Kernel security update: CVE-2018-5344 and others; Virtuozzo ReadyKernel patch 43.0 for Virtuozzo 7.0.x

Issue date: 2018-02-02

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2018-007

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported Virtuozzo kernels. NOTE: No further patches are planned for kernel 3.10.0-327.18.2.vz7.15.2; support for that kernel ends with this update.

2. Security Fixes

  • [Moderate] It was found that the release() operation for loop devices had insufficient protection of the device structures against accesses from concurrent open() operations. A local attacker could use specially arranged concurrent operations on a loop device to cause a denial of service (kernel crash due to a use-after-free error). (CVE-2018-5344)

  • [Moderate] It was discovered that some operations with files in a container could lead to denial of service on the host due to extensive memory consumption. (PSBM-80839)

3. Bug Fixes

  • Docker v17.11 and newer failed to start in containers. Starting from v17.11, Docker checks whether all cgroups are mounted and refuses to start if some are not. Some Virtuozzo-specific cgroups were visible but not mounted in containers, which prevented Docker from starting properly. (PSBM-80421, PSBM-81033)
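The mismatch described in this item (a controller the kernel lists as enabled in /proc/cgroups but with no corresponding cgroup mount) can be detected from inside a container before starting Docker. The script below is an added example, not Virtuozzo or Docker code; it only approximates the spirit of Docker's startup check. The controller name vendor_ctl and both sample files are constructed for illustration.

```python
"""Report cgroup v1 controllers that the kernel advertises as enabled
but that are not backed by a cgroup mount (the condition that makes
Docker >= 17.11 refuse to start inside a container)."""
import sys


def enabled_controllers(cgroups_text):
    """Parse /proc/cgroups text; return the set of subsystems with enabled == 1."""
    enabled = set()
    for line in cgroups_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header
        fields = line.split()  # subsys_name hierarchy num_cgroups enabled
        if len(fields) >= 4 and fields[3] == "1":
            enabled.add(fields[0])
    return enabled


def mounted_controllers(mounts_text):
    """Parse /proc/mounts text; return every option token found on cgroup v1 mounts.

    Controller names appear among the mount options (e.g. 'rw,...,cpu,cpuacct'),
    mixed with ordinary flags such as rw or nosuid. The flags are harmless here
    because the caller intersects this set with the enabled-controller set.
    """
    mounted = set()
    for line in mounts_text.splitlines():
        fields = line.split()  # source mountpoint fstype options dump pass
        if len(fields) < 4 or fields[2] != "cgroup":
            continue
        mounted.update(fields[3].split(","))
    return mounted


def missing_controllers(cgroups_text, mounts_text):
    """Return the sorted list of enabled controllers that have no cgroup mount."""
    return sorted(enabled_controllers(cgroups_text) - mounted_controllers(mounts_text))


# Constructed sample input: vendor_ctl is enabled but never mounted, while
# hugetlb is disabled (enabled == 0) and therefore must not be reported.
SAMPLE_CGROUPS = """#subsys_name\thierarchy\tnum_cgroups\tenabled
cpuset\t2\t1\t1
cpu\t3\t1\t1
cpuacct\t3\t1\t1
memory\t4\t1\t1
vendor_ctl\t5\t1\t1
hugetlb\t0\t1\t0
"""

SAMPLE_MOUNTS = """sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
"""


def check_live_system():
    """Run the comparison against the real /proc files of the current host or container."""
    with open("/proc/cgroups") as f:
        cgroups_text = f.read()
    with open("/proc/mounts") as f:
        mounts_text = f.read()
    return missing_controllers(cgroups_text, mounts_text)


if __name__ == "__main__":
    target = check_live_system() if "--live" in sys.argv else missing_controllers(SAMPLE_CGROUPS, SAMPLE_MOUNTS)
    if target:
        print("enabled but unmounted cgroup controllers:", ", ".join(target))
    else:
        print("all enabled cgroup controllers are mounted")
```

Run with `--live` inside the container to inspect the real /proc files; without arguments it evaluates the constructed sample and reports vendor_ctl. A non-empty result is the condition this bug fix removes; on a patched kernel the Virtuozzo-specific controllers should no longer show up in that list.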

  • Kernel crash in mem_cgroup_iter(). (PSBM-81090)

4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.