[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2022-9477)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Jun 21 09:41:21 UTC 2022 

Synopsis: ELSA-2022-9477 can now be patched using Ksplice
CVEs: CVE-2021-3772 CVE-2021-4197 CVE-2022-0487 CVE-2022-1048 CVE-2022-1353 CVE-2022-1419 CVE-2022-28390

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-9477.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2022-9477.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2022-1353: Information disclosure in PF_KEYv2 socket subsystem.

An incorrect initialization of Security Association data structures by the
PF_KEYv2 socket subsystem could leak previous values stored in that kernel
memory. A local, unprivileged user can use this to gain access to kernel memory
and cause a denial-of-service or leak kernel information.


* CVE-2021-3772: Denial-of-service in the SCTP Network subsystem.

A flaw in the SCTP networking subsystem may allow an attacker to cause
denial-of-service by killing existing SCTP associations.


* CVE-2022-28390: Code execution in EMS CPC-USB/ARM7 CAN/USB interface.

A double-free flaw in data transmission path of EMS CPC-USB/ARM7 CAN/USB
interface could result in memory leaks and data corruption. A local user
could use this flaw for a denial-of-service or code execution.


* CVE-2022-1419: Information disclosure in Virtual Graphics Memory Manager.

A race condition flaw in Virtual Graphics Memory Manager when creating
a DRM GEM instance could result in use-after-free. A local user could
use this flaw for information disclosure.

Orabug: 34111756


* CVE-2022-0487: Use-after-free in Realtek USB Memstick Card Interface Driver.

A use-after-free flaw in the Realtek USB Memstick Card Interface driver can
lead to a race condition. This could allow a local user to cause
denial-of-service or leak internal kernel information.

Orabug: 34132125


* CVE-2022-1048: Code execution in Advanced Linux Sound Architecture framework.

A race condition due to a missing locking in the Advanced Linux Sound
Architecture framework could result in a use-after-free. A local user
could use this flaw to cause a denial-of-service or execute arbitrary
code.

Orabug: 34007906


* CVE-2021-4197: Privilege escalation in Control Groups.

A flaw in permission checks of Control Groups subsystem could allow
an unprivileged write to the file handler. A local user could use this
flaw for a denial-of-service or privilege escalation.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list