[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2022-9479)

[Errata Announcements for Oracle Linux]

Synopsis: ELSA-2022-9479 can now be patched using Ksplice CVEs:
CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-3772 CVE-2021-4135
CVE-2021-4197 CVE-2021-43976 CVE-2021-45469 CVE-2021-45480 CVE-2022-0487
CVE-2022-1011 CVE-2022-1048 CVE-2022-1195 CVE-2022-1353 CVE-2022-20008
CVE-2022-20136 CVE-2022-20154 CVE-2022-20166 CVE-2022-21504 CVE-2022-23036
CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041
CVE-2022-23042 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25375
CVE-2022-26490 CVE-2022-27223 CVE-2022-27950 CVE-2022-28356

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-9479.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2022-9479.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Note: Oracle has determined that CVE-2022-27223 is not applicable.

The kernel is not affected by CVE-2022-27223 since the code under
consideration is not compiled.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 and XSA-391.

CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 and XSA-391 are scored
CVSSv3 6.2 and are present in the Xen hypervisor subsystem. The CVEs
allow guest to call some interrupts with high frequency to potentially
cause a denial-of-service.

Hosts that don't use the Xen hypervisor subsystem are not affected by
this issue.

Oracle has determined that patching CVE-2021-28711, CVE-2021-28712,
CVE-2021-28713 and XSA-391 on a running system would not be safe and
recommends a reboot if the Xen hypervisor subsystem is used.


* Note: Oracle has determined that CVE-2021-45469 is not applicable.

An inadequate error handling flaw in Flash-Friendly File System could
lead to an out-of-bounds memory access when an inode has an invalid last
xattr entry. A local user could use this flaw for code execution or
denial-of-service.

The kernel is not affected by CVE-2021-45469 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-26490 is not applicable.

A missing error check in connectivity event handling of the ST21NFCA
NFC driver could result in a buffer overflow. A local user could use
this flaw to cause a denial-of-service or execute arbitrary code.

The kernel is not affected by CVE-2022-26490 since the code under
consideration is not compiled.


* CVE-2021-4135: Information disclosure in Simulated Networking Device.

Improper memory initialization in the eBPF for the Simulated Networking
Device Driver in certain situations could allow unauthorized access to
sensitive information. A local user could use this flaw for information
disclosure.


* Note: Oracle has determined that CVE-2022-24959 is not applicable.

The kernel is not affected by CVE-2022-24959 since the code under
consideration is not compiled.


* CVE-2021-45480: Denial-of-service in Reliable Datagram Socket.

A memory leak flaw in code cleanup of the Reliable Datagram Socket
protocol implementation in TCP could happen in some error condition
situations due to improper memory deallocation. A local user could
use this flaw to cause a denial-of-service.


* Note: Oracle has determined that CVE-2022-25258 is not applicable.

The USB Gadget subsystem fails to correctly validate os descriptors
passed to it. Malicious data passed to the system might exploit this to
cause a NULL-pointer dereference and denial-of-service.

The kernel is not affected by CVE-2022-25258 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-0487 is not applicable.

Oracle has determined that CVE-2022-0487 is not applicable to this
architecture/distribution. Applying the patch results in no changes to
the generated object files.


* CVE-2022-20008: Information disclosure in MMC/SD subsystem.

Improper errors handling in MMC/SD subsystem when reading from SD cards
could allow reading of kernel heap memory. A local user could use this
flaw for information disclosure.


* CVE-2021-43976: Malicious Marvell mwifiex USB device causes DoS.

Incorrect handling of packet buffers received from a Marvell mwifiex USB
device could result in a kernel assertion failure. A malicious device
might exploit this to crash the kernel.


* Out-of-bounds accesses in ASIX AX88179/178A USB 3.0/2.0 to Gigabit Ethernet.

Missing sanity checks in receive data path of ASIX AX88179/178A USB
3.0/2.0 to Gigabit Ethernet could result in out-of-bounds accesses.
A local, privileged user could use this flaw to cause a denial of
service or information disclosure.


* Use-after-free in User-space I/O driver support for HID subsystem.

A flaw in the User-space I/O driver support for HID subsystem could
happen when destroying HID device and result in use-after-free. A local
user could use this flaw for a denial-of-service or code execution.


* CVE-2021-3772: Denial-of-service in SCTP Protocol.

Improper verification of connection tags in SCTP Protocol could allow
a remote attacker to kill existing SCTP associations by sending packets
with spoofed IP addresses. A remote attacker could use this flaw to
cause a denial-of-service.


* CVE-2022-21504: Use-after-free in Linux File System support due to bad reference counting.

A reference counting flaw in Linux File System support when closing
a file could result in a use-after-free. A local user could use this
flaw for denial-of-service or code execution.

Orabug: 33413846


* CVE-2022-1011: Use-after-free in FUSE file system.

A logic flaw in FUSE file system when writing to the file system device
could result in a use-after-free. A local user could use this flaw to
cause a denial-of-service or code execution.


* Denial-of-service in SELinux due to a race condition.

A locking flaw in SELinux when computing object context SELinux IDs
could lead to a race condition and a file system mount failure. A local
user could use this flaw for a denial-of-service.


* CVE-2022-1353: Information disclosure in PF_KEY sockets.

A logic flaw in PF_KEY sockets during SKB buffer allocation and
initialization could result in improper memory initialization. A local,
unprivileged user could use this flaw for denial-of-service or
information disclosure.

Orabug: 34135343


* Note: Oracle will not provide a zero-downtime update for XSA-396, CVE-2022-23040, CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039, CVE-2022-23041, and CVE-2022-23042.

Oracle has determined that patching XSA-396 (CVE-2022-23040,
CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039,
CVE-2022-23041, and CVE-2022-23042) would not be safe and recommends
a reboot if Xen PV frontend devices are used with an untrusted PV
backend.

Hosts without any Xen frontend driver loaded are not affected by this
issue.

According to our audits, our customers are not affected by this
issue.


* Note: Oracle has determined that CVE-2022-25375, CVE-2022-20136 are not applicable.

The USB Gadget subsystem fails to validate the size of a received
RNDIS_MSG_SET command, potentially allowing for a buffer overrun. A
malicious user might exploit this to leak sensitive information from the
kernel.

The kernel is not affected by CVE-2022-25375, CVE-2022-20136 since the code
under consideration is not compiled.


* Note: Oracle has determined that CVE-2022-24958 is not applicable.

A bad error handling in configuration writing of the USB Gadget file
system could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service or execute arbitrary code.

The kernel is not affected by CVE-2022-24958 since the code under
consideration is not compiled.


* CVE-2022-1048: Code execution in Advanced Linux Sound Architecture framework.

A race condition due to a missing locking in the Advanced Linux Sound
Architecture framework could result in a use-after-free. A local user
could use this flaw to cause a denial-of-service or execute arbitrary
code.

Orabug: 34007905


* Note: Oracle has determined that CVE-2022-28356 is not applicable.

A reference counting flaw in socket binding of the 802.2 LLC type 2
driver could happen in some error conditions. A local user could use
this flaw to cause a denial-of-service.

The kernel is not affected by CVE-2022-28356 since the code under
consideration is not compiled.


* Note: Oracle has determined that CVE-2022-1195 is not applicable.

The kernel is not affected by CVE-2022-1195 since the code under
consideration is not compiled.


* CVE-2022-27950: Denial-of-service in Human Interface Devices.

A flaw in initialization of the Human Interface Devices could result in
memory leaks. A local user could use this flaw to cause a denial of
service.


* CVE-2022-20154: Privilege escalation in Stream Control Transmission Protocol.

A race condition flaw in Stream Control Transmission Protocol when
freeing an endpoint could lead to a use-after-free. A local user could
use this flaw for privilege escalation.


* CVE-2022-20166: Privilege escalation in Common Architecture Topology Code support.

A flaw in Common Architecture Topology Code support when writing
formatted strings could allow bypassing security restrictions. A local
user could use this flaw for privilege escalation.


* CVE-2021-4197: Privilege Escalation in Control Groups.

A flaw in Control Groups could result in incorrect permission checks in
some situations. A local user could use this flaw to cause a denial of
service or escalate their privileges.

Orabug: 33846003

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.