Red Hat Product Errata RHSA-2018:2948 - Security Advisory

Issued:: 2018-10-30
Updated:: 2018-10-30

RHSA-2018:2948 - Security Advisory

Overview
Updated Packages

Synopsis

Important: kernel-alt security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for kernel-alt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-alt packages provide the Linux kernel version 4.x.

Security Fix(es):

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, aarch64)
A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390)
A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

Space precludes documenting all of the security fixes in this advisory. See the descriptions of the remaining security fixes in the related Knowledge Article:

https://access.redhat.com/articles/3658021

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390 and CVE-2018-5391; Qualys Research Labs for reporting CVE-2018-1120; David Rientjes (Google) for reporting CVE-2018-1000200; and Wen Xu for reporting CVE-2018-1092, CVE-2018-1094, and CVE-2018-1095. The CVE-2018-14619 issue was discovered by Florian Weimer (Red Hat) and Ondrej Mosnacek (Red Hat).

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

Red Hat Enterprise Linux for ARM 64 7 aarch64
Red Hat Enterprise Linux for Power 9 7 ppc64le
Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

BZ - 1516257 - CVE-2017-16648 kernel: Use-after-free in drivers/media/dvb-core/dvb_frontend.c
BZ - 1528312 - CVE-2017-17805 kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service
BZ - 1528323 - CVE-2017-17806 kernel: HMAC implementation does not validate that the underlying cryptographic hash algorithm is unkeyed allowing local attackers to cause denial-of-service
BZ - 1533909 - CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
BZ - 1539508 - CVE-2017-18075 kernel: Mishandled freeing of instances in pcrypt.c can allow a local user to cause a denial of service
BZ - 1539706 - CVE-2018-5750 kernel: Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
BZ - 1541846 - CVE-2018-1000026 kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet
BZ - 1547824 - CVE-2018-1065 kernel: netfilter: xtables NULL pointer dereference in ip6_tables.c:ip6t_do_table() leading to a crash
BZ - 1548412 - CVE-2017-13166 kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation
BZ - 1550142 - CVE-2018-7566 kernel: race condition in snd_seq_write() may lead to UAF or OOB-access
BZ - 1551051 - CVE-2018-5803 kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service
BZ - 1551565 - CVE-2017-18208 kernel: Inifinite loop vulnerability in mm/madvise.c:madvise_willneed() function allows local denial of service
BZ - 1552048 - CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c
BZ - 1553361 - CVE-2018-7757 kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c
BZ - 1560777 - CVE-2018-1092 kernel: NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image
BZ - 1560788 - CVE-2018-1094 kernel: NULL pointer dereference in ext4/xattr.c:ext4_xattr_inode_hash() causes crash with crafted ext4 image
BZ - 1560793 - CVE-2018-1095 kernel: out-of-bound access in fs/posix_acl.c:get_acl() causes crash with crafted ext4 image
BZ - 1566890 - CVE-2018-3639 hw: cpu: speculative store bypass
BZ - 1568744 - CVE-2018-1000200 kernel: NULL pointer dereference on OOM kill of large mlocked process
BZ - 1571062 - CVE-2018-8781 kernel: Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space
BZ - 1571623 - CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service
BZ - 1573699 - CVE-2018-1118 kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg()
BZ - 1575472 - CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
BZ - 1577408 - CVE-2018-10940 kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
BZ - 1583210 - CVE-2018-11506 kernel: Stack-based buffer overflow in drivers/scsi/sr_ioctl.c allows denial of service or other unspecified impact
BZ - 1589324 - CVE-2018-1000204 kernel: Infoleak caused by incorrect handling of the SG_IO ioctl
BZ - 1590215 - CVE-2018-12232 kernel: NULL pointer dereference if close and fchownat system calls share a socket file descriptor
BZ - 1590799 - CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption
BZ - 1596795 - CVE-2018-10877 kernel: out-of-bound access in ext4_ext_drop_refs function with a crafted ext4 image
BZ - 1596802 - CVE-2018-10878 kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image
BZ - 1596806 - CVE-2018-10879 kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file
BZ - 1596812 - CVE-2018-10880 kernel: stack-out-of-bounds write in ext4_update_inline_data function
BZ - 1596828 - CVE-2018-10881 kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image
BZ - 1596842 - CVE-2018-10882 kernel: stack-out-of-bounds write infs/jbd2/transaction.c
BZ - 1596846 - CVE-2018-10883 kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function
BZ - 1599161 - CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
BZ - 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)
BZ - 1609664 - CVE-2018-5391 kernel: IP fragments with random offsets allow a remote denial of service (FragmentSmack)
BZ - 1610958 - CVE-2017-18344 kernel: out-of-bounds access in the show_timer function in kernel/time/posix-timers.c
BZ - 1622004 - CVE-2018-14619 kernel: crash (possible privesc) in kernel crypto api.
BZ - 1623067 - CVE-2018-9363 kernel: Buffer overflow in hidp_process_report
BZ - 1629636 - CVE-2018-14641 kernel: a bug in ip_frag_reasm() can cause a crash in ip_do_fragment()

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for ARM 64 7

SRPM
kernel-alt-4.14.0-115.el7a.src.rpm	SHA-256: c3f79f9d90afff87036cfc2df62e0b29c53fbcf85618a1923848bd59c90029e9
aarch64
kernel-4.14.0-115.el7a.aarch64.rpm	SHA-256: 7d61724c5ed7577b7b69c1ac470a9faba031e4c162335a91b67a43d85e106799
kernel-abi-whitelists-4.14.0-115.el7a.noarch.rpm	SHA-256: c0218db091e219163cd292d3e5f0ae0d5016095f206196e374e94cbe0bbd1ee4
kernel-debug-4.14.0-115.el7a.aarch64.rpm	SHA-256: f69faeee9130d568be1262a037339b810ee9827fc49fd8a05280a4862657c9cf
kernel-debug-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: 1287ca2ff68980df3b1623e32b3d2d813d2807118e50fa489e59913cf87a4635
kernel-debug-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: 1287ca2ff68980df3b1623e32b3d2d813d2807118e50fa489e59913cf87a4635
kernel-debug-devel-4.14.0-115.el7a.aarch64.rpm	SHA-256: 792039cac77de61b36ffa30cbefbe7a9622fc51fdaa15242c4a6cdd521f58420
kernel-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: 28589cd1622eef8a82d55aefeccb63e8c1bbaab762f328a7d75ca1112bc976b1
kernel-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: 28589cd1622eef8a82d55aefeccb63e8c1bbaab762f328a7d75ca1112bc976b1
kernel-debuginfo-common-aarch64-4.14.0-115.el7a.aarch64.rpm	SHA-256: 69b20e0ade4656c4f5c65d427c8d7c114755dd2ac9471d5877a35527f14e3228
kernel-debuginfo-common-aarch64-4.14.0-115.el7a.aarch64.rpm	SHA-256: 69b20e0ade4656c4f5c65d427c8d7c114755dd2ac9471d5877a35527f14e3228
kernel-devel-4.14.0-115.el7a.aarch64.rpm	SHA-256: 8c33b2d273e5d60da560fd3ecbaee39b17cd791667199909caf9b05b895620cc
kernel-doc-4.14.0-115.el7a.noarch.rpm	SHA-256: d4f2237c039aa6266c52e23432781268ff1631bf3ebb9bce034f98a4c78fac11
kernel-doc-4.14.0-115.el7a.noarch.rpm	SHA-256: d4f2237c039aa6266c52e23432781268ff1631bf3ebb9bce034f98a4c78fac11
kernel-headers-4.14.0-115.el7a.aarch64.rpm	SHA-256: e9f1f734b33e76e312e953d7654a15c4a2482e76d187b03f4475bb63a2a1b43b
kernel-tools-4.14.0-115.el7a.aarch64.rpm	SHA-256: 53b8058103599be854866efd1cc40b9dccd0d6b22b76ddc311a84a505cb13d91
kernel-tools-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: de6050bf1c9e8c5c69d0c7c2214ffcb262fc1318ad94da53ceca117e5e2a3a9c
kernel-tools-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: de6050bf1c9e8c5c69d0c7c2214ffcb262fc1318ad94da53ceca117e5e2a3a9c
kernel-tools-libs-4.14.0-115.el7a.aarch64.rpm	SHA-256: 5e843554a594f037fc3629e2a2f67038ea45330e6fd865943b95fb7085860092
kernel-tools-libs-devel-4.14.0-115.el7a.aarch64.rpm	SHA-256: db2cca5f36112d0a0fc636c45340b17ae5b52fbc3b3eed96ec150150bc424cfe
perf-4.14.0-115.el7a.aarch64.rpm	SHA-256: 41c23613dad1bd327b68d9b0461f0e07536637085d055368d21283a28c3c7415
perf-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: 1d5b66e00290b43c15e55ee390dc566e73dd85fa01f62f57a1f476c80fecf8c3
perf-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: 1d5b66e00290b43c15e55ee390dc566e73dd85fa01f62f57a1f476c80fecf8c3
python-perf-4.14.0-115.el7a.aarch64.rpm	SHA-256: c3b86f22f1ea39cbb0eed3eaa5041523912f35d9263cb1cbeef99c658271ce1a
python-perf-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: 4115b3bd1a9aee5e3d7745f854815e78ee39ef9173f90c80e4d3929ae7f2c1e5
python-perf-debuginfo-4.14.0-115.el7a.aarch64.rpm	SHA-256: 4115b3bd1a9aee5e3d7745f854815e78ee39ef9173f90c80e4d3929ae7f2c1e5

Red Hat Enterprise Linux for Power 9 7

SRPM
kernel-alt-4.14.0-115.el7a.src.rpm	SHA-256: c3f79f9d90afff87036cfc2df62e0b29c53fbcf85618a1923848bd59c90029e9
ppc64le
kernel-4.14.0-115.el7a.ppc64le.rpm	SHA-256: ffc914a516eea04f812c89c7f1c97c28120a14badf7155dcbbfe9426cde3607a
kernel-abi-whitelists-4.14.0-115.el7a.noarch.rpm	SHA-256: c0218db091e219163cd292d3e5f0ae0d5016095f206196e374e94cbe0bbd1ee4
kernel-bootwrapper-4.14.0-115.el7a.ppc64le.rpm	SHA-256: ad12f5ad6b24592b052a1df41975c1e5342d82337cc9e90f0f1837f5891fadea
kernel-debug-4.14.0-115.el7a.ppc64le.rpm	SHA-256: edbe8b8a20579526024b035aed1efc287833dd855b44943bcd522b2ff8ba63d5
kernel-debug-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 7abf48accd53996bc84b17c34ad3a72806fc75ffeb4bb2fc157f80af2181d3da
kernel-debug-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 7abf48accd53996bc84b17c34ad3a72806fc75ffeb4bb2fc157f80af2181d3da
kernel-debug-devel-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 32444af4d82505e00da204ddd32c67a61c2b577bd3e09ea181f569b575d42a7e
kernel-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 51a511faace78f88b407f15e5e4d600cab7f7202e64c5e02acad931f81029d22
kernel-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 51a511faace78f88b407f15e5e4d600cab7f7202e64c5e02acad931f81029d22
kernel-debuginfo-common-ppc64le-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 2232e0f348b7ecde59c115364b4eeee9170fe58fd5a84ef8b8c7838ea1f6da26
kernel-debuginfo-common-ppc64le-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 2232e0f348b7ecde59c115364b4eeee9170fe58fd5a84ef8b8c7838ea1f6da26
kernel-devel-4.14.0-115.el7a.ppc64le.rpm	SHA-256: aa9dd7b4b4d16e79b49b43210f3cc50936138196ebfaea77e27496197c650407
kernel-doc-4.14.0-115.el7a.noarch.rpm	SHA-256: d4f2237c039aa6266c52e23432781268ff1631bf3ebb9bce034f98a4c78fac11
kernel-headers-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 0127a88ef29a7cf1627df83321e3f5eeef9d43f3573d528e6be5f26882c4fd6d
kernel-tools-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 21c822087857c7143da8c823f1fee3a8dd65d53f51c51a51b5e38bacec0892cd
kernel-tools-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: be9c443cc299d94802b3c8bbd28ccf0e7b3d19686904e2b070f399f3c07cb8e6
kernel-tools-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: be9c443cc299d94802b3c8bbd28ccf0e7b3d19686904e2b070f399f3c07cb8e6
kernel-tools-libs-4.14.0-115.el7a.ppc64le.rpm	SHA-256: caae1e9b852215e4ceed1bc34f2cee1f4312457c5eafb3649a2fbc769bffbe65
kernel-tools-libs-devel-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 8c786c6965ea2feae490e78118ba4afb1fc6deaaeeb90705a5f2c1a6f8a1ca75
perf-4.14.0-115.el7a.ppc64le.rpm	SHA-256: bd9bb67ae59e3671a2efab4228f19f0017418eeab2671ff184f3ed8872939149
perf-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: c41a7f93e6eef59e3e862671bb2e0e926c0b7fc70db06f3f056cc74bd018ad12
perf-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: c41a7f93e6eef59e3e862671bb2e0e926c0b7fc70db06f3f056cc74bd018ad12
python-perf-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 4e75530e6d4302eab2dcb1ec5de249bff3bee162e7828aac783373913ff380e7
python-perf-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 2120f66a60ceb2e208333f9f712ac743cb45321a4b83e99880650a052cb9798d
python-perf-debuginfo-4.14.0-115.el7a.ppc64le.rpm	SHA-256: 2120f66a60ceb2e208333f9f712ac743cb45321a4b83e99880650a052cb9798d

Red Hat Enterprise Linux for IBM System z (Structure A) 7

SRPM
kernel-alt-4.14.0-115.el7a.src.rpm	SHA-256: c3f79f9d90afff87036cfc2df62e0b29c53fbcf85618a1923848bd59c90029e9
s390x
kernel-4.14.0-115.el7a.s390x.rpm	SHA-256: 2121aeb49fecd59975c736bbe5aeb173b34dec44148284936cd7657a6f86a30d
kernel-abi-whitelists-4.14.0-115.el7a.noarch.rpm	SHA-256: c0218db091e219163cd292d3e5f0ae0d5016095f206196e374e94cbe0bbd1ee4
kernel-debug-4.14.0-115.el7a.s390x.rpm	SHA-256: 42ad59c322eb004316337439d6f89f9a2f5e3a889347de90db5d852ad6498e09
kernel-debug-debuginfo-4.14.0-115.el7a.s390x.rpm	SHA-256: 4ec2deed135023a29b88648fec585c5835e4ac4be7b3dab08da1f8952050b615
kernel-debug-devel-4.14.0-115.el7a.s390x.rpm	SHA-256: 374360ccb68411bbdff295338ef2e0847e4cfeb26360ac8bd4dadf5e30a1f239
kernel-debuginfo-4.14.0-115.el7a.s390x.rpm	SHA-256: 64bcad9420a80c60fc16202cca34a34f79a688cdbbaf81f564fa8da5e24a69ce
kernel-debuginfo-common-s390x-4.14.0-115.el7a.s390x.rpm	SHA-256: eb390269408f079a8f7f0c771c25f8796e932ecf3c2cebce9c1c24e467593241
kernel-devel-4.14.0-115.el7a.s390x.rpm	SHA-256: 335addb674e595eee8c533ab316e8899ec3d6d7567a98792effa45e3855f8e23
kernel-doc-4.14.0-115.el7a.noarch.rpm	SHA-256: d4f2237c039aa6266c52e23432781268ff1631bf3ebb9bce034f98a4c78fac11
kernel-headers-4.14.0-115.el7a.s390x.rpm	SHA-256: 47208293787bbdabad495ead6bc7ffb5255596ee1b9fb5f06d811910157d8d0d
kernel-kdump-4.14.0-115.el7a.s390x.rpm	SHA-256: 5e32ffbf60811b29a24679469e16eea284199d1c1cf2bb1e22c7e8374627c428
kernel-kdump-debuginfo-4.14.0-115.el7a.s390x.rpm	SHA-256: 5784c667f6696ad1ed75227d85e18f26484efba4be61f12c9d7de501b7e89cce
kernel-kdump-devel-4.14.0-115.el7a.s390x.rpm	SHA-256: 66443a53b396f557eee39c55c150d9ba17741c967fc3144515a54c41a38e0915
perf-4.14.0-115.el7a.s390x.rpm	SHA-256: a0dd014c465a0dff9a99c39a3d4510a9a144e8707aba5e3af5069cf472ca348d
perf-debuginfo-4.14.0-115.el7a.s390x.rpm	SHA-256: 734519c0773ebffb0b20e6a2ec83dad792435faec092ee9d3139390b91864a43
python-perf-4.14.0-115.el7a.s390x.rpm	SHA-256: f87ee67f83098dc8c7ac506fc459b2a73dfada2b7cf8a72e4de22f054b453c34
python-perf-debuginfo-4.14.0-115.el7a.s390x.rpm	SHA-256: 861db4fa9ea482ce14b209baa743492ee982d816397c7cda39ab6c04e507e799

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories