[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-4485-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Sep 9 01:26:28 PDT 2020


Synopsis: USN-4485-1 can now be patched using Ksplice
CVEs: CVE-2018-20669 CVE-2019-19947 CVE-2019-20810 CVE-2020-10732 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-10781 CVE-2020-12655 CVE-2020-12656 CVE-2020-12771 CVE-2020-13974 CVE-2020-15393 CVE-2020-24394

Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-4485-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service in AppArmor security module.

A reference count error when setting up a cryptographic socket and later
closing it could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.


* Out-of-bounds access when receiving a malformed GSO packet.

A logic error when receiving a malformed GSO packet could lead to an
out-of-bounds access. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-20669: Privilege escalation in ioctl of i915 driver.

A missing check on the user-supplied address in an ioctl of the i915 driver
could let a user overwrite arbitrary kernel memory. A local attacker could
use this flaw to escalate privileges.


* Information leak in cryptographic subsystems.

A missing zeroing of sensitive data when freeing it in cryptographic
subsystems could lead to an information leak. A local attacker could use
this flaw to leak information about the running kernel and facilitate an
attack or leak sensitive information.


* Out-of-bounds access in QLogic QEDI 25/40/100Gb iSCSI Initiator driver.

A missing check on user input in QLogic QEDI 25/40/100Gb iSCSI Initiator
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service or escalate privileges.


* CVE-2020-10732: Information leak in corefiles in per-thread info.

When generating a corefile, the per-thread core information is not
properly sanitized, potentially leaking sensitive kernel data into the
filesystem.


* CVE-2020-10766: Information leak using Spectre V4 variant.

A logic error when context switching between multiple processes could
let an attacker disable SSBD mitigation and leak information about
victim process.


* CVE-2020-13974: Integer overflow in virtual terminal keyboard interface.

Improper handling of ASCII key events in the kernel's virtual terminal
driver could lead to an integer overflow on repeated keypresses. This
could potentially result in an unspecified security impact.


* CVE-2020-12655: Denial-of-service when syncing data on XFS filesystem.

A logic error when syncing data on a specially crafted XFS filesystem
could let an attacker cause a denial-of-service.


* CVE-2019-19947: Information leak in CAN Kvaser memory allocations.

Missing clearing of memory allocations could result in an information
leak of kernel heap memory to user-space.


* CVE-2019-20810: Denial-of-service with GO7007 sound card initialization.

A failure to properly deal with errors during initialization could lead
to a memory leak.  This could be exploited for a denial-of-service attack.


* NULL pointer dereference when sending IPv4 data over IPv6 VXLAN over IPSec.

A logic error in the xfrm code could lead to a kernel NULL pointer dereference
when sending IPv4 data over an IPv6 VXLAN over IPsec.  This could be exploited
for a denial-of-service.


* NULL pointer dereference when renaming a folder while deleting it on ext4.

A logic error when renaming a folder while deleting it on ext4 could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service in ADDI-DATA APCI_1500 COMEDI driver.

A missing check on user input when using ADDI-DATA APCI_1500 COMEDI
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.


* Out-of-bounds access in USB Infinity USB Unlimited Phoenix driver.

A missing check on user input when using USB Infinity USB Unlimited
Phoenix driver could lead to an out-of-bounds access. A local attacker
could use this flaw to cause a denial-of-service.


* Out-of-bounds access when using setsockopt on Amateur Radio AX.25 Level 2 socket.

A missing check on user input when using setsockopt on Amateur Radio
AX.25 Level 2 socket could lead to an out-of-bounds access. A local
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference when receiving packet over a tunnel device.

A logic error when receiving packet over a tunnel device could lead to a
NULL pointer dereference. A remote attacker could use this flaw to cause
a denial-of-service.


* Denial-of-service when using Virtual terminal ioctl.

A logic error when using Virtual terminal ioctl could lead to general
protection fault. A local attacker could use this flaw to cause a
denial-of-service.


* Integer underflow in ioctl of frame buffer devices.

A logic error while computing user input in FBIOPUT_VSCREENINFO ioctl of
frame buffer devices could lead to an integer underflow. A local
attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in Prism2.5/3 USB driver.

A missing check on endpoint type of a plugged USB device could lead to
an invalid memory access. A local attacker could use this flaw and a
malicious USB device to cause a denial-of-service.


* Use-after-free when creating an ANSI/IEEE 802.2 LLC type 2 socket.

A logic error when creating an ANSI/IEEE 802.2 LLC type 2 socket could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* Use-after-free when setting the TCP_CONGESTION TCP socket option.

A logic error when setting the TCP_CONGESTION TCP socket option and later
freeing it could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.


* Use-after-free when sending packets over Virtual eXtensible Local Area Network.

A missing check when sending packets over Virtual eXtensible Local Area
Network with ESP transformation offload enabled could lead to a use-
after-free. A local attacker could use this flaw to cause a denial-of-
service.


* NULL pointer dereference when setting ext4 extended attributes.

A missing check when setting ext4 extended attributes could lead to a
NULL pointer dereference. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2020-10781: Denial-of-service using Zram hot_add file sysfs entry.

A wrong permission setting on the /sys/class/zram-control/hot_add file could
let an attacker create zram device nodes and exhaust kernel memory. A
local attacker could use this flaw to cause a denial-of-service.


* CVE-2020-15393: Memory leak in USB test driver.

A missing free of resources when a USB test device is disconnected could
lead to a memory leak. A physically proximate attacker could use this
flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2020-12771: Deadlock when using Block device as cache.

A locking error when using Block device as cache could lead to a
deadlock. A local attacker could use this flaw to cause a denial-of-
service.


* Note: Oracle will not provide an update for CVE-2020-12656.

The memory leak happens only when loading/unloading the affected module
and loading a kernel module is a privileged operation.


* CVE-2020-24394: Information leak when exporting a filesystem over NFS.

A logic error when exporting a filesystem without ACL support over NFS
could lead to wrong permissions being used for newly created files. An
attacker could use this flaw to leak information stored in this
filesystem.


* Information leak in the AdLib FM cards driver.

A missing zeroing of on-stack data in the AdLib FM cards driver could
lead to an information leak. A local attacker could use this flaw to
leak information about the running kernel and facilitate an attack.


* Use-after-free in Serial ATA and Parallel ATA driver.

A logic error in Serial ATA and Parallel ATA driver could lead to a
use-after-free. A local attacker could use this flaw to cause a denial-
of-service.


* Denial-of-service in the ALSA info subsystem.

A too verbose debug print could be triggered from user space in the ALSA
info subsystem. A local attacker could use this flaw to cause a denial-
of-service.


* CVE-2020-10767: Information leak using Spectre V2 attack due to IBPB being disabled.

A logic error when STIBP is not supported by the hardware leaves IBPB
unconditionally disabled by default. A local attacker could use this
flaw to leak information about other processes.


* CVE-2020-10768: Information leak using Spectre V2 gadgets due to incorrect prctl configuration.

A logic error could let a local user enable indirect branch prediction
even if it has been force disabled to mitigate Spectre V2 attacks. A
local attacker could use this flaw to leak information about a victim
process.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.