Important kernel security update: CVE-2017-5754 and other; new kernel 2.6.32-042stab129.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2018-05-14

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2018-028

1. Overview

This update provides a new Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 kernel 2.6.32-042stab129.1 that is a rebase to the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.28.1.el6. The new kernel inherits a number of security fixes from RHEL and also introduces internal security and stability fixes.

2. Security Fixes

  • [Important] An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. NOTE: This update fixes the 32-bit compatibility layer on x86-64 processors, i.e. when 32-bit containers are executed on 64-bit processors. (CVE-2017-5754)

  • [Important] A bug in the 32-bit compatibility layer of the ioctl handling code of the v4l2 video driver in the Linux kernel has been found. A memory protection mechanism ensuring that user-provided buffers always point to a userspace memory were disabled, allowing destination address to be in a kernel space. This flaw could be exploited by an attacker to overwrite a kernel memory from an unprivileged userspace process, leading to privilege escalation. (CVE-2017-13166)

  • [Moderate] The KEYS subsystem in the Linux kernel omitted an access-control check when writing a key to the current task’s default keyring, allowing a local user to bypass security checks to the keyring. This compromises the validity of the keyring for those who rely on it. (CVE-2017-17807)

  • [Moderate] A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410)

  • [Moderate] Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130)

  • [Moderate] A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service. (CVE-2018-8897)

  • [Low] net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations. This allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all network namespaces. (CVE-2017-17450)

  • [Low] The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. (CVE-2018-6927)

3. Bug Fixes

  • Host could crash while stopping a container with a running PPTP server. (PSBM-83187)

4. Installing the Update

Install the update with the ‘vzup2date’ utility included in the distribution.