With so many kernel updates released, it can be difficult to keep track. At Oracle, we monitor kernels on a daily basis and provide bug and security updates administrators can apply without a system reboot. To help out, the Ksplice team has produced the Ksplice Inspector, a web tool to show you the updates Ksplice can apply to your kernel with zero downtime.
The Ksplice Inspector is freely available to everyone. If you're running any Ksplice supported kernel, whether it is Oracle's Unbreakable Enterprise Kernel, a Red Hat compatible kernel with RHEL or CentOS, or the kernel of one of our supported desktop distributions, visit https://www.ksplice.com/inspector and follow the instructions and you'll see a list of all the available Ksplice updates for your kernel.
If you are more comfortable in a terminal or don't have a browser handy, we've got you covered: you can get the same information calling our API through the command line. Just run the following command:
(uname -s; uname -m; uname -r; uname -v) | \ curl https://uptrack.api.ksplice.com/api/1/update-list/ \ -L -H "Accept: text/text" --data-binary @-
To illustrate the power of Oracle Ksplice, I launched a VM running Oracle Linux 7.4 with Unbreakable Enterprise Kernel from January 2018, so about 6 months old at time of this writing.
This was the result:
Your kernel needs the following updates: KAISER/KPTI enablement for Ksplice. Improve the interface to freeze tasks. Additional indirect branch speculation improvements for CVE-2017-5715. CVE-2017-17712: Information leak in raw IPV4 socket sendmsg(). CVE-2017-15115: Use-after-free in SCTP peel off operation inside network namespace. CVE-2017-14140: ASLR bypass due to insufficient permissions checks in move_pages. CVE-2017-12193: Denial-of-service in generic associative array implementation. CVE-2017-0861: Use-after-free in ALSA sound subsystem. CVE-2017-8824: Privileges escalation when calling connect() system call on a DCCP socket. Denial-of-service in Huge TLB mappings during process exit. Secure-boot protections bypass in /dev/mem mmap(). Kernel crash in Broadcom NetXtreme-C/E firmware responses. Denial-of-service when setting up NVMe Physical Region Page entries. CVE-2017-16649: Divide by zero when binding a network USB device. Missing Spectre v1 reporting. System crash in Broadwell microcode updates. Missing Spectre V2 protections on AMD systems. Missing IBRS protection for KVM guests. Spectre v2 hardening on context switch. Spectre v2 bypass in 32-bit compatibility system calls. Kernel crash in interrupt exit with KPTI. Kernel hang in QLogic mailbox handling. Kernel crash in KVM guest user mode return. Kernel hang in the SCSI stack when changing device state. CVE-2017-17052: Denial-of-service due to incorrect reference counting in fork. Weakness when checking the keys in the XTS crypto algorithm. CVE-2018-7492: Denial-of-service when setting options for RDS over Infiniband socket. CVE-2017-7518: Privilege escalation in KVM emulation subsystem. Information leak when setting crypto key using RNG algorithm. Deadlock while queuing messages before remote node is up using RDS protocol. NULL pointer dereference when using bind system call on RDS over Infiniband socket. CVE-2017-14051: Denial-of-service in qla2xxx sysfs handler. Denial-of-service in SCSI Lower Level Drivers (LLD) infrastructure. Denial-of-service when creating session in QLogic HBA Driver. CVE-2017-16646: Denial-of-service when using DiBcom DiB0700 USB DVB devices. CVE-2017-15537: Information disclosure in FPU restoration after signal. Kernel panic in HyperV guest-to-host transport. Memory leak when closing VMware VMXNET3 ethernet device. Memory corruption in IP packet redirection. NULL pointer dereference in Hyper-V transport driver on allocation failure. CVE-2018-1068: Privilege escalation in bridging interface. Data-loss when writing to XFS filesystem. Denial-of-service when following symlink in ext4 filesystem. Denial-of-service during NFS server migration. Denial-of-service during RDS socket operation. Denial-of-service when querying ethernet statistics. Denial-of-service in Hyper-V utilities driver. Denial-of-service in Broadcom NetXtreme-C/E network adapter. Denial-of-service when configuring SR-IOV virtual function. NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver. Kernel panic during asynchronous event registration in LSI Logic MegaRAID SAS driver. Kernel crash during PCI hotplug of Emulex LightPulse FibreChannel driver. Kernel crash during Emulex LightPulse FibreChannel I/O. NULL pointer dereference during Emulex LightPulse FibreChannel removal. Hard lockup in Emulex LightPulse FibreChannel driver. Deadlock during abort command in QLogic QLA2XXX driver. Kernel crash when creating RDS-over-IPv6 sockets. CVE-2017-12146: Privilege escalation using a sysfs entry from platform driver. CVE-2017-17558: Buffer overrun in USB core via integer overflow. CVE-2017-16643: Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing. CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check. CVE-2018-1000199: Denial-of-service in hardware breakpoints. CVE-2018-8897: Denial-of-service in KVM breakpoint handling. CVE-2018-1087: KVM guest breakpoint privilege escalation. CVE-2017-15129: Use-after-free in network namespace when getting namespace ids. CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets. CVE-2017-7294: Denial-of-service when creating surface using DRM driver for VMware Virtual GPU. CVE-2017-15299: Denial-of-service in uninstantiated key configuration. CVE-2017-16994: Information leak when using mincore system call. CVE-2017-17449: Missing permission check in netlink monitoring. CVE-2017-17448: Unprivileged access to netlink namespace creation. CVE-2017-17741: Denial-of-service in kvm_mmio tracepoint. Denial-of-service of KVM L1 nested hypervisor when exiting L2 guest. Improved CPU feature detection on microcode updates. Kernel crash in interrupt exit with KPTI. CVE-2018-3639: Speculative Store Bypass information leak. Device Mapper encrypted target Support big-endian plain64 IV. CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump. CVE-2017-1000410: Information leak in Bluetooth L2CAP messages. CVE-2018-10323: NULL pointer dereference when converting extents-format to B+tree in XFS filesystem. CVE-2018-8781: Integer overflow when mapping memory in USB Display Link video driver. CVE-2018-10675: Use-after-free in get_mempolicy due to incorrect reference counting. Denial-of-service in NFS dentry invalidation. CVE-2017-18203: Denial-of-service during device mapper destruction. CVE-2018-6927: Integer overflow when re queuing a futex. CVE-2018-5750: Information leak when registering ACPI Smart Battery System driver. CVE-2018-5333: NULL pointer dereference when freeing resources in Reliable Datagram Sockets driver. CVE-2018-3665: Information leak in floating point registers.
Once you've seen all the updates available for your kernel, you can quickly patch them all with Ksplice. If you're an Oracle Linux Premier Support customer, access to Ksplice is included with your subscription and available through the Unbreakable Linux Network. As Oracle Linux Premier support is included in all Oracle Cloud Infrastructure subscriptions, Oracle Cloud customers can benefit from improved security and reduced outages through Oracle Ksplice from day one.
If you're running Red Hat Enterprise Linux and you would like to check out this technology, you can try Ksplice free for 30 days.
Let us know what you think by commenting below or in the Oracle Linux forum on the Oracle Developer Community