Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 42.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3

Issue date: 2018-01-12

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-004

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.42.0.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.42.0.vz7.20.18 (Virtuozzo 7.0.3).

2. Security Fixes

  • [Important] A vulnerability was found in DCCP socket handling code. dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)

  • [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)

  • [Moderate] The function get_net_ns_by_id() does not check the net.count value when processing a peer network, which could lead to double free and memory corruption. An unprivileged local user could use this vulnerability to crash the system. (CVE-2017-15129)

  • [Moderate] If the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker could cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets. (CVE-2017-18017)

  • [Moderate] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, could exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)

3. Bug Fixes

  • memcgroup: potential deadlocks and soft lockups. (PSBM-76011)

  • Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)

  • The kernel could consider a container stopped before the resources of that container, for example, VEIP addresses, have been released. As a result, the system could fail to restart the container. (PSBM-78078)

  • Migrating large memory ranges could take a while. With no resched points available, it caused soft lockups in isolate_lru_page(). (PSBM-79273)

  • Kernel warnings about memory allocation failures in vznetstat. (PSBM-79502)

4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.