Important: kernel security, bug fix, and enhancement update

Synopsis

Important: kernel security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

• kernel: use-after-free in sound/core/timer.c (CVE-2019-19807)
  
• kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c (CVE-2017-18551)
  
• kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free (CVE-2018-20836)
  
• kernel: out of bounds write in i2c driver leads to local escalation of privilege (CVE-2019-9454)
  
• kernel: use after free due to race condition in the video driver leads to local privilege escalation (CVE-2019-9458)
  

Space precludes documenting all of the security fixes in this advisory. See the descriptions of the remaining security fixes in the related Knowledge Article:

https://access.redhat.com/articles/5442421

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

• Red Hat Enterprise Linux Workstation 7 x86_64

Fixes

• BZ - 1448750 - BUG: unable to handle kernel paging request at 0; IP: [<ffffffffc05ae76b>] nfsd4_cb_done+0x2b/0x310 [nfsd]
• BZ - 1699402 - smallfile caused kernel Cephfs crash in RHOCS (OpenShift-on-Ceph)
• BZ - 1707796 - CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free
• BZ - 1718176 - CVE-2019-12614 kernel: null pointer dereference in dlpar_parse_cc_property in arch/powerrc/platforms/pseries/dlpar.c causing denial of service
• BZ - 1724345 - mkfs.xfs hangs issuing discards
• BZ - 1745528 - CVE-2019-15217 kernel: null pointer dereference in drivers/media/usb/zr364xx/zr364xx.c driver
• BZ - 1747216 - CVE-2019-15807 kernel: Memory leak in drivers/scsi/libsas/sas_expander.c
• BZ - 1757368 - CVE-2017-18551 kernel: out of bounds write in function i2c_smbus_xfer_emulated in drivers/i2c/i2c-core-smbus.c
• BZ - 1758242 - CVE-2019-17053 kernel: unprivileged users able to create RAW sockets in AF_IEEE802154 network protocol
• BZ - 1758248 - CVE-2019-17055 kernel: unprivileged users able to create RAW sockets in AF_ISDN network protocol
• BZ - 1759681 - CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c
• BZ - 1760100 - CVE-2019-15917 kernel: use-after-free in drivers/bluetooth/hci_ldisc.c
• BZ - 1760310 - CVE-2019-16231 kernel: null-pointer dereference in drivers/net/fjes/fjes_main.c
• BZ - 1760420 - CVE-2019-16233 kernel: null pointer dereference in drivers/scsi/qla2xxx/qla_os.c
• BZ - 1774988 - CVE-2019-19046 kernel: Denial Of Service in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c
• BZ - 1775015 - CVE-2019-19063 kernel: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c allow for a DoS
• BZ - 1775021 - CVE-2019-19062 kernel: memory leak in the crypto_report() function in crypto/crypto_user_base.c allows for DoS
• BZ - 1775042 - CVE-2019-19059 kernel: Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c allows for a DoS
• BZ - 1775047 - CVE-2019-19058 kernel: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c allows for a DoS
• BZ - 1775074 - CVE-2019-19055 kernel: memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c allows DoS
• BZ - 1777239 - Unable to exclude files from auditing
• BZ - 1777418 - CVE-2019-18808 kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c
• BZ - 1779594 - CVE-2019-19332 Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid
• BZ - 1781679 - CVE-2019-19447 kernel: mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c
• BZ - 1783434 - CVE-2019-19523 kernel: use-after-free caused by a malicious USB device in the drivers/usb/misc/adutux.c driver
• BZ - 1783459 - CVE-2019-19524 kernel: a malicious USB device in the drivers/input/ff-memless.c leads to use-after-free
• BZ - 1783518 - CVE-2019-19530 kernel: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver
• BZ - 1783540 - CVE-2019-19534 kernel: information leak bug caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver
• BZ - 1783554 - Fix copy_file_range return value in case of same-file copy on NFS
• BZ - 1783561 - CVE-2019-19537 kernel: race condition caused by a malicious USB device in the USB character device driver layer
• BZ - 1786078 - CVE-2019-19807 kernel: use-after-free in sound/core/timer.c
• BZ - 1786160 - CVE-2019-19767 kernel: use-after-free in __ext4_expand_extra_isize and ext4_xattr_set_entry related to fs/ext4/inode.c and fs/ext4/super.c
• BZ - 1790063 - CVE-2019-20054 kernel: Null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c
• BZ - 1791954 - CVE-2019-20095 kernel: memory leak in mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c
• BZ - 1802555 - CVE-2020-8649 kernel: invalid read location in vgacon_invert_region function in drivers/video/console/vgacon.c
• BZ - 1802563 - CVE-2020-8647 kernel: out-of-bounds read in in vc_do_resize function in drivers/tty/vt/vt.c
• BZ - 1805135 - CVE-2020-2732 Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources
• BZ - 1809833 - CVE-2020-1749 kernel: some ipv6 protocols not encrypted over ipsec tunnel
• BZ - 1810685 - CVE-2020-9383 kernel: out-of-bounds read in set_fdc in drivers/block/floppy.c
• BZ - 1817141 - CVE-2020-10690 kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open
• BZ - 1817718 - CVE-2020-10942 kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field
• BZ - 1818818 - CVE-2019-9454 kernel: out of bounds write in i2c driver leads to local escalation of privilege
• BZ - 1819377 - CVE-2019-9458 kernel: use after free due to race condition in the video driver leads to local privilege escalation
• BZ - 1822077 - CVE-2020-12826 kernel: possible to send arbitrary signals to a privileged (suidroot) parent process
• BZ - 1824059 - CVE-2019-20636 kernel: out-of-bounds write via crafted keycode table
• BZ - 1824270 - CVE-2020-10742 kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic [rhel-7]
• BZ - 1824918 - CVE-2020-11565 kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c
• BZ - 1829662 - kernel BUG at fs/fscache/operation.c:70! FS-Cache: 4 == 5 is false - current state is FSCACHE_OP_ST_COMPLETE but should be FSCACHE_OP_CANCELLED in fscache_enqueue_operation
• BZ - 1831399 - CVE-2020-10732 kernel: uninitialized kernel data leak in userspace coredumps
• BZ - 1832332 - "[sig-network] Services should be rejected when no endpoints exist" test fails frequently on RHEL7 nodes
• BZ - 1834845 - CVE-2020-12770 kernel: sg_write function lacks an sg_remove_request call in a certain failure case
• BZ - 1835127 - CVE-2020-10742 kernel: NFS client crash due to index buffer overflow during Direct IO write causing kernel panic
• BZ - 1839634 - CVE-2020-10751 kernel: SELinux netlink permission check bypass
• BZ - 1845326 - libaio is returning duplicate events
• BZ - 1850716 - CVE-2020-14305 kernel: memory corruption in Voice over IP nf_conntrack_h423 module

CVEs

• CVE-2017-18551
• CVE-2018-20836
• CVE-2019-9454
• CVE-2019-9458
• CVE-2019-12614
• CVE-2019-15217
• CVE-2019-15807
• CVE-2019-15917
• CVE-2019-16231
• CVE-2019-16233
• CVE-2019-16994
• CVE-2019-17053
• CVE-2019-17055
• CVE-2019-18808
• CVE-2019-19046
• CVE-2019-19055
• CVE-2019-19058
• CVE-2019-19059
• CVE-2019-19062
• CVE-2019-19063
• CVE-2019-19332
• CVE-2019-19447
• CVE-2019-19523
• CVE-2019-19524
• CVE-2019-19530
• CVE-2019-19534
• CVE-2019-19537
• CVE-2019-19767
• CVE-2019-19807
• CVE-2019-20054
• CVE-2019-20095
• CVE-2019-20636
• CVE-2020-1749
• CVE-2020-2732
• CVE-2020-8647
• CVE-2020-8649
• CVE-2020-9383
• CVE-2020-10690
• CVE-2020-10732
• CVE-2020-10742
• CVE-2020-10751
• CVE-2020-10942
• CVE-2020-11565
• CVE-2020-12770
• CVE-2020-12826
• CVE-2020-14305

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index
• https://access.redhat.com/articles/5442421