[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-5515-1)
Oracle Ksplice
quentin.casasnovas at oracle.com
Fri Jul 29 10:23:55 UTC 2022
Synopsis: USN-5515-1 can now be patched using Ksplice
CVEs: CVE-2021-4197 CVE-2022-1011 CVE-2022-1198 CVE-2022-1353 CVE-2022-1516 CVE-2022-2153 CVE-2022-2380 CVE-2022-28388 CVE-2022-28389
Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-5515-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2022-28388: Denial-of-service in the 8 Devices USB2CAN interface.
A flaw in error handling of the 8 Devices USB2CAN interface when sending
data to a device could lead to a double-free. A local user could use
this flaw to cause a denial-of-service.
* CVE-2022-28389: Double-free in Microchip CAN BUS Analyzer interface.
A flaw in error handling of Microchip CAN BUS Analyzer interface could
lead to a double-free. A local user could use this flaw to cause
a denial-of-service or code execution.
* CVE-2022-1353: Information disclosure in PF_KEYv2 socket subsystem.
An incorrect initialization of Security Association data structures by the
PF_KEYv2 socket subsystem could leak previous values stored in that kernel
memory. A local, unprivileged user can use this to gain access to kernel memory
and cause a denial-of-service or leak kernel information.
* CVE-2022-1198: Use-after-free in Serial port 6PACK driver.
A logic flaw in the Serial port 6PACK driver when closing the device
could lead to a use-after-free. A local user could use this flaw for
denial-of-service or code execution.
* CVE-2022-1516: Denial-of-service in X.25 network protocol.
A flaw in the X.25 network protocol when handling link layer events
could result in NULL pointer dereference. A local user could use this
flaw for a denial-of-service.
* CVE-2022-2153: Denial-of-service in Kernel-based Virtual Machine.
A logic flaw in Kernel-based Virtual Machine in some cases when KVM
initializes a vCPU without creating APIC could result in NULL pointer
dereference. A local user could use this flaw for a denial-of-service.
* CVE-2021-4197: Privilege escalation in Control Groups.
A flaw in permission checks of Control Groups subsystem could allow
an unprivileged write to the file handler. A local user could use this
flaw for a denial-of-service or privilege escalation.
* CVE-2022-1011: Use-after-free in FUSE file system.
A logic flaw in FUSE file system when writing to the file system device
could result in a use-after-free. A local user could use this flaw to
cause a denial-of-service or code execution.
* Out-of-bounds write access in Atheros 802.11abg PCI/PCI-E driver.
A missing sanity check in Atheros 802.11abg PCI/PCI-E driver when
converting RF5111 specific data could result in out-of-bounds write
access. A local user could use this flaw for denial-of-service or code
execution.
* CVE-2022-2380: Denial-of-service in Silicon Motion SM712 Framebuffer driver.
A flaw in the Silicon Motion SM712 Framebuffer driver when reading from
the framebuffer could result in a system crash. A local user could use
this flaw for a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-Oracle-Updates
mailing list