Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0565
USN-5278-1: Linux kernel (OEM) vulnerabilities
9 February 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Linux kernel (OEM)
Publisher: Ubuntu
Operating System: Ubuntu
Resolution: Patch/Upgrade
CVE Names: CVE-2022-24122 CVE-2022-23222 CVE-2022-22942
CVE-2022-0382 CVE-2022-0330 CVE-2022-0264
CVE-2021-45480 CVE-2021-45095 CVE-2021-44733
CVE-2021-43975 CVE-2021-39685 CVE-2021-28715
CVE-2021-28714 CVE-2021-28713 CVE-2021-22600
CVE-2021-4197 CVE-2021-4155 CVE-2021-4135
CVE-2021-4083 CVE-2021-4001 CVE-2020-27820
Reference: ASB-2021.0239
ASB-2021.0232
ESB-2022.0486
ESB-2022.0485
Original Bulletin:
https://ubuntu.com/security/notices/USN-5278-1
Comment: CVSS (Max): 8.4* CVE-2021-22600 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: SUSE
* Not all CVSS available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
USN-5278-1: Linux kernel (OEM) vulnerabilities
09 February 2022
Several security issues were fixed in the Linux kernel.
Releases
o Ubuntu 20.04 LTS
Packages
o linux-oem-5.14 - Linux kernel for OEM systems
Details
It was discovered that the rlimit tracking for user namespaces in the Linux
kernel did not properly perform reference counting, leading to a use-after-
free vulnerability. A local attacker could use this to cause a denial of
service or possibly execute arbitrary code. ( CVE-2022-24122 )
It was discovered that the BPF verifier in the Linux kernel did not
properly restrict pointer types in certain situations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. ( CVE-2022-23222 )
Jeremy Cline discovered a use-after-free in the nouveau graphics driver of
the Linux kernel during device removal. A privileged or physically
proximate attacker could use this to cause a denial of service (system
crash). ( CVE-2020-27820 )
It was discovered that the Packet network protocol implementation in the
Linux kernel contained a double-free vulnerability. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. ( CVE-2021-22600 )
Jurgen Gross discovered that the Xen subsystem within the Linux kernel did
not adequately limit the number of events driver domains (unprivileged PV
backends) could send to other guest VMs. An attacker in a driver domain
could use this to cause a denial of service in other guest VMs.
( CVE-2021-28713 )
Jurgen Gross discovered that the Xen network backend driver in the Linux
kernel did not adequately limit the amount of queued packets when a guest
did not process them. An attacker in a guest VM can use this to cause a
denial of service (excessive kernel memory consumption) in the network
backend domain. ( CVE-2021-28714 , CVE-2021-28715 )
Szymon Heidrich discovered that the USB Gadget subsystem in the Linux
kernel did not properly restrict the size of control requests for certain
gadget types, leading to possible out of bounds reads or writes. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. ( CVE-2021-39685 )
It was discovered that the eBPF implementation in the Linux kernel
contained a race condition around read-only maps. A privileged attacker
could use this to modify read-only maps. ( CVE-2021-4001 )
Jann Horn discovered a race condition in the Unix domain socket
implementation in the Linux kernel that could result in a read-after-free.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. ( CVE-2021-4083 )
It was discovered that the simulated networking device driver for the Linux
kernel did not properly initialize memory in certain situations. A local
attacker could use this to expose sensitive information (kernel memory).
( CVE-2021-4135 )
Kirill Tkhai discovered that the XFS file system implementation in the
Linux kernel did not calculate size correctly when pre-allocating space in
some situations. A local attacker could use this to expose sensitive
information. ( CVE-2021-4155 )
Eric Biederman discovered that the cgroup process migration implementation
in the Linux kernel did not perform permission checks correctly in some
situations. A local attacker could possibly use this to gain administrative
privileges. ( CVE-2021-4197 )
Brendan Dolan-Gavitt discovered that the aQuantia AQtion Ethernet device
driver in the Linux kernel did not properly validate meta-data coming from
the device. A local attacker who can control an emulated device can use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. ( CVE-2021-43975 )
It was discovered that the ARM Trusted Execution Environment (TEE)
subsystem in the Linux kernel contained a race condition leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service or possibly execute arbitrary code. ( CVE-2021-44733 )
It was discovered that the Phone Network protocol (PhoNet) implementation
in the Linux kernel did not properly perform reference counting in some
error conditions. A local attacker could possibly use this to cause a
denial of service (memory exhaustion). ( CVE-2021-45095 )
It was discovered that the Reliable Datagram Sockets (RDS) protocol
implementation in the Linux kernel did not properly deallocate memory in
some error conditions. A local attacker could possibly use this to cause a
denial of service (memory exhaustion). ( CVE-2021-45480 )
It was discovered that the BPF subsystem in the Linux kernel did not
properly track pointer types on atomic fetch operations in some situations.
A local attacker could use this to expose sensitive information (kernel
pointer addresses). ( CVE-2022-0264 )
Sushma Venkatesh Reddy discovered that the Intel i915 graphics driver in
the Linux kernel did not perform a GPU TLB flush in some situations. A
local attacker could use this to cause a denial of service or possibly
execute arbitrary code. ( CVE-2022-0330 )
It was discovered that the TIPC Protocol implementation in the Linux kernel
did not properly initialize memory in some situations. A local attacker
could use this to expose sensitive information (kernel memory).
( CVE-2022-0382 )
It was discovered that the VMware Virtual GPU driver in the Linux kernel
did not properly handle certain failure conditions, leading to a stale
entry in the file descriptor table. A local attacker could use this to
expose sensitive information or possibly gain administrative privileges.
( CVE-2022-22942 )
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 20.04
o linux-image-5.14.0-1022-oem - 5.14.0-1022.24
o linux-image-oem-20.04d - 5.14.0.1022.19
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References
o CVE-2022-23222
o CVE-2021-22600
o CVE-2021-43975
o CVE-2022-24122
o CVE-2022-0330
o CVE-2021-28713
o CVE-2021-4135
o CVE-2022-0264
o CVE-2021-28715
o CVE-2021-39685
o CVE-2022-0382
o CVE-2021-45480
o CVE-2021-4197
o CVE-2021-4001
o CVE-2021-44733
o CVE-2020-27820
o CVE-2021-4083
o CVE-2021-45095
o CVE-2021-28714
o CVE-2022-22942
o CVE-2021-4155
Related notices
o USN-5265-1 : linux-image-unsigned-5.13.0-28-generic-64k,
linux-modules-extra-5.11.0-1029-gcp, linux-tools-5.13.0-28-lowlatency,
linux-gcp-5.11-headers-5.11.0-1029, linux-oem-20.04c,
linux-tools-5.13.0-1016-oracle, linux-generic,
linux-image-extra-virtual-hwe-20.04,
linux-buildinfo-5.13.0-1016-raspi-nolpae,
linux-image-lowlatency-hwe-20.04-edge,
linux-image-unsigned-5.13.0-28-lowlatency, linux-headers-aws,
linux-tools-5.13.0-1016-raspi, linux-image-lowlatency-hwe-20.04,
linux-cloud-tools-virtual, linux-kvm,
linux-modules-extra-5.11.0-1028-oracle,
linux-modules-extra-5.13.0-1016-oracle, linux-tools-generic-64k-hwe-20.04,
linux-modules-extra-5.13.0-1013-gcp, linux-image-generic-hwe-20.04,
linux-tools-raspi-nolpae, linux-tools-virtual-hwe-20.04,
linux-headers-5.13.0-28, linux-image-oem-20.04c, linux-hwe-5.13-tools-host,
linux-modules-5.13.0-28-lowlatency, linux-buildinfo-5.13.0-1029-oem,
linux-image-unsigned-5.13.0-1013-gcp, linux-image-unsigned-5.13.0-1029-oem,
linux-cloud-tools-azure, linux-aws, linux-image-5.13.0-28-generic-lpae,
linux-image-aws, linux-buildinfo-5.13.0-1011-kvm,
linux-headers-generic-hwe-20.04, linux-buildinfo-5.11.0-1028-aws,
linux-headers-virtual-hwe-20.04, linux-oracle-5.11-headers-5.11.0-1028,
linux-headers-generic-64k-hwe-20.04-edge,
linux-headers-generic-lpae-hwe-20.04, linux-cloud-tools-5.13.0-28,
linux-headers-5.13.0-28-generic, linux-modules-5.11.0-1028-aws,
linux-tools-5.13.0-1029-oem, linux-image-aws-edge,
linux-kvm-tools-5.13.0-1011, linux, linux-headers-gke,
linux-modules-5.11.0-1029-gcp, linux-buildinfo-5.13.0-28-generic-lpae,
linux-tools-virtual-hwe-20.04-edge, linux-headers-generic-64k-hwe-20.04,
linux-oem-5.13, linux-cloud-tools-lowlatency-hwe-20.04-edge,
linux-headers-oracle, linux-modules-extra-aws,
linux-tools-lowlatency-hwe-20.04-edge, linux-image-generic,
linux-headers-5.11.0-1028-aws, linux-headers-generic-64k,
linux-modules-extra-raspi-nolpae, linux-generic-lpae, linux-generic-64k,
linux-lowlatency, linux-tools-generic-64k-hwe-20.04-edge,
linux-headers-5.13.0-28-generic-64k, linux-image-5.11.0-1028-azure,
linux-tools-5.13.0-1011-kvm, linux-tools-raspi, linux-image-raspi,
linux-image-unsigned-5.13.0-28-generic,
linux-image-unsigned-5.13.0-1012-aws, linux-tools-azure,
linux-modules-extra-5.11.0-1028-azure, linux-buildinfo-5.13.0-1016-raspi,
linux-headers-lowlatency, linux-lowlatency-hwe-20.04,
linux-headers-generic-lpae-hwe-20.04-edge, linux-headers-5.13.0-1029-oem,
linux-image-5.13.0-1016-raspi-nolpae, linux-tools-oracle,
linux-headers-kvm, linux-kvm-headers-5.13.0-1011,
linux-oracle-headers-5.13.0-1016, linux-doc,
linux-headers-5.13.0-1016-raspi-nolpae, linux-modules-5.13.0-1012-aws,
linux-cloud-tools-generic-hwe-20.04,
linux-image-unsigned-5.11.0-1028-oracle, linux-raspi-nolpae,
linux-cloud-tools-virtual-hwe-20.04, linux-modules-5.13.0-1016-raspi,
linux-aws-5.11-headers-5.11.0-1028, linux-headers-virtual-hwe-20.04-edge,
linux-headers-generic-lpae, linux-image-unsigned-5.11.0-1029-gcp,
linux-modules-extra-raspi, linux-tools-5.11.0-1029-gcp,
linux-cloud-tools-lowlatency, linux-headers-gcp,
linux-tools-generic-lpae-hwe-20.04-edge,
linux-tools-5.13.0-28-generic-lpae, linux-tools-5.13.0-28-generic-64k,
linux-virtual-hwe-20.04, linux-headers-oem-20.04c,
linux-image-generic-lpae-hwe-20.04-edge, linux-headers-5.13.0-1016-raspi,
linux-aws-headers-5.13.0-1012, linux-hwe-5.13-tools-5.13.0-28,
linux-modules-5.13.0-1011-kvm, linux-generic-hwe-20.04-edge, linux-source,
linux-image-unsigned-5.13.0-1016-oracle,
linux-tools-5.13.0-1016-raspi-nolpae, linux-gcp-5.11,
linux-image-extra-virtual-hwe-20.04-edge, linux-modules-extra-azure,
linux-raspi-tools-5.13.0-1016, linux-cloud-tools-5.13.0-28-lowlatency,
linux-image-generic-64k-hwe-20.04-edge, linux-tools-lowlatency,
linux-image-5.13.0-1016-oracle, linux-tools-aws, linux-tools-virtual,
linux-cloud-tools-generic, linux-azure-5.11-cloud-tools-5.11.0-1028,
linux-cloud-tools-5.13.0-1012-aws, linux-image-5.11.0-1028-oracle,
linux-image-generic-hwe-20.04-edge, linux-gcp,
linux-headers-5.13.0-1013-gcp, linux-image-5.11.0-1029-gcp,
linux-image-5.13.0-1012-aws, linux-aws-edge, linux-headers-5.11.0-1029-gcp,
linux-buildinfo-5.11.0-1028-oracle, linux-buildinfo-5.13.0-28-generic,
linux-raspi, linux-aws-5.13-cloud-tools-5.13.0-1012,
linux-azure-5.11-tools-5.11.0-1028, linux-buildinfo-5.13.0-1016-oracle,
linux-cloud-tools-lowlatency-hwe-20.04, linux-gcp-tools-5.13.0-1013,
linux-modules-5.11.0-1028-oracle, linux-buildinfo-5.13.0-28-generic-64k,
linux-modules-5.13.0-1013-gcp, linux-modules-extra-5.13.0-1016-raspi,
linux-image-extra-virtual, linux-generic-hwe-20.04,
linux-headers-oem-20.04, linux-aws-5.13-headers-5.13.0-1012,
linux-headers-azure, linux-modules-5.13.0-28-generic-64k,
linux-image-unsigned-5.11.0-1028-aws, linux-hwe-5.13,
linux-tools-5.11.0-1028-aws, linux-headers-5.11.0-1028-azure,
linux-modules-extra-5.13.0-28-generic, linux-modules-5.13.0-1016-oracle,
linux-modules-extra-aws-edge, linux-oracle-5.11-tools-5.11.0-1028,
linux-gcp-headers-5.13.0-1013, linux-virtual, linux-libc-dev,
linux-generic-64k-hwe-20.04-edge, linux-hwe-5.13-cloud-tools-common,
linux-image-5.13.0-1011-kvm, linux-lowlatency-hwe-20.04-edge,
linux-tools-generic-hwe-20.04, linux-headers-generic,
linux-cloud-tools-virtual-hwe-20.04-edge,
linux-generic-lpae-hwe-20.04-edge, linux-virtual-hwe-20.04-edge,
linux-crashdump, linux-image-kvm, linux-tools-generic-hwe-20.04-edge,
linux-image-5.13.0-28-lowlatency, linux-modules-5.13.0-28-generic-lpae,
linux-image-oracle, linux-headers-raspi-nolpae,
linux-hwe-5.13-cloud-tools-5.13.0-28, linux-oracle,
linux-tools-5.11.0-1028-azure, linux-cloud-tools-5.11.0-1028-azure,
linux-tools-generic, linux-image-5.13.0-28-generic-64k,
linux-tools-generic-lpae-hwe-20.04, linux-cloud-tools-5.11.0-1028-aws,
linux-tools-kvm, linux-headers-5.13.0-1016-oracle,
linux-buildinfo-5.13.0-28-lowlatency, linux-headers-virtual,
linux-tools-gke, linux-headers-generic-hwe-20.04-edge,
linux-tools-generic-64k, linux-image-virtual-hwe-20.04,
linux-modules-extra-gcp, linux-generic-lpae-hwe-20.04,
linux-buildinfo-5.11.0-1028-azure, linux-headers-5.11.0-1028-oracle,
linux-image-generic-64k, linux-image-unsigned-5.11.0-1028-azure,
linux-tools-5.13.0-1013-gcp, linux-tools-5.11.0-1028-oracle,
linux-aws-5.11-tools-5.11.0-1028, linux-azure-5.11,
linux-headers-5.13.0-1012-aws, linux-oracle-5.11,
linux-tools-lowlatency-hwe-20.04, linux-image-5.13.0-1013-gcp,
linux-headers-lowlatency-hwe-20.04, linux-image-generic-64k-hwe-20.04,
linux-buildinfo-5.13.0-1013-gcp, linux-image-lowlatency,
linux-tools-5.13.0-28-generic, linux-tools-oem-20.04,
linux-buildinfo-5.11.0-1029-gcp, linux-image-raspi-nolpae,
linux-hwe-5.13-headers-5.13.0-28, linux-aws-5.13,
linux-aws-tools-5.13.0-1012, linux-buildinfo-5.13.0-1012-aws,
linux-headers-5.13.0-1011-kvm, linux-hwe-5.13-source-5.13.0,
linux-modules-extra-gke, linux-oem-20.04, linux-image-generic-lpae,
linux-image-virtual-hwe-20.04-edge, linux-tools-gcp,
linux-cloud-tools-common, linux-source-5.13.0,
linux-gcp-5.11-tools-5.11.0-1029, linux-tools-aws-edge, linux-tools-host,
linux-image-gcp, linux-tools-oem-20.04c, linux-azure, linux-image-azure,
linux-image-5.13.0-28-generic, linux-generic-64k-hwe-20.04,
linux-oem-5.13-tools-5.13.0-1029, linux-tools-generic-lpae,
linux-image-generic-lpae-hwe-20.04, linux-headers-5.13.0-28-generic-lpae,
linux-headers-5.13.0-28-lowlatency, linux-oem-5.13-headers-5.13.0-1029,
linux-aws-5.11, linux-cloud-tools-generic-hwe-20.04-edge,
linux-azure-5.11-headers-5.11.0-1028, linux-headers-raspi,
linux-oracle-tools-5.13.0-1016, linux-raspi-headers-5.13.0-1016,
linux-modules-5.13.0-28-generic, linux-aws-5.13-tools-5.13.0-1012,
linux-headers-aws-edge, linux-tools-common, linux-image-5.13.0-1029-oem,
linux-image-virtual, linux-headers-lowlatency-hwe-20.04-edge,
linux-aws-5.11-cloud-tools-5.11.0-1028,
linux-modules-5.13.0-1016-raspi-nolpae, linux-aws-cloud-tools-5.13.0-1012,
linux-cloud-tools-5.13.0-28-generic, linux-modules-extra-5.11.0-1028-aws,
linux-image-5.13.0-1016-raspi,
linux-modules-extra-5.13.0-1016-raspi-nolpae,
linux-modules-extra-5.13.0-1012-aws, linux-modules-5.13.0-1029-oem,
linux-image-gke, linux-tools-5.13.0-28, linux-oem-5.13-tools-host,
linux-image-unsigned-5.13.0-1011-kvm, linux-gke, linux-image-oem-20.04,
linux-tools-5.13.0-1012-aws, linux-modules-5.11.0-1028-azure,
linux-hwe-5.13-tools-common
o USN-5266-1 : linux-tools-5.4.0-1061-gke, linux-modules-extra-gke,
linux-image-unsigned-5.4.0-1061-gke, linux-gke-5.4-tools-5.4.0-1061,
linux-gke-5.4-headers-5.4.0-1061, linux-modules-extra-5.4.0-1061-gke,
linux-gke-tools-5.4.0-1061, linux-gke-headers-5.4.0-1061,
linux-modules-5.4.0-1061-gke, linux-image-5.4.0-1061-gke,
linux-modules-extra-gke-5.4, linux-headers-gke, linux-tools-gke-5.4,
linux-headers-5.4.0-1061-gke, linux-image-gke, linux-tools-gke,
linux-headers-gke-5.4, linux-image-gke-5.4, linux-gke-5.4, linux-gke,
linux-buildinfo-5.4.0-1061-gke
o USN-5207-1 : linux-oem-20.04b, linux-image-oem-20.04-edge,
linux-image-5.10.0-1053-oem, linux-tools-oem-20.04,
linux-headers-oem-20.04, linux-oem-20.04, linux-headers-oem-20.04b,
linux-oem-5.10-headers-5.10.0-1053, linux-oem-20.04-edge,
linux-tools-5.10.0-1053-oem, linux-buildinfo-5.10.0-1053-oem,
linux-oem-5.10-tools-host, linux-headers-oem-20.04-edge,
linux-image-oem-20.04b, linux-tools-oem-20.04b,
linux-modules-5.10.0-1053-oem, linux-oem-5.10, linux-tools-oem-20.04-edge,
linux-image-oem-20.04, linux-oem-5.10-tools-5.10.0-1053,
linux-headers-5.10.0-1053-oem, linux-image-unsigned-5.10.0-1053-oem
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIUAwUBYgNDn+NLKJtyKPYoAQgXDg/2Jcv/dfCMdxyONTGAPpB3Zi1pKQGyUrbp
hIjs0n3bEuCIf1CidRhBeOXqpCDd3AUsYJSdJxmQ3GL1Ub8TeDWES2g0aLuOje8K
2JvdY0DrfJKjCxihya9ii5yZtDdfGP60Xa6M8rDAZ2uQWiKIcp4xh3xb1SG/Rt5s
YIVADnkOzPznmf4DPJTN14x6c641Slaf+dgeYxvi5ckcEstEvRtqHNuFeKdSsDYr
GJMe+qeBUHGVOlW1y9mhjHtKfs7vVVdABxZ+w8Cidj0Gloi3iA3OZK3YTDU703Lf
CoidlsEhN9ygpBmCTDRAuCKA64TnZ2c/nlq0WQwGLJPQrWgoIveehgW/0omxVovo
w2A3cWFfy4iBiHdrfV28bDGUQQFhoBW/K12DSvA7KBQPSCMXqMa81g76wd/kpPAY
LMhN1Jt0l4P+cxazfLZ++8a4qPLfxF/HwoBP3fPmuNg38iOOc1/a6woQ1hZnvGMQ
VehJvkp35hGdihqB3LayLbIt1tXqlmX608V1sHkbUNAte6MQOcDxiQFvvoRauSaI
K1mbM4mA6ywQrZQBlkTq7SX2bVucM2+J0J19girMC8e+ElfBNPy1mfW4Qm82pezw
mAM9r9BD5Pz2bohyTyI1SyLmoPQieVjGkzcrWLjcUHVHu+N4zgbu0pIZR1Z6ZGex
DTe8EoAlpA==
=8J5t
-----END PGP SIGNATURE-----