Important kernel security update: Virtuozzo ReadyKernel patch 90.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0

Issue date: 2019-11-05

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2019-085

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to the following kernels:

  • 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2)
  • 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3)
  • 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8)
  • 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1)
  • 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5)
  • 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5)
  • 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10)
  • 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1)
  • 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0)

NOTE: No more patches are planned for the kernel 3.10.0-693.21.1.vz7.46.7, support for which ends with this update.

2. Security Fixes

  • [Important] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] Page cache side channel attacks via mincore(). It was discovered that a local attacker could exploit the mincore() system call to obtain information about memory pages of the running applications from the page cache even if the contents of these memory pages were not available to the attacker. (CVE-2019-5489)

  • [Moderate] [3.10.0-693.21.1.vz7.46.7 to 3.10.0-957.12.2.vz7.96.21] infiniband: use-after-free in ucma_leave_multicast(). It was found that the ucma_leave_multicast() function from the ‘rdma_ucm’ module could try to access a certain data structure after the structure had been freed. This allows an attacker to induce kernel memory corruption, leading to a system crash or other unspecified impact. (CVE-2018-14734)

3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.