Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0.6 and 7.0.6 HF3
Issue date: 2019-06-03
Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5
Virtuozzo Advisory ID: VZA-2019-045
The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6) and 3.10.0-693.11.6.vz7.40.4 (Virtuozzo 7.0.6 HF3). NOTE: No more patches are planned for kernel 3.10.0-693.1.1.vz7.37.30, support for which ends with this update.
2. Security Fixes
[Important] A use-after-free vulnerability was found in the way KVM implements its device control API. When a device is created via kvm_ioctl_create_device(), it holds a reference to a VM object. This reference is transferred to the file descriptor table of the caller. If that file descriptor is closed, the reference count of the VM object could drop to zero, which could lead to a use-after-free. A user/process could use this flaw to crash the guest VM resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-6974)
[Important] A use-after-free vulnerability was found in the way KVM emulates a preemption timer for L2 guests when nested virtualization is enabled. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-7221)
[Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)
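The reference-count ordering behind CVE-2019-6974, shown as an added userspace model (not Virtuozzo or kernel code): it compares taking the VM reference after the device file descriptor is visible to the caller with taking it before. All struct and function names are hypothetical, the close() is placed deterministically at the worst point of the race, and the "reference taken after publishing" order is an assumption about the unpatched code that this advisory does not spell out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical, not kernel code. */
struct vm  { int refcount; bool freed; };
struct dev { struct vm *vm; bool fd_open; };

static void vm_get(struct vm *vm) { vm->refcount++; }

static void vm_put(struct vm *vm) {
    if (--vm->refcount == 0)
        vm->freed = true;           /* stands in for freeing the object */
}

/* close() on the device fd releases the VM reference the device holds. */
static void close_device_fd(struct dev *d) {
    if (d->fd_open) {
        d->fd_open = false;
        vm_put(d->vm);
    }
}

/* Returns true if the VM was freed while the creator still needed it.
 * The close() is injected at the worst point of the race (constructed). */
static bool create_device(struct vm *vm, struct dev *d, bool ref_first) {
    d->vm = vm;                     /* device stores the VM pointer */
    if (ref_first)
        vm_get(vm);                 /* hardened: own a reference first */
    d->fd_open = true;              /* fd published: caller may close it */
    close_device_fd(d);             /* concurrent close wins the race */
    if (vm->freed)
        return true;                /* a late vm_get() would hit freed memory */
    if (!ref_first)
        vm_get(vm);                 /* assumed vulnerable order: too late */
    return false;
}

/* One run: the VM starts with a single reference held by its own fd. */
static bool run_case(bool ref_first) {
    struct vm vm = { .refcount = 1, .freed = false };
    struct dev d = { 0 };
    return create_device(&vm, &d, ref_first);
}

int main(void) {
    printf("reference after publish:  freed early = %d\n", run_case(false));
    printf("reference before publish: freed early = %d\n", run_case(true));
    return 0;
}
```

The general rule the model illustrates: an object must own every reference it depends on before any handle to it becomes reachable by another thread or process.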
3. Bug Fixes
It was discovered that inode tables created during an online resize of an ext4 filesystem were not zeroed afterwards. This could potentially result in lower performance of the file system. (PSBM-93988)
ploop: kernel crash in ploop_congested(). (PSBM-94270)
ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)
4. Installing the Update
Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.
The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-045.json.