X

A Bridge to the Cloud...

Oracle Linux: Errata, CVE and Ksplice Inspector

Simon Coter
Senior Manager, Oracle Linux and Virtualization Product Management

Lately I'm getting in touch with different customers looking for a particular Ksplice fix for their system, so they want to understand if their running system is affected by a particular CVE and if the fix for that CVE is available as a Ksplice patch, as well as a standard patch for the Oracle Linux system or any other Linux distribution supported by Ksplice.

Errata(s) and CVE(s) for Oracle Linux, where to check ?

For Oracle Linux we have standard Errata(s) announced and released; all of them are public available at the following link:

https://linux.oracle.com/pls/apex/f?p=105:21

At the same time if you're looking for a particular CVE and which package/release includes the fix for the same, you can check at:

https://linux.oracle.com/pls/apex/f?p=130:21

Ksplice patches availability, where and how to check ?

Oracle Ksplice provides a way for you to keep your systems secure and highly available by enabling you to update them with the latest kernel and key user-space security and bug fix updates; Oracle Ksplice updates the running operating system without requiring a reboot.

With so many kernel updates released, it can be difficult to keep track and to help out, the Ksplice team has produced the Ksplice Inspector, a web tool to show you the updates Ksplice can apply to your kernel with zero downtime; by following the instructions on the Ksplice Inspector URL, you can then evaluate which Ksplice patches are available for your system.

The same kind of information can also be obtained by executing a command on the system you want to check by Ksplice Inspector:

(uname -s; uname -m; uname -r; uname -v) | \
curl https://api-ksplice.oracle.com/api/1/update-list/ \
-L -H "Accept: text/text" --data-binary @-

To illustrate the power of Oracle Ksplice, I launched a VM running Oracle Linux 7.7 with Unbreakable Enterprise Kernel Release 5 from November 2019, so about 3 months old at time of this writing.
This was the result:

[root@localhost ~]# (uname -s; uname -m; uname -r; uname -v) | \
> curl https://api-ksplice.oracle.com/api/1/update-list/ \
> -L -H "Accept: text/text" --data-binary @-
Your kernel needs the following updates:
Known exploit detection.
Known exploit detection for CVE-2017-7308.
Known exploit detection for CVE-2018-14634.
KPTI enablement for Ksplice.
Known exploit detection for CVE-2018-18445.
KSPLICE enablement for patching KVM Intel module.
CVE-2019-16995: Denial-of-service in HSR networking finalization.
CVE-2019-17053: Permission bypass when creating a IEEE 802.15.4 socket.
CVE-2019-17055: Permission bypass when creating a Modular ISDN socket.
CVE-2019-16994: Denial-of-service when registering an IPv6-in-IPv4 tunnel.
CVE-2019-15213: Denial-of-service when removing a USB DVB device.
CVE-2019-15217: NULL pointer deference when using USB ZR364XX Camera driver.
Kernel hang in block layer during CPU hotplug.
CVE-2019-15219: Denial-of-service in USB 2.0 SVGA dongle driver when using a malicious USB device.
Improved fix to CVE-2018-14625: Kernel information leak when releasing a vsock.
Kernel crash in OCFS2 direct IO cluster allocation.
Missing MDS and Spectre v2 mitigations on EIBRS supported CPUs.
Improved fix to CVE-2019-11135: Side-channel information leak in Intel TSX.
CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
CVE-2019-15807: Denial-of-service when discovering expander in SAS Domain Transport Attributes fails.
CVE-2019-16233: NULL pointer dereference when registering QLogic Fibre Channel driver.
Memory leak when failing to add NFS requests to the I/O queue.
Out-of-bounds stack write in RDS socket when using RDMA.
Memory leak in Mellanox ConnextX HCA Infiniband CX-3 virtual functions.
NULL pointer dereference when mounting a CIFS filesystem with invalid mount option.
CVE-2019-15917: Use-after-free when registering Bluetooth HCI uart device.
Memory corruption in Reliable Datagram Socket send completion.
Oracle ASM device hang during offline.
Network stall during RDMA failover.
Improved fix to CVE-2019-3016: Privilege escalation in KVM guest paravirtualized TLB flushes.
CVE-2019-19332: Denial-of-service in KVM cpuid emulation reporting.
Missing Non Maskable Interrupts on AMD KVM guests.
CVE-2016-5244: Information leak in the RDS network protocol.
CVE-2019-17666: Remote code execution in Realtek peer-to-peer Wifi.
CVE-2019-0155: Privilege escalation in Intel i915 graphics driver.
CVE-2019-0154: Denial-of-service in Intel i915 graphics driver.
IO hang on block multiqueue device waits.
CVE-2019-20054: Denial-of-service in procfs sysctl removal.
Deadlock in Reliable Datagram socket connection.
Denial-of-service in Reliable Datagram Socket send cancellation.
CVE-2020-2732: Privilege escalation in Intel KVM nested emulation.

Try Oracle Ksplice For Free!

If you would like to check out this technology, you can try Ksplice free for 30 days.

Let us know what you think by commenting below or in the Oracle Linux forum on the Oracle Developer Community

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.