Important: kernel security, bug fix, and enhancement update

Synopsis

Important: kernel security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

  • kernel: tun: avoid double free in tun_free_netdev (CVE-2022-4744)
  • kernel: net/sched: multiple vulnerabilities (CVE-2023-3609, CVE-2023-3611, CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208)
  • kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)
  • kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait (CVE-2021-43975)
  • kernel: Rate limit overflow messages in r8152 in intr_callback (CVE-2022-3594)
  • kernel: use after free flaw in l2cap_conn_del (CVE-2022-3640)
  • kernel: double free in usb_8dev_start_xmit (CVE-2022-28388)
  • kernel: vmwgfx: multiple vulnerabilities (CVE-2022-38457, CVE-2022-40133, CVE-2023-33951, CVE-2023-33952)
  • hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982)
  • kernel: Information leak in l2cap_parse_conf_req (CVE-2022-42895)
  • kernel: KVM: multiple vulnerabilities (CVE-2022-45869, CVE-2023-4155, CVE-2023-30456)
  • kernel: memory leak in ttusb_dec_exit_dvb (CVE-2022-45887)
  • kernel: speculative pointer dereference in do_prlimit (CVE-2023-0458)
  • kernel: use-after-free due to race condition in qdisc_graft (CVE-2023-0590)
  • kernel: x86/mm: Randomize per-cpu entry area (CVE-2023-0597)
  • kernel: HID: check empty report_list in hid_validate_values (CVE-2023-1073)
  • kernel: sctp: fail if no bound addresses can be used for a given scope (CVE-2023-1074)
  • kernel: hid: Use After Free in asus_remove (CVE-2023-1079)
  • kernel: use-after-free in drivers/media/rc/ene_ir.c (CVE-2023-1118)
  • kernel: hash collisions in the IPv6 connection lookup table (CVE-2023-1206)
  • kernel: ovl: fix use after free in struct ovl_aio_req (CVE-2023-1252)
  • kernel: denial of service in tipc_conn_close (CVE-2023-1382)
  • kernel: Use after free bug in btsdio_remove due to race condition (CVE-2023-1989)
  • kernel: Spectre v2 SMT mitigations problem (CVE-2023-1998)
  • kernel: ext4: use-after-free in ext4_xattr_set_entry (CVE-2023-2513)
  • kernel: fbcon: shift-out-of-bounds in fbcon_set_font (CVE-2023-3161)
  • kernel: out-of-bounds access in relay_file_read (CVE-2023-3268)
  • kernel: xfrm: NULL pointer dereference in xfrm_update_ae_params (CVE-2023-3772)
  • kernel: smsusb: use-after-free caused by do_submit_urb (CVE-2023-4132)
  • kernel: Race between task migrating pages and another task calling exit_mmap (CVE-2023-4732)
  • Kernel: denial of service in atm_tc_enqueue due to type confusion (CVE-2023-23455)
  • kernel: mpls: double free on sysctl allocation failure (CVE-2023-26545)
  • kernel: Denial of service issue in az6027 driver (CVE-2023-28328)
  • kernel: lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow (CVE-2023-28772)
  • kernel: blocking operation in dvb_frontend_get_event and wait_event_interruptible (CVE-2023-31084)
  • kernel: net: qcom/emac: race condition leading to use-after-free in emac_remove (CVE-2023-33203)
  • kernel: saa7134: race condition leading to use-after-free in saa7134_finidev (CVE-2023-35823)
  • kernel: dm1105: race condition leading to use-after-free in dm1105_remove.c (CVE-2023-35824)
  • kernel: r592: race condition leading to use-after-free in r592_remove (CVE-2023-35825)
  • kernel: net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075)
  • kernel: use-after-free bug in remove function xgene_hwmon_remove (CVE-2023-1855)
  • kernel: Use after free bug in r592_remove (CVE-2023-3141)
  • kernel: gfs2: NULL pointer dereference in gfs2_evict_inode (CVE-2023-3212)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.9 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64
  • Red Hat CodeReady Linux Builder for x86_64 8 x86_64
  • Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
  • Red Hat CodeReady Linux Builder for ARM 64 8 aarch64

Fixes

  • BZ - 1975026 - [RHEL-8.5] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x91c/0xe80 [ses]
  • BZ - 2024989 - CVE-2021-43975 kernel: out-of-bounds write in hw_atl_utils_fw_rpc_wait() in drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
  • BZ - 2037005 - [Azure]2 simultaneous crash kernel requests cause system hang in D2s_v4 size
  • BZ - 2073091 - CVE-2022-28388 kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c
  • BZ - 2112147 - simultaneous writes to a page on xfs can result in zero-byte data
  • BZ - 2133453 - CVE-2022-40133 kernel: vmwgfx: use-after-free in vmw_execbuf_tie_context
  • BZ - 2133455 - CVE-2022-38457 kernel: vmwgfx: use-after-free in vmw_cmd_res_check
  • BZ - 2139610 - CVE-2022-3640 kernel: use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c
  • BZ - 2147356 - CVE-2022-42895 kernel: Information leak in l2cap_parse_conf_req in net/bluetooth/l2cap_core.c
  • BZ - 2148520 - CVE-2022-45887 kernel: memory leak in ttusb_dec_exit_dvb() in media/usb/ttusb-dec/ttusb_dec.c
  • BZ - 2149024 - CVE-2022-3594 kernel: Rate limit overflow messages in r8152 in intr_callback
  • BZ - 2151112 - [PATCH] block: Do not reread partition table on exclusively open device
  • BZ - 2151317 - CVE-2022-45869 kernel: KVM: x86/mmu: race condition in direct_page_fault()
  • BZ - 2156322 - CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev
  • BZ - 2165741 - CVE-2023-0590 kernel: use-after-free due to race condition in qdisc_graft()
  • BZ - 2165926 - CVE-2023-0597 kernel: x86/mm: Randomize per-cpu entry area
  • BZ - 2166567 - The system is reaching to hung state in xfs_reserve_blocks while performing the xfs mounting action
  • BZ - 2168332 - CVE-2023-23455 Kernel: denial of service in atm_tc_enqueue in net/sched/sch_atm.c due to type confusion
  • BZ - 2173403 - CVE-2023-1073 kernel: HID: check empty report_list in hid_validate_values()
  • BZ - 2173430 - CVE-2023-1074 kernel: sctp: fail if no bound addresses can be used for a given scope
  • BZ - 2173434 - CVE-2023-1075 kernel: net/tls: tls_is_tx_ready() checked list_entry
  • BZ - 2173444 - CVE-2023-1079 kernel: hid: Use After Free in asus_remove()
  • BZ - 2174220 - [RHEL-8.9] IPMI updates and bug fixes
  • BZ - 2174400 - CVE-2023-1118 kernel: use-after-free in drivers/media/rc/ene_ir.c due to race condition
  • BZ - 2175160 - Backport fix to BPF fib helper
  • BZ - 2175322 - Backport kernel audit enhancements and fixes up to upstream v6.3
  • BZ - 2175903 - CVE-2023-1206 kernel: hash collisions in the IPv6 connection lookup table
  • BZ - 2176140 - CVE-2023-1252 kernel: ovl: fix use after free in struct ovl_aio_req
  • BZ - 2177371 - CVE-2023-1382 kernel: denial of service in tipc_conn_close
  • BZ - 2177389 - CVE-2023-28328 kernel: Denial of service issue in az6027 driver in drivers/media/usb/dev-usb/az6027.c
  • BZ - 2178301 - Update drivers/base to match Linux v6.3
  • BZ - 2181273 - update cpufreq subsystem to Linux v6.3
  • BZ - 2181330 - CVE-2023-28772 kernel: lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow
  • BZ - 2182443 - CVE-2023-26545 kernel: mpls: double free on sysctl allocation failure
  • BZ - 2183559 - dm: discard IOs on striped or snap LVs can trigger data corruption [RHEL-8.9]
  • BZ - 2184578 - CVE-2023-1855 kernel: use-after-free bug in remove function xgene_hwmon_remove
  • BZ - 2185945 - CVE-2023-1989 kernel: Use after free bug in btsdio_remove due to race condition
  • BZ - 2186948 - macvlan: backports from upstream
  • BZ - 2187257 - CVE-2023-1998 kernel: Spectre v2 SMT mitigations problem
  • BZ - 2188468 - CVE-2023-30456 kernel: KVM: nVMX: missing consistency checks for CR0 and CR4
  • BZ - 2189324 - sctp: backports from upstream
  • BZ - 2192667 - CVE-2023-33203 kernel: net: qcom/emac: race condition leading to use-after-free in emac_remove()
  • BZ - 2192671 - CVE-2023-31436 kernel: out-of-bounds write in qfq_change_class function
  • BZ - 2193097 - CVE-2023-2513 kernel: ext4: use-after-free in ext4_xattr_set_entry()
  • BZ - 2193219 - CVE-2023-0458 kernel: speculative pointer dereference in do_prlimit() in kernel/sys.c
  • BZ - 2209710 - backport vsock patches for RHEL-8.9
  • BZ - 2213139 - CVE-2023-31084 kernel: blocking operation in dvb_frontend_get_event and wait_event_interruptible
  • BZ - 2213199 - CVE-2023-3141 kernel: Use after free bug in r592_remove
  • BZ - 2213485 - CVE-2023-3161 kernel: fbcon: shift-out-of-bounds in fbcon_set_font()
  • BZ - 2213802 - CVE-2023-4155 kernel: KVM: SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability
  • BZ - 2214348 - CVE-2023-3212 kernel: gfs2: NULL pointer dereference in gfs2_evict_inode()
  • BZ - 2215502 - CVE-2023-3268 kernel: out-of-bounds access in relay_file_read
  • BZ - 2215835 - CVE-2023-35823 kernel: saa7134: race condition leading to use-after-free in saa7134_finidev()
  • BZ - 2215836 - CVE-2023-35824 kernel: dm1105: race condition leading to use-after-free in dm1105_remove.c()
  • BZ - 2215837 - CVE-2023-35825 kernel: r592: race condition leading to use-after-free in r592_remove()
  • BZ - 2217658 - NFSv4.0 client hangs when server reboot while client had outstanding lock request to the server
  • BZ - 2218195 - CVE-2023-33951 kernel: vmwgfx: race condition leading to information disclosure vulnerability
  • BZ - 2218212 - CVE-2023-33952 kernel: vmwgfx: double free within the handling of vmw_buffer_object objects
  • BZ - 2218943 - CVE-2023-3772 kernel: xfrm: NULL pointer dereference in xfrm_update_ae_params()
  • BZ - 2221707 - CVE-2023-4132 kernel: smsusb: use-after-free caused by do_submit_urb()
  • BZ - 2223949 - CVE-2022-40982 hw: Intel: Gather Data Sampling (GDS) side channel vulnerability
  • BZ - 2225191 - CVE-2023-3611 kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead
  • BZ - 2225201 - CVE-2023-3609 kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails
  • BZ - 2225511 - CVE-2023-4128 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route
  • BZ - 2230213 - Please enable CONFIG_INET_DIAG_DESTROY kernel option
  • BZ - 2236982 - CVE-2023-4732 kernel: Race between task migrating pages and another task calling exit_mmap to release those same pages getting invalid opcode BUG in include/linux/swapops.h
  • RHEL-340 - backport support for Jira issues in the kernel changelog