Important kernel security update: Virtuozzo ReadyKernel patch 91.0 for Virtuozzo 7.0 and Virtuozzo Infrastructure Platform 2.5, 3.0¶
Issue date: 2019-11-13
Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5, Virtuozzo Infrastructure Platform 3.0
Virtuozzo Advisory ID: VZA-2019-086
1. Overview¶
The cumulative Virtuozzo ReadyKernel patch was updated with security fixes. The patch applies to the kernels 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8), 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1), 3.10.0-862.20.2.vz7.73.24 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-862.20.2.vz7.73.29 (Virtuozzo 7.0.9 and Virtuozzo Infrastructure Platform 2.5), 3.10.0-957.10.1.vz7.85.17 (Virtuozzo 7.0.10), 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1), 3.10.0-957.12.2.vz7.96.21 (Virtuozzo 7.0.11 and Virtuozzo Infrastructure Platform 3.0).
2. Security Fixes¶
[Important] [3.10.0-693.21.1.vz7.48.2 to 3.10.0-957.12.2.vz7.96.21] Potential kernel crash in __tcp_retransmit_skb(). It was discovered that a local unprivileged attacker could use a specially crafted sequence of system calls to trigger either a kernel crash in __tcp_retransmit_skb() or use-after-free conditions, which could result in privilege escalation. (CVE-2019-15239)
[Important] [3.10.0-693.21.1.vz7.48.2 to 3.10.0-957.12.2.vz7.96.21] KVM: Out-of-bounds memory access via MMIO ring buffer. An issue was found in the implementation of the coalesced MMIO write operation in KVM. The indices used to access an MMIO ring buffer could be supplied by a user-space process in the host system. An attacker with access to /dev/kvm could use this flaw to trigger out-of-bounds memory access and crash the host kernel or, potentially, escalate their privileges. (CVE-2019-14821)
3. Installing the Update¶
Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.
4. References¶
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-91.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-91.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-91.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-91.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.29-91.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-85.17-91.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-86.2-91.0-1.vl7/
https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-96.21-91.0-1.vl7/
The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-086.json.