[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4324-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Apr 9 00:32:23 PDT 2020


Synopsis: USN-4324-1 can now be patched using Ksplice
CVEs: CVE-2019-14895 CVE-2019-14896 CVE-2019-14897 CVE-2019-3016 CVE-2020-8428 CVE-2020-8992

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4324-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Improved fix for CVE-2019-14896, CVE-2019-14897: Denial-of-service when parsing BSS in Marvell 8xxx Libertas WLAN driver.

A missing check when parsing BSS in Marvell 8xxx Libertas WLAN driver
could lead to buffer overflows. A local attacker could use this flaw to
cause a denial-of-service.


* Deadlock in iSCSI if socket is never read.

If an iSCSI socket connection is created but the receive side is never
read, the system might potentially deadlock while attempting to send the
reply.


* Improved fix for CVE-2019-14895: Denial-of-service when receiving Country WLAN element in Marvell WiFi-Ex driver.

A logic error when receiving Country WLAN element in Marvell WiFi-Ex
driver could lead to an invalid memory access. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.

A race condition when performing a paravirtualized TLB flush could
result in stale mappings in a KVM guest, potentially allowing processes
access to pages from other processes. A local unprivileged user could
use this flaw to crash the system or potentially escalate privileges.


* Memory leak when registering network sysfs attributes.

Logic errors when registering network sysfs attributes could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* NULL pointer dereference when using USB Pegasus/Pegasus-II based ethernet device.

A missing check when using USB Pegasus/Pegasus-II based ethernet device
could lead to NULL pointer dereference. A local attacker could use this
flaw to cause a denial-of-service.


* CVE-2020-8428: Use-after-free in filesystem directory handling.

A logic error in filesystem directory handling could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* NULL pointer dereference when connecting to CCITT X.25 Packet Layer socket.

A logic error when connecting to CCITT X.25 Packet Layer socket could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Use-after-free in TCP SACK code.

A logic error in TCP SACK code could lead to a use-after-free. A remote
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service when getting packets from userspace buffer in TUN driver.

A logic error when getting packets from userspace buffer in TUN driver
could lead to a use-after-free or a deadlock. A local attacker could use
this flaw to cause a denial-of-service.


* NULL pointer dereference when opening USB IR Dongle Serial.

A missing check when opening USB IR Dongle Serial could lead to a NULL
pointer dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when using network extended matches.

A missing check when using network extended matches could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Use-after-free when releasing resources in userspace cryptographic algorithm.

A locking error when releasing resources in userspace cryptographic
algorithm could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Use-after-free when releasing Intel Resource Director Technology driver.

A logic error when releasing Intel Resource Director Technology driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Out-of-bounds access when setting memory policy for a tmpfs mount.

A logic error when setting memory policy for a tmpfs mount could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Memory leak when unmounting reiser file system.

A missing free of resources when unmounting reiser file system could
lead to a memory leak. A local attacker could use this flaw to exhaust
kernel memory and cause a denial-of-service.


* Use-after-free when releasing a Bluetooth HCI socket.

A locking error when releasing a Bluetooth HCI socket could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* Use-after-free when removing i2c Silicon Labs Si470x FM Radio Receiver.

A logic error when removing i2c Silicon Labs Si470x FM Radio Receiver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service in TKIP wireless implementation.

A missing check when using TKIP wireless implementation could let a
remote attacker use a replay attack to cause a denial-of-service.


* Information leak in Cisco/Aironet 34X/35X/4500/4800 ioctl handling.

A missing zeroing of allocated memory in Cisco/Aironet 34X/35X/4500/4800
ioctl handling could lead to an information leak. A local attacker could
use this flaw to leak information about the running kernel and facilitate
an attack.


* Information leak when using Cisco/Aironet 34X/35X/4500/4800 ioctls.

A missing check on capabilities when using Cisco/Aironet
34X/35X/4500/4800 ioctls could lead to a leak of the WEP key. A local
attacker could use this flaw to leak the WEP key of an associated access
point.


* Denial-of-service when exiting System V IPC.

A locking error when exiting System V IPC could lead to a
denial-of-service. A local attacker could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when handling frame in High-availability Seamless Redundancy driver.

A missing check when handling frame in High-availability Seamless
Redundancy driver could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.


* Out-of-bounds access when classifying network packets with traffic control index.

A logic error when classifying network packets with traffic control
index could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* Memory leak when registering USB Broadcom IEEE802.11n embedded FullMAC WLAN driver.

A missing free of resources when registration of the USB Broadcom
IEEE802.11n embedded FullMAC WLAN driver fails could lead to a memory
leak. A local attacker could use this flaw to exhaust kernel memory and
cause a denial-of-service.


* Use-after-free when unregistering cryptographic API 2.

A missing check when unregistering cryptographic API 2 could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* Use-after-free when removing LTC2941/LTC2943 Battery Gauge i2c device.

A logic error when removing LTC2941/LTC2943 Battery Gauge i2c device
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.


* NULL pointer dereference when using Benbi IV crypto in device mapper.

A logic error when using Benbi IV crypto in device mapper could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Denial-of-service when committing transaction in btrfs fails.

Failure to properly clean up after an attempt to commit a transaction
fails in the btrfs filesystem could cause a NULL pointer dereference. An
attacker could exploit this bug to cause a denial-of-service.


* Information leak when running a VM in emulation mode (Spectre v1).

A spectre v1-type gadget when running a VM in emulation mode in the KVM
subsystem could allow a user to read privileged kernel memory. An
attacker could exploit this bug to escalate privilege.


* Speculative execution in KVM when reading or writing debug register.

Array access for debug register is missing protection against Spectre
v1-type attack. An attacker with KVM_CAP_DEBUGREGS capability could
exploit this flaw to read kernel memory and possibly escalate privilege.


* Information leak when writing to APIC register in KVM.

Array access when writing to local APIC register in KVM is missing
protection against Spectre v1-type attack. An attacker could exploit
this bug to disclose privileged kernel information.


* Information leak when accessing crash data in Hyper-V guest.

Array access for crash MSR is missing protection against Spectre v1
type attack. An attacker could exploit this bug to leak privileged
kernel information.


* Information leak when accessing IOAPIC register in KVM.

Array access for IOAPIC register is missing protection against Spectre
v1-type attack. An attacker could exploit this bug to read privileged
kernel memory.


* Information leak when reading performance counter in KVM.

Array access for performance counter is missing protections against
Spectre v1-type attack. An attacker could exploit this to read
privileged kernel memory.


* Information leak when reading MCE registers in KVM.

Array access when reading Machine Check Exception register is missing
protection against Spectre v1-type attack. An attacker could exploit this
bug to read privileged kernel memory.


* Denial-of-service when transmitting packet through ALB bond.

Incorrect header offset calculation when transmitting IPX packet through
ALB (Adaptive Load Balancing) bond leads to a use-after-free. An
attacker could exploit this bug to cause a denial-of-service.


* Information leak when accessing performance counter in KVM.

Array access when reading performance counter register in KVM is missing
protection against Spectre v1-type attack. An attacker with privilege to
read performance counter could exploit this bug to read sensitive kernel
memory.


* Denial-of-service when querying WMM status in mwifiex driver.

If an AP sends a malicious query to the station for WMM status, a buffer
overflow could occur. If an attacker can compromise the AP, this bug
could be triggered to cause a denial-of-service.


* Denial-of-service when scanning for APs in mwifiex driver.

Failing to validate a user-defined length parameter could cause an
out-of-bounds memory access while scanning for APs in mwifiex driver. An
attacker could exploit this bug to cause a denial-of-service.


* Information leak when writing to interrupt controller in KVM.

Array access when writing to PIC device in KVM is missing protection
against Spectre v1-type attack. An attacker could exploit this flaw to
leak privileged kernel memory.


* Invalid memory accesses when using raw sockets with GTP.

A missing check when using raw sockets with GTP could lead to usage of
uninitialized memory. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when using invalid MTU in TCP/IP protocol suite.

A missing check when using invalid MTU in TCP/IP protocol suite could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Memory leak in RPCSEC_GSS server authentication driver.

A wrong expiry time when using RPCSEC_GSS server authentication driver
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* Information leak in KVM MSR index computation using Spectre v1.

A missing check in KVM MSR index computation could lead to an
information leak using Spectre v1 type attack. A local attacker could
use this flaw to leak information about the running kernel and facilitate
an attack.
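The Spectre v1 items above (KVM debug, APIC, IOAPIC, performance counter, MCE, PIC and MSR index accesses, and the Hyper-V crash MSR) all share one shape: an array index supplied by a less privileged caller is bounds-checked by a branch, and the CPU may speculatively run the out-of-range load before the branch resolves. The following is an added example, not code from Oracle, Ksplice or the Linux kernel. It shows that pattern beside the index-masking mitigation modelled after the kernel's array_index_nospec() helper; the names NR_REGS, regs, index_mask_nospec, index_nospec and read_reg_* are constructed for this illustration.

```c
/*
 * Added example (not Oracle's, Ksplice's or the kernel's code): the Spectre
 * v1 array-index pattern and the arithmetic index-masking mitigation
 * modelled after the Linux kernel's array_index_nospec(). All identifiers
 * here are constructed for the example.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NR_REGS 8UL

/* Constructed "register file" that an unprivileged caller may index. */
static uint64_t regs[NR_REGS];

/*
 * Returns ~0UL when index < size and 0 otherwise, computed purely with
 * arithmetic so the result is a data dependency of index rather than the
 * outcome of a branch the CPU can mispredict. Relies on an arithmetic
 * right shift of a negative long, which gcc and clang provide; the kernel
 * helper uses the same expression.
 */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__GNUC__)
    /* Keep the optimiser from "knowing" index < size from the preceding
     * branch and folding the mask away (the kernel uses OPTIMIZER_HIDE_VAR). */
    __asm__ __volatile__("" : "+r"(index));
#endif
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (sizeof(long) * CHAR_BIT - 1));
}

/* Clamps index into [0, size): unchanged when in range, 0 otherwise. */
static inline unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/*
 * Vulnerable pattern: the bounds check is architecturally correct, but while
 * the branch is unresolved the CPU may speculatively execute regs[idx] with
 * idx >= NR_REGS. The load is squashed, its cache footprint is not.
 */
int read_reg_vulnerable(unsigned long idx, uint64_t *out)
{
    if (idx >= NR_REGS)
        return -1;
    *out = regs[idx];
    return 0;
}

/*
 * Hardened pattern: after the check, idx is masked. Under misprediction the
 * mask evaluates to 0, so any speculative load hits regs[0] instead of
 * memory past the array. Architectural behaviour is unchanged.
 */
int read_reg_hardened(unsigned long idx, uint64_t *out)
{
    if (idx >= NR_REGS)
        return -1;
    idx = index_nospec(idx, NR_REGS);
    *out = regs[idx];
    return 0;
}

/* Fill the constructed register file with recognisable values. */
unsigned long init_regs(void)
{
    for (unsigned long i = 0; i < NR_REGS; i++)
        regs[i] = 0x1000 + i;
    return NR_REGS;
}

int main(void)
{
    uint64_t v = 0;
    init_regs();
    printf("in-range index 3: rc=%d value=0x%llx\n",
           read_reg_hardened(3, &v), (unsigned long long)v);
    printf("mask for index 3 of %lu: 0x%lx\n", NR_REGS, index_mask_nospec(3, NR_REGS));
    printf("mask for index 8 of %lu: 0x%lx\n", NR_REGS, index_mask_nospec(8, NR_REGS));
    printf("speculative-path clamp of index 200: %lu\n", index_nospec(200, NR_REGS));
    printf("out-of-range index 200 rejected: rc=%d\n", read_reg_vulnerable(200, &v));
    return 0;
}
```

The two read functions return identical results for every input; the difference is only visible to a speculating CPU. That is why a code review cannot rely on tests to find these bugs: the audit question is whether every untrusted index that reaches an array access is masked (or otherwise made a data dependency) after its bounds check, which is exactly what each of the listed Ksplice fixes adds.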


* NULL pointer dereference in UBI Fastmap driver.

A logic error in UBI Fastmap driver could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a denial-of-
service.


* Memory leak when setting traffic control index for network scheduler.

A logic error in the failure path when setting the traffic control index
for the network scheduler could lead to a memory leak. A local attacker
could use this flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2020-8992: Deadlock with too big journal size on ext4 filesystem.

Using a too big journal size on ext4 filesystem could lead to a
deadlock. A local attacker could use a specially crafted ext4 filesystem
to cause a denial-of-service.


* Memory leak when using btrfs ref verify tool.

A missing free of resources when use of the btrfs ref verify tool fails
could lead to a memory leak. A local attacker could use this flaw to
exhaust kernel memory and cause a denial-of-service.


* NULL pointer dereference when a user modifies queue pairs in Infiniband driver.

A logic error when a user modifies queue pairs in Infiniband driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Use-after-free during Network File System readdir.

A logic error when using readdir in Network File System could lead to a
memory leak. A local attacker could use this flaw to exhaust kernel
memory and cause a denial-of-service.


* Use-after-free when adding and removing tree element in btrfs.

A locking error when adding and removing tree element in btrfs could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Out-of-bounds access when using IPv4 Resource Reservation Protocol.

A logic error when using IPv4 Resource Reservation Protocol could lead
to out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.


* Use-after-free when using NFS with page cache.

A logic error when using NFS with page cache could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
