Important kernel security update: CVE-2017-8824 and others; Virtuozzo ReadyKernel patch 42.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
Issue date: 2018-01-12
Applies to: Virtuozzo 7.0
Virtuozzo Advisory ID: VZA-2018-004
1. Overview
The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.42.0.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.42.0.vz7.20.18 (Virtuozzo 7.0.3).
2. Security Fixes
[Important] A vulnerability was found in DCCP socket handling code. dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)
[Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing an xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)
[Moderate] The function get_net_ns_by_id() does not check the net.count value when processing a peer network, which could lead to a double free and memory corruption. An unprivileged local user could use this vulnerability to crash the system. (CVE-2017-15129)
[Moderate] If the system uses iptables and has rules with the TCPMSS action, a remote attacker could cause a denial of service (use-after-free in the tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets. (CVE-2017-18017)
[Moderate] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, could exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)
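An exposure check for the TCPMSS item above (CVE-2017-18017), as an added example that is not part of the advisory: the shell function reads iptables-save output and lists only the rules whose target is TCPMSS, ignoring the unrelated tcpmss match. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): find iptables rules that use the
# TCPMSS target, the precondition the advisory names for CVE-2017-18017.
# Input is text in iptables-save format on stdin.

find_tcpmss_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*mangle" opens a table section
        $1 == "-A" {
            # Look for a jump target of TCPMSS; "-m tcpmss" is a match, not a target.
            for (i = 3; i < NF; i++) {
                if (($i == "-j" || $i == "--jump") && $(i + 1) == "TCPMSS") {
                    printf "%s %s: %s\n", table, $2, $0
                    break
                }
            }
        }
    '
}

# Constructed sample in iptables-save format (not taken from a real host).
sample_ruleset() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m comment --comment "TCPMSS note" -j DROP
COMMIT
EOF
}

# On a host: iptables-save | find_tcpmss_rules
# Here the check runs against the constructed sample.
sample_ruleset | find_tcpmss_rules
```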
3. Bug Fixes
memcgroup: potential deadlocks and soft lockups. (PSBM-76011)
Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)
The kernel could consider a container stopped before the resources of that container, for example, VEIP addresses, have been released. As a result, the system could fail to restart the container. (PSBM-78078)
Migrating large memory ranges could take a while. With no resched points available, it caused soft lockups in isolate_lru_page(). (PSBM-79273)
Kernel warnings about memory allocation failures in vznetstat. (PSBM-79502)
4. Installing the Update
Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.
5. References
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-42.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-42.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-42.0-1.vl7/
The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2018-004.json.