[Security] Virtuozzo ReadyKernel patch 124.0 for Virtuozzo Hybrid Server 7.0, 7.5, Virtuozzo Infrastructure Platform 3.0, and Virtuozzo Hybrid Infrastructure 3.5, 4.0

Issue date: 2021-03-12

Applies to: Virtuozzo Hybrid Infrastructure 3.5, Virtuozzo Hybrid Infrastructure 4.0, Virtuozzo Hybrid Server 7.0, Virtuozzo Hybrid Server 7.5, Virtuozzo Infrastructure Platform 3.0

Virtuozzo Advisory ID: VZA-2021-014

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to all supported kernels of Virtuozzo Hybrid Server, Virtuozzo Infrastructure Platform, and Virtuozzo Hybrid Infrastructure.

2. Security Fixes

  • [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] ip_set: null pointer dereference in ip_set_utest(). It was discovered that an attacker could trigger a kernel crash (null pointer dereference) in ip_set_utest() by running a specially crafted sequence of system calls in a container. (PSBM-122965)

  • [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] ip_set: kernel crash in ip_set_comment_free(). It was discovered that an attacker could trigger a kernel crash (general protection fault) in ip_set_comment_free() by running a specially crafted sequence of system calls in a container. (PSBM-123063)

  • [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] Memory leak in the implementation of unix sockets. It was discovered that the implementation of unix sockets did not free certain data structures if a signal was received while the unix_stream_recvmsg() function was running. An unprivileged local attacker could exploit this memory leak to cause a denial of service. (CVE-2021-20265)

  • [Moderate] [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] If a subdirectory of a file system was exported via NFS, an attacker could use the READDIRPLUS operation to access other parts of that file system. (CVE-2021-3178)

3. Bug Fixes

  • [3.10.0-957.12.2.vz7.96.21 to 3.10.0-1127.18.2.vz7.163.46] The xfrm subsystem of the Linux kernel could accept user-defined templates with invalid protocol numbers, which caused warnings in xfrm_state_fini(). (PSBM-123084)

  • [3.10.0-1127.18.2.vz7.163.46] pcompact would not compact ploop files if the underlying disk partitions had unusual alignment. (PSBM-124496)

4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.
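
The kernel range listed for the fixes above can be checked against a node inventory before the update is rolled out. The script below is an added example, not part of the Virtuozzo advisory or tooling; the function names, the result labels, the sample inventory, and the handling of a possible ".x86_64" suffix are assumptions, and it relies on GNU `sort -V`.

```shell
#!/bin/sh
# Range bounds copied from the fix entries in this advisory (VZA-2021-014).
RANGE_LOW="3.10.0-957.12.2.vz7.96.21"
RANGE_HIGH="3.10.0-1127.18.2.vz7.163.46"

# ver_le A B: succeed if version string A sorts at or before B (GNU sort -V).
ver_le() {
    [ "$1" = "$2" ] && return 0
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# Assumption: a release string may carry an architecture suffix; drop it.
normalize_kernel() {
    printf '%s\n' "${1%.x86_64}"
}

# in_patch_range KERNEL: succeed if KERNEL is a vz7 kernel inside the range.
in_patch_range() {
    k=$(normalize_kernel "$1")
    case "$k" in
        *.vz7.*) ;;
        *) return 1 ;;   # not a Virtuozzo 7 kernel string
    esac
    ver_le "$RANGE_LOW" "$k" && ver_le "$k" "$RANGE_HIGH"
}

# classify KERNEL: print which entries of the advisory list this kernel.
classify() {
    k=$(normalize_kernel "$1")
    if ! in_patch_range "$k"; then
        echo "outside-listed-range"
    elif [ "$k" = "$RANGE_HIGH" ]; then
        echo "listed-fixes+pcompact"   # PSBM-124496 lists only this kernel
    else
        echo "listed-fixes"
    fi
}

# Constructed inventory (sample strings); on a node, pass "$(uname -r)".
for kernel in 3.10.0-862.20.2.vz7.73.29 3.10.0-957.12.2.vz7.96.21 \
              3.10.0-1062.4.2.vz7.116.7 3.10.0-1127.18.2.vz7.163.46; do
    printf '%-32s %s\n' "$kernel" "$(classify "$kernel")"
done
```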