 ioctl handling.
A missing zeroing of allocated memory in Cisco/Aironet 34X/35X/4500/4800
ioctl handling could lead to an information leak. A local attacker could
use this flaw to leak information about running kernel and facilitate an
attack.
* Information leak when using Cisco/Aironet 34X/35X/4500/4800 ioctls.
A missing check on capabilities when using Cisco/Aironet
34X/35X/4500/4800 ioctls could lead to a leak of the WEP key. A local
attacker could use this flaw to leak the WEP key of an associated access
point.
* Denial-of-service when exiting System V IPC.
A locking error when exiting System V IPC could be triggered by a local
attacker to cause a denial-of-service.
* NULL pointer dereference when handling a frame in High-availability Seamless Redundancy driver.
A missing check when handling a frame in High-availability Seamless
Redundancy driver could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.
* Out-of-bounds access when classifying network packets with traffic control index.
A logic error when classifying network packets with traffic control
index could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.
* Memory leak when registering USB Broadcom IEEE802.11n embedded FullMAC WLAN driver.
A missing free of resources when registration of the USB Broadcom
IEEE802.11n embedded FullMAC WLAN driver fails could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.
* Use-after-free when unregistering cryptographic API 2.
A missing check when unregistering cryptographic API 2 could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.
* Use-after-free when removing LTC2941/LTC2943 Battery Gauge i2c device.
A logic error when removing LTC2941/LTC2943 Battery Gauge i2c device
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.
* NULL pointer dereference when using Benbi IV crypto in device mapper.
A logic error when using Benbi IV crypto in device mapper could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.
* Denial-of-service when committing transaction in btrfs fails.
Failure to properly clean up after an attempt to commit a transaction
fails in the btrfs filesystem could cause a NULL pointer dereference. An
attacker could exploit this bug to cause a denial-of-service.
* Information leak when running a VM in emulation mode (Spectre v1).
A Spectre v1-type gadget when running a VM in emulation mode in the KVM
subsystem could allow a user to read privileged kernel memory. An
attacker could exploit this bug to escalate privilege.
* Speculative execution in KVM when reading or writing debug register.
Array access for the debug register is missing protection against a
Spectre v1-type attack. An attacker with the KVM_CAP_DEBUGREGS capability
could exploit this flaw to read kernel memory and possibly escalate
privilege.
* Information leak when writing to APIC register in KVM.
Array access when writing to local APIC register in KVM is missing
protection against Spectre v1-type attack. An attacker could exploit
this bug to disclose privileged kernel information.
* Information leak when accessing crash data in Hyper-V guest.
Array access for the crash MSR is missing protection against a Spectre
v1-type attack. An attacker could exploit this bug to leak privileged
kernel information.
* Information leak when accessing IOAPIC register in KVM.
Array access for IOAPIC register is missing protection against Spectre
v1-type attack. An attacker could exploit this bug to read privileged
kernel memory.
* Information leak when reading performance counter in KVM.
Array access for the performance counter is missing protection against a
Spectre v1-type attack. An attacker could exploit this to read
privileged kernel memory.
* Information leak when reading MCE registers in KVM.
Array access when reading Machine Check Exception register is missing
protection against Spectre v1-type attack. An attacker could exploit this
bug to read privileged kernel memory.
* Denial-of-service when transmitting packet through ALB bond.
Incorrect header offset calculation when transmitting IPX packet through
ALB (Adaptive Load Balancing) bond leads to a use-after-free. An
attacker could exploit this bug to cause a denial-of-service.
* Information leak when accessing performance counter in KVM.
Array access when reading performance counter register in KVM is missing
protection against Spectre v1-type attack. An attacker with privilege to
read performance counter could exploit this bug to read sensitive kernel
memory.
* Denial-of-service when querying WMM status in mwifiex driver.
If an AP sends a malicious query to the station for WMM status, a buffer
overflow could occur. If an attacker can compromise the AP, this bug
could be triggered to cause a denial-of-service.
* Denial-of-service when scanning for APs in mwifiex driver.
Failing to validate a user-defined length parameter could cause an
out-of-bounds memory access while scanning for APs in the mwifiex driver.
An attacker could exploit this bug to cause a denial-of-service.
* Information leak when writing to interrupt controller in KVM.
Array access when writing to PIC device in KVM is missing protection
against Spectre v1-type attack. An attacker could exploit this flaw to
leak privileged kernel memory.
* Invalid memory accesses when using raw sockets with GTP.
A missing check when using raw sockets with GTP could lead to usage of
uninitialized memory. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free when using invalid MTU in TCP/IP protocol suite.
A missing check when using invalid MTU in TCP/IP protocol suite could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.
* Memory leak in RPCSEC_GSS server authentication driver.
A wrong expiry time when using RPCSEC_GSS server authentication driver
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.
* Information leak in KVM MSR index computation using Spectre v1.
A missing check in KVM MSR index computation could lead to an
information leak using a Spectre v1-type attack. A local attacker could
use this flaw to leak information about the running kernel and facilitate
an attack.
* NULL pointer dereference in UBI Fastmap driver.
A logic error in UBI Fastmap driver could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a denial-of-
service.
* Memory leak when setting traffic control index for network scheduler.
A logic error when setting the traffic control index for the network
scheduler fails could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.
* CVE-2020-8992: Deadlock with too big journal size on ext4 filesystem.
Using a too big journal size on ext4 filesystem could lead to a
deadlock. A local attacker could use a specially crafted ext4 filesystem
to cause a denial-of-service.
* Memory leak when using btrfs ref verify tool.
A missing free of resources when use of the btrfs ref verify tool fails
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.
* NULL pointer dereference when a user modifies queue pairs in Infiniband driver.
A logic error when a user modifies queue pairs in the Infiniband driver
could lead to a NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.
* Use-after-free during Network File System readdir.
A logic error when using readdir in Network File System could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.
* Use-after-free when adding and removing tree element in btrfs.
A locking error when adding and removing tree element in btrfs could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.
* Out-of-bounds access when using IPv4 Resource Reservation Protocol.
A logic error when using IPv4 Resource Reservation Protocol could lead
to out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.
* Use-after-free when using NFS with page cache.
A logic error when using NFS with page cache could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.