Important: kernel security, bug fix, and enhancement update

Topic

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

• use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c (CVE-2022-42896)
• net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)
• cpu: AMD CPUs may transiently execute beyond unconditional direct branch (CVE-2021-26341)
• malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory (CVE-2021-33655)
• possible race condition in drivers/tty/tty_buffers.c (CVE-2022-1462)
• KVM: NULL pointer dereference in kvm_mmu_invpcid_gva (CVE-2022-1789)
• use-after-free in free_pipe_info() could lead to privilege escalation (CVE-2022-1882)
• KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks (CVE-2022-2196)
• netfilter: nf_conntrack_irc message handling issue (CVE-2022-2663)
• race condition in xfrm_probe_algs can lead to OOB read/write (CVE-2022-3028)
• out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c (CVE-2022-3435)
• race condition in hugetlb_no_page() in mm/hugetlb.c (CVE-2022-3522)
• memory leak in ipv6_renew_options() (CVE-2022-3524)
• data races around icsk->icsk_af_ops in do_ipv6_setsockopt (CVE-2022-3566)
• data races around sk->sk_prot (CVE-2022-3567)
• memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c (CVE-2022-3619)
• denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry (CVE-2022-3623)
• use-after-free after failed devlink reload in devlink_param_get (CVE-2022-3625)
• USB-accessible buffer overflow in brcmfmac (CVE-2022-3628)
• use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c (CVE-2022-3640)
• Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed (CVE-2022-3707)
• mptcp: NULL pointer dereference in subflow traversal at disconnect time (CVE-2022-4128)
• l2tp: missing lock when clearing sk_user_data can lead to NULL pointer dereference (CVE-2022-4129)
• igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets (CVE-2022-20141)
• lockdown bypass using IMA (CVE-2022-21505)
• double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c (CVE-2022-28388)
• network backend may cause Linux netfront to use freed SKBs (XSA-405) (CVE-2022-33743)
• unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry (CVE-2022-39188)
• TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading to guest malfunctioning (CVE-2022-39189)
• u8 overflow problem in cfg80211_update_notlisted_nontrans() (CVE-2022-41674)
• use-after-free related to leaf anon_vma double reuse (CVE-2022-42703)
• use-after-free in bss_ref_get in net/wireless/scan.c (CVE-2022-42720)
• BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c (CVE-2022-42721)
• Denial of service in beacon protection for P2P-device (CVE-2022-42722)
• memory corruption in usbmon driver (CVE-2022-43750)
• NULL pointer dereference in traffic control subsystem (CVE-2022-47929)
• NULL pointer dereference in rawv6_push_pending_frames (CVE-2023-0394)
• use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)
• use-after-free caused by invalid pointer hostname in fs/cifs/connect.c (CVE-2023-1195)
• denial of service in tipc_conn_close (CVE-2023-1382)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

• Red Hat Enterprise Linux for x86_64 9 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
• Red Hat Enterprise Linux Server - AUS 9.2 x86_64
• Red Hat Enterprise Linux for IBM z Systems 9 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
• Red Hat Enterprise Linux for Power, little endian 9 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
• Red Hat Enterprise Linux for ARM 64 9 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
• Red Hat CodeReady Linux Builder for x86_64 9 x86_64
• Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
• Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
• Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
• Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.2 x86_64
• Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.2 ppc64le
• Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.2 s390x
• Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.2 aarch64
• Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64
• Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x

Fixes

• BZ - 1946801 - Support cpuset.sched_load_balance by changing default CPUset directory structure
• BZ - 1997177 - ARK-ELN: WARNING: CPU: 2 PID: 516060 at fs/nfsd/nfs4state.c:5884 nfs4_preprocess_stateid_op+0x515/0x540 [nfsd]
• BZ - 2004384 - [aarch64] kernel image signed by MOK key couldn't be loaded via kexec when lockdown is enabled
• BZ - 2061703 - CVE-2021-26341 hw: cpu: AMD CPUs may transiently execute beyond unconditional direct branch
• BZ - 2073091 - CVE-2022-28388 kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c
• BZ - 2078466 - CVE-2022-1462 kernel: possible race condition in drivers/tty/tty_buffers.c
• BZ - 2089701 - CVE-2022-1882 kernel: use-after-free in free_pipe_info() could lead to privilege escalation
• BZ - 2090723 - CVE-2022-1789 kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva
• BZ - 2104445 - RHEL9.1: in low memory conditions, page_frag_alloc may corrupt the memory.
• BZ - 2106830 - CVE-2022-21505 kernel: lockdown bypass using IMA
• BZ - 2107924 - CVE-2022-33743 kernel: network backend may cause Linux netfront to use freed SKBs (XSA-405)
• BZ - 2108691 - CVE-2021-33655 kernel: malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory
• BZ - 2114937 - CVE-2022-20141 kernel: igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets
• BZ - 2115631 - [bonding]bonding using link local ipv6 addr as ns_ip6_target can't up
• BZ - 2116442 - kernel: Backport vfork support for time namespaces
• BZ - 2119809 - mlx Fixes for vDPA control virtqueue
• BZ - 2122228 - CVE-2022-3028 kernel: race condition in xfrm_probe_algs can lead to OOB read/write
• BZ - 2123056 - CVE-2022-2663 kernel: netfilter: nf_conntrack_irc message handling issue
• BZ - 2123857 - Backport kernel audit enhancements and fixes up to upstream v6.1
• BZ - 2124788 - CVE-2022-39189 kernel: TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading to guest malfunctioning
• BZ - 2130141 - CVE-2022-39188 kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry
• BZ - 2130487 - Backport latest fixes from upstream s390x KVM for the RHEL 9.2 kernel
• BZ - 2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse
• BZ - 2133490 - CVE-2022-3435 kernel: out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c
• BZ - 2134377 - CVE-2022-41674 kernel: u8 overflow problem in cfg80211_update_notlisted_nontrans()
• BZ - 2134380 - CVE-2022-4128 kernel: mptcp: NULL pointer dereference in subflow traversal at disconnect time
• BZ - 2134451 - CVE-2022-42720 kernel: use-after-free in bss_ref_get in net/wireless/scan.c
• BZ - 2134506 - CVE-2022-42721 kernel: BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c
• BZ - 2134517 - CVE-2022-42722 kernel: Denial of service in beacon protection for P2P-device
• BZ - 2134528 - CVE-2022-4129 kernel: l2tp: missing lock when clearing sk_user_data can lead to NULL pointer dereference
• BZ - 2137979 - CVE-2022-3707 kernel: Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed
• BZ - 2138321 - [Regression] The NFS v4 server won't return failure when failing to set ACLs
• BZ - 2138605 - [Regression] kernel BUG at lib/list_debug.c:26! RIP: 0010:__list_add_valid.cold+0x3a/0x3c
• BZ - 2138866 - NFS server umount a filesystem fails with EBUSY after it's exported and a subdirectory is mounted via NFSv4.0
• BZ - 2139610 - CVE-2022-3640 kernel: use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c
• BZ - 2142657 - [RHEL9] fuse readdir cache sometimes corrupted
• BZ - 2143893 - CVE-2022-3566 kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt
• BZ - 2143943 - CVE-2022-3567 kernel: data races around sk->sk_prot
• BZ - 2144720 - CVE-2022-3625 kernel: use-after-free after failed devlink reload in devlink_param_get
• BZ - 2147364 - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c
• BZ - 2149448 - Link to bridge documentation is broken in kernel source
• BZ - 2149790 - [PATCH] block: Do not reread partition table on exclusively open device
• BZ - 2150947 - CVE-2022-3524 kernel: memory leak in ipv6_renew_options()
• BZ - 2150960 - CVE-2022-3628 kernel: USB-accessible buffer overflow in brcmfmac
• BZ - 2150979 - CVE-2022-3522 kernel: race condition in hugetlb_no_page() in mm/hugetlb.c
• BZ - 2151270 - CVE-2022-43750 kernel: memory corruption in usbmon driver
• BZ - 2152131 - In FIPS mode, the kernel should reject SHA-224, SHA-384, SHA-512-224, and SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after 2023-05-16
• BZ - 2154171 - CVE-2023-1195 kernel: use-after-free caused by invalid pointer hostname in fs/cifs/connect.c
• BZ - 2154235 - CVE-2022-3619 kernel: memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c
• BZ - 2154879 - [RHEL-9.2] NFS fixes rollup through kernel-v6.2
• BZ - 2160023 - CVE-2022-2196 kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks
• BZ - 2160028 - backport vsock patches for RHEL-9.2
• BZ - 2160443 - [RHEL 9][NFS] Crash in file_has_perm() when dereferencing a NULL file->f_security
• BZ - 2162120 - CVE-2023-0394 kernel: NULL pointer dereference in rawv6_push_pending_frames
• BZ - 2165721 - CVE-2022-3623 kernel: denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry
• BZ - 2165741 - CVE-2023-0590 kernel: use-after-free due to race condition in qdisc_graft()
• BZ - 2166658 - slow NFSD performance
• BZ - 2168246 - CVE-2022-47929 kernel: NULL pointer dereference in traffic control subsystem
• BZ - 2168599 - bnxt_en: revert 778c3af371b3 ("ethernet: Remove vf rate limit check for drivers")
• BZ - 2169017 - [nfsd] kernel BUG at mm/slub.c:385!
• BZ - 2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets
• BZ - 2177371 - CVE-2023-1382 kernel: denial of service in tipc_conn_close
• BZ - 2179342 - kernel: general protection fault, probably for non-canonical address PREEMPT SMP PT
• RHEL-186 - add support for Jira issues in the kernel changelog

CVEs

• CVE-2021-26341
• CVE-2021-33655
• CVE-2022-1462
• CVE-2022-1789
• CVE-2022-1882
• CVE-2022-2196
• CVE-2022-2663
• CVE-2022-3028
• CVE-2022-3435
• CVE-2022-3522
• CVE-2022-3524
• CVE-2022-3566
• CVE-2022-3567
• CVE-2022-3619
• CVE-2022-3623
• CVE-2022-3625
• CVE-2022-3628
• CVE-2022-3640
• CVE-2022-3707
• CVE-2022-4128
• CVE-2022-4129
• CVE-2022-20141
• CVE-2022-21505
• CVE-2022-28388
• CVE-2022-33743
• CVE-2022-39188
• CVE-2022-39189
• CVE-2022-41674
• CVE-2022-42703
• CVE-2022-42720
• CVE-2022-42721
• CVE-2022-42722
• CVE-2022-42896
• CVE-2022-43750
• CVE-2022-47929
• CVE-2023-0394
• CVE-2023-0461
• CVE-2023-0590
• CVE-2023-1195
• CVE-2023-1382
• CVE-2023-2513

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index