Issued:
2018-10-30
Updated:
2018-10-30

RHSA-2018:2948 - Security Advisory

Synopsis

Important: kernel-alt security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

An update for kernel-alt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-alt packages provide the Linux kernel version 4.x.

Security Fix(es):

  • An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639, aarch64)
  • A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390)
  • A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391)

Space precludes documenting all of the security fixes in this advisory. See the descriptions of the remaining security fixes in the related Knowledge Article:

https://access.redhat.com/articles/3658021

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639; Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390 and CVE-2018-5391; Qualys Research Labs for reporting CVE-2018-1120; David Rientjes (Google) for reporting CVE-2018-1000200; and Wen Xu for reporting CVE-2018-1092, CVE-2018-1094, and CVE-2018-1095. The CVE-2018-14619 issue was discovered by Florian Weimer (Red Hat) and Ondrej Mosnacek (Red Hat).

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux for ARM 64 7 aarch64
  • Red Hat Enterprise Linux for Power 9 7 ppc64le
  • Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

  • BZ - 1516257 - CVE-2017-16648 kernel: Use-after-free in drivers/media/dvb-core/dvb_frontend.c
  • BZ - 1528312 - CVE-2017-17805 kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service
  • BZ - 1528323 - CVE-2017-17806 kernel: HMAC implementation does not validate that the underlying cryptographic hash algorithm is unkeyed allowing local attackers to cause denial-of-service
  • BZ - 1533909 - CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
  • BZ - 1539508 - CVE-2017-18075 kernel: Mishandled freeing of instances in pcrypt.c can allow a local user to cause a denial of service
  • BZ - 1539706 - CVE-2018-5750 kernel: Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
  • BZ - 1541846 - CVE-2018-1000026 kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet
  • BZ - 1547824 - CVE-2018-1065 kernel: netfilter: xtables NULL pointer dereference in ip6_tables.c:ip6t_do_table() leading to a crash
  • BZ - 1548412 - CVE-2017-13166 kernel: v4l2: disabled memory access protection mechanism allowing privilege escalation
  • BZ - 1550142 - CVE-2018-7566 kernel: race condition in snd_seq_write() may lead to UAF or OOB-access
  • BZ - 1551051 - CVE-2018-5803 kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service
  • BZ - 1551565 - CVE-2017-18208 kernel: Inifinite loop vulnerability in mm/madvise.c:madvise_willneed() function allows local denial of service
  • BZ - 1552048 - CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c
  • BZ - 1553361 - CVE-2018-7757 kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c
  • BZ - 1560777 - CVE-2018-1092 kernel: NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image
  • BZ - 1560788 - CVE-2018-1094 kernel: NULL pointer dereference in ext4/xattr.c:ext4_xattr_inode_hash() causes crash with crafted ext4 image
  • BZ - 1560793 - CVE-2018-1095 kernel: out-of-bound access in fs/posix_acl.c:get_acl() causes crash with crafted ext4 image
  • BZ - 1566890 - CVE-2018-3639 hw: cpu: speculative store bypass
  • BZ - 1568744 - CVE-2018-1000200 kernel: NULL pointer dereference on OOM kill of large mlocked process
  • BZ - 1571062 - CVE-2018-8781 kernel: Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space
  • BZ - 1571623 - CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service
  • BZ - 1573699 - CVE-2018-1118 kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg()
  • BZ - 1575472 - CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
  • BZ - 1577408 - CVE-2018-10940 kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
  • BZ - 1583210 - CVE-2018-11506 kernel: Stack-based buffer overflow in drivers/scsi/sr_ioctl.c allows denial of service or other unspecified impact
  • BZ - 1589324 - CVE-2018-1000204 kernel: Infoleak caused by incorrect handling of the SG_IO ioctl
  • BZ - 1590215 - CVE-2018-12232 kernel: NULL pointer dereference if close and fchownat system calls share a socket file descriptor
  • BZ - 1590799 - CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption
  • BZ - 1596795 - CVE-2018-10877 kernel: out-of-bound access in ext4_ext_drop_refs function with a crafted ext4 image
  • BZ - 1596802 - CVE-2018-10878 kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image
  • BZ - 1596806 - CVE-2018-10879 kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file
  • BZ - 1596812 - CVE-2018-10880 kernel: stack-out-of-bounds write in ext4_update_inline_data function
  • BZ - 1596828 - CVE-2018-10881 kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image
  • BZ - 1596842 - CVE-2018-10882 kernel: stack-out-of-bounds write infs/jbd2/transaction.c
  • BZ - 1596846 - CVE-2018-10883 kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function
  • BZ - 1599161 - CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
  • BZ - 1601704 - CVE-2018-5390 kernel: TCP segments with random offsets allow a remote denial of service (SegmentSmack)
  • BZ - 1609664 - CVE-2018-5391 kernel: IP fragments with random offsets allow a remote denial of service (FragmentSmack)
  • BZ - 1610958 - CVE-2017-18344 kernel: out-of-bounds access in the show_timer function in kernel/time/posix-timers.c
  • BZ - 1622004 - CVE-2018-14619 kernel: crash (possible privesc) in kernel crypto api.
  • BZ - 1623067 - CVE-2018-9363 kernel: Buffer overflow in hidp_process_report
  • BZ - 1629636 - CVE-2018-14641 kernel: a bug in ip_frag_reasm() can cause a crash in ip_do_fragment()

CVEs

References

Red Hat Enterprise Linux for ARM 64 7

SRPM
kernel-alt-4.14.0-115.el7a.src.rpm SHA-256: c3f79f9d90afff87036cfc2df62e0b29c53fbcf85618a1923848bd59c90029e9
aarch64
kernel-4.14.0-115.el7a.aarch64.rpm SHA-256: 7d61724c5ed7577b7b69c1ac470a9faba031e4c162335a91b67a43d85e106799
kernel-abi-whitelists-4.14.0-115.el7a.noarch.rpm SHA-256: c0218db091e219163cd292d3e5f0ae0d5016095f206196e374e94cbe0bbd1ee4
kernel-debug-4.14.0-115.el7a.aarch64.rpm SHA-256: f69faeee9130d568be1262a037339b810ee9827fc49fd8a05280a4862657c9cf
kernel-debug-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: 1287ca2ff68980df3b1623e32b3d2d813d2807118e50fa489e59913cf87a4635
kernel-debug-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: 1287ca2ff68980df3b1623e32b3d2d813d2807118e50fa489e59913cf87a4635
kernel-debug-devel-4.14.0-115.el7a.aarch64.rpm SHA-256: 792039cac77de61b36ffa30cbefbe7a9622fc51fdaa15242c4a6cdd521f58420
kernel-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: 28589cd1622eef8a82d55aefeccb63e8c1bbaab762f328a7d75ca1112bc976b1
kernel-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: 28589cd1622eef8a82d55aefeccb63e8c1bbaab762f328a7d75ca1112bc976b1
kernel-debuginfo-common-aarch64-4.14.0-115.el7a.aarch64.rpm SHA-256: 69b20e0ade4656c4f5c65d427c8d7c114755dd2ac9471d5877a35527f14e3228
kernel-debuginfo-common-aarch64-4.14.0-115.el7a.aarch64.rpm SHA-256: 69b20e0ade4656c4f5c65d427c8d7c114755dd2ac9471d5877a35527f14e3228
kernel-devel-4.14.0-115.el7a.aarch64.rpm SHA-256: 8c33b2d273e5d60da560fd3ecbaee39b17cd791667199909caf9b05b895620cc
kernel-doc-4.14.0-115.el7a.noarch.rpm SHA-256: d4f2237c039aa6266c52e23432781268ff1631bf3ebb9bce034f98a4c78fac11
kernel-doc-4.14.0-115.el7a.noarch.rpm SHA-256: d4f2237c039aa6266c52e23432781268ff1631bf3ebb9bce034f98a4c78fac11
kernel-headers-4.14.0-115.el7a.aarch64.rpm SHA-256: e9f1f734b33e76e312e953d7654a15c4a2482e76d187b03f4475bb63a2a1b43b
kernel-tools-4.14.0-115.el7a.aarch64.rpm SHA-256: 53b8058103599be854866efd1cc40b9dccd0d6b22b76ddc311a84a505cb13d91
kernel-tools-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: de6050bf1c9e8c5c69d0c7c2214ffcb262fc1318ad94da53ceca117e5e2a3a9c
kernel-tools-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: de6050bf1c9e8c5c69d0c7c2214ffcb262fc1318ad94da53ceca117e5e2a3a9c
kernel-tools-libs-4.14.0-115.el7a.aarch64.rpm SHA-256: 5e843554a594f037fc3629e2a2f67038ea45330e6fd865943b95fb7085860092
kernel-tools-libs-devel-4.14.0-115.el7a.aarch64.rpm SHA-256: db2cca5f36112d0a0fc636c45340b17ae5b52fbc3b3eed96ec150150bc424cfe
perf-4.14.0-115.el7a.aarch64.rpm SHA-256: 41c23613dad1bd327b68d9b0461f0e07536637085d055368d21283a28c3c7415
perf-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: 1d5b66e00290b43c15e55ee390dc566e73dd85fa01f62f57a1f476c80fecf8c3
perf-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: 1d5b66e00290b43c15e55ee390dc566e73dd85fa01f62f57a1f476c80fecf8c3
python-perf-4.14.0-115.el7a.aarch64.rpm SHA-256: c3b86f22f1ea39cbb0eed3eaa5041523912f35d9263cb1cbeef99c658271ce1a
python-perf-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: 4115b3bd1a9aee5e3d7745f854815e78ee39ef9173f90c80e4d3929ae7f2c1e5
python-perf-debuginfo-4.14.0-115.el7a.aarch64.rpm SHA-256: 4115b3bd1a9aee5e3d7745f854815e78ee39ef9173f90c80e4d3929ae7f2c1e5

Red Hat Enterprise Linux for Power 9 7

SRPM
kernel-alt-4.14.0-115.el7a.src.rpm SHA-256: c3f79f9d90afff87036cfc2df62e0b29c53fbcf85618a1923848bd59c90029e9
ppc64le
kernel-4.14.0-115.el7a.ppc64le.rpm SHA-256: ffc914a516eea04f812c89c7f1c97c28120a14badf7155dcbbfe9426cde3607a
kernel-abi-whitelists-4.14.0-115.el7a.noarch.rpm SHA-256: c0218db091e219163cd292d3e5f0ae0d5016095f206196e374e94cbe0bbd1ee4
kernel-bootwrapper-4.14.0-115.el7a.ppc64le.rpm SHA-256: ad12f5ad6b24592b052a1df41975c1e5342d82337cc9e90f0f1837f5891fadea
kernel-debug-4.14.0-115.el7a.ppc64le.rpm SHA-256: edbe8b8a20579526024b035aed1efc287833dd855b44943bcd522b2ff8ba63d5
kernel-debug-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: 7abf48accd53996bc84b17c34ad3a72806fc75ffeb4bb2fc157f80af2181d3da
kernel-debug-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: 7abf48accd53996bc84b17c34ad3a72806fc75ffeb4bb2fc157f80af2181d3da
kernel-debug-devel-4.14.0-115.el7a.ppc64le.rpm SHA-256: 32444af4d82505e00da204ddd32c67a61c2b577bd3e09ea181f569b575d42a7e
kernel-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: 51a511faace78f88b407f15e5e4d600cab7f7202e64c5e02acad931f81029d22
kernel-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: 51a511faace78f88b407f15e5e4d600cab7f7202e64c5e02acad931f81029d22
kernel-debuginfo-common-ppc64le-4.14.0-115.el7a.ppc64le.rpm SHA-256: 2232e0f348b7ecde59c115364b4eeee9170fe58fd5a84ef8b8c7838ea1f6da26
kernel-debuginfo-common-ppc64le-4.14.0-115.el7a.ppc64le.rpm SHA-256: 2232e0f348b7ecde59c115364b4eeee9170fe58fd5a84ef8b8c7838ea1f6da26
kernel-devel-4.14.0-115.el7a.ppc64le.rpm SHA-256: aa9dd7b4b4d16e79b49b43210f3cc50936138196ebfaea77e27496197c650407
kernel-doc-4.14.0-115.el7a.noarch.rpm SHA-256: d4f2237c039aa6266c52e23432781268ff1631bf3ebb9bce034f98a4c78fac11
kernel-headers-4.14.0-115.el7a.ppc64le.rpm SHA-256: 0127a88ef29a7cf1627df83321e3f5eeef9d43f3573d528e6be5f26882c4fd6d
kernel-tools-4.14.0-115.el7a.ppc64le.rpm SHA-256: 21c822087857c7143da8c823f1fee3a8dd65d53f51c51a51b5e38bacec0892cd
kernel-tools-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: be9c443cc299d94802b3c8bbd28ccf0e7b3d19686904e2b070f399f3c07cb8e6
kernel-tools-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: be9c443cc299d94802b3c8bbd28ccf0e7b3d19686904e2b070f399f3c07cb8e6
kernel-tools-libs-4.14.0-115.el7a.ppc64le.rpm SHA-256: caae1e9b852215e4ceed1bc34f2cee1f4312457c5eafb3649a2fbc769bffbe65
kernel-tools-libs-devel-4.14.0-115.el7a.ppc64le.rpm SHA-256: 8c786c6965ea2feae490e78118ba4afb1fc6deaaeeb90705a5f2c1a6f8a1ca75
perf-4.14.0-115.el7a.ppc64le.rpm SHA-256: bd9bb67ae59e3671a2efab4228f19f0017418eeab2671ff184f3ed8872939149
perf-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: c41a7f93e6eef59e3e862671bb2e0e926c0b7fc70db06f3f056cc74bd018ad12
perf-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: c41a7f93e6eef59e3e862671bb2e0e926c0b7fc70db06f3f056cc74bd018ad12
python-perf-4.14.0-115.el7a.ppc64le.rpm SHA-256: 4e75530e6d4302eab2dcb1ec5de249bff3bee162e7828aac783373913ff380e7
python-perf-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: 2120f66a60ceb2e208333f9f712ac743cb45321a4b83e99880650a052cb9798d
python-perf-debuginfo-4.14.0-115.el7a.ppc64le.rpm SHA-256: 2120f66a60ceb2e208333f9f712ac743cb45321a4b83e99880650a052cb9798d

Red Hat Enterprise Linux for IBM System z (Structure A) 7

SRPM
kernel-alt-4.14.0-115.el7a.src.rpm SHA-256: c3f79f9d90afff87036cfc2df62e0b29c53fbcf85618a1923848bd59c90029e9
s390x
kernel-4.14.0-115.el7a.s390x.rpm SHA-256: 2121aeb49fecd59975c736bbe5aeb173b34dec44148284936cd7657a6f86a30d
kernel-abi-whitelists-4.14.0-115.el7a.noarch.rpm SHA-256: c0218db091e219163cd292d3e5f0ae0d5016095f206196e374e94cbe0bbd1ee4
kernel-debug-4.14.0-115.el7a.s390x.rpm SHA-256: 42ad59c322eb004316337439d6f89f9a2f5e3a889347de90db5d852ad6498e09
kernel-debug-debuginfo-4.14.0-115.el7a.s390x.rpm SHA-256: 4ec2deed135023a29b88648fec585c5835e4ac4be7b3dab08da1f8952050b615
kernel-debug-devel-4.14.0-115.el7a.s390x.rpm SHA-256: 374360ccb68411bbdff295338ef2e0847e4cfeb26360ac8bd4dadf5e30a1f239
kernel-debuginfo-4.14.0-115.el7a.s390x.rpm SHA-256: 64bcad9420a80c60fc16202cca34a34f79a688cdbbaf81f564fa8da5e24a69ce
kernel-debuginfo-common-s390x-4.14.0-115.el7a.s390x.rpm SHA-256: eb390269408f079a8f7f0c771c25f8796e932ecf3c2cebce9c1c24e467593241
kernel-devel-4.14.0-115.el7a.s390x.rpm SHA-256: 335addb674e595eee8c533ab316e8899ec3d6d7567a98792effa45e3855f8e23
kernel-doc-4.14.0-115.el7a.noarch.rpm SHA-256: d4f2237c039aa6266c52e23432781268ff1631bf3ebb9bce034f98a4c78fac11
kernel-headers-4.14.0-115.el7a.s390x.rpm SHA-256: 47208293787bbdabad495ead6bc7ffb5255596ee1b9fb5f06d811910157d8d0d
kernel-kdump-4.14.0-115.el7a.s390x.rpm SHA-256: 5e32ffbf60811b29a24679469e16eea284199d1c1cf2bb1e22c7e8374627c428
kernel-kdump-debuginfo-4.14.0-115.el7a.s390x.rpm SHA-256: 5784c667f6696ad1ed75227d85e18f26484efba4be61f12c9d7de501b7e89cce
kernel-kdump-devel-4.14.0-115.el7a.s390x.rpm SHA-256: 66443a53b396f557eee39c55c150d9ba17741c967fc3144515a54c41a38e0915
perf-4.14.0-115.el7a.s390x.rpm SHA-256: a0dd014c465a0dff9a99c39a3d4510a9a144e8707aba5e3af5069cf472ca348d
perf-debuginfo-4.14.0-115.el7a.s390x.rpm SHA-256: 734519c0773ebffb0b20e6a2ec83dad792435faec092ee9d3139390b91864a43
python-perf-4.14.0-115.el7a.s390x.rpm SHA-256: f87ee67f83098dc8c7ac506fc459b2a73dfada2b7cf8a72e4de22f054b453c34
python-perf-debuginfo-4.14.0-115.el7a.s390x.rpm SHA-256: 861db4fa9ea482ce14b209baa743492ee982d816397c7cda39ab6c04e507e799

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.