Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.2 for Virtuozzo 7.0.4 and 7.0.4 HF3

Issue date: 2017-12-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-109

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3)

2. Security Fixes

  • [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

  • [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

  • [Important] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)

3. Bug Fixes

  • memcgroup: potential deadlocks and soft lockups. (PSBM-76011)

  • Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)

4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.