Red Hat Product Errata RHSA-2021:3328 - Security Advisory
Issued:
2021-08-31
Updated:
2021-08-31

RHSA-2021:3328 - Security Advisory

Synopsis

Important: kernel-rt security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

  • kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c (CVE-2021-22555)
  • kernel: race condition for removal of the HCI controller (CVE-2021-32399)
  • kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation (CVE-2021-29154)
  • kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • kernel-rt: update to the latest RHEL7.9.z8 source tree (BZ#1982927)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux for Real Time 7 x86_64
  • Red Hat Enterprise Linux for Real Time for NFV 7 x86_64

Fixes

  • BZ - 1945388 - CVE-2021-29650 kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS
  • BZ - 1946684 - CVE-2021-29154 kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation
  • BZ - 1970807 - CVE-2021-32399 kernel: race condition for removal of the HCI controller
  • BZ - 1980101 - CVE-2021-22555 kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c

Red Hat Enterprise Linux for Real Time 7

SRPM
kernel-rt-3.10.0-1160.41.1.rt56.1181.el7.src.rpm SHA-256: 17e2a541f440a5014f1df977729016e403603fff1357dce1167422044cff2bca
x86_64
kernel-rt-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 9ddaa79ed56defbc57a79de3e2bb4f055bd6a5c4e106e0c599d554db189a2758
kernel-rt-debug-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 16ed7b965369e6b0bb3a185173c27627364210fce1a5d324771acfa44e52c8c2
kernel-rt-debug-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: d5c6d3d835cf278092a8884d9fa6232e3523acc1a47f6afa696f3b3e2862810d
kernel-rt-debug-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 3aba26ac6396d9208dbd0aa2d1d7294608cd4d6b6db315b25c3ed172457c2cbf
kernel-rt-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 561c665c20a4b388697a76e67a3015f34163ceada4d51b28f89c870c359f530d
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: a11d0be00fc15750a6df2454e2735ae036a9836bb45d27b06f60ae5cc18c3697
kernel-rt-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: b6f5ef4209329a3683bd371165eade8a509512508a4d8021cde84d10a9200455
kernel-rt-doc-3.10.0-1160.41.1.rt56.1181.el7.noarch.rpm SHA-256: f9278ebbc8d7fbf9cb507ffc789d821151e21686b8edf1f7a03cdc0cd48de63b
kernel-rt-trace-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: c833a4a6b61ab27ec9aa2f5f35dd6c5bfdf452c20e1615a9edb1a3f6e7ad7b28
kernel-rt-trace-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 56b882bd0e9e9b9bbcb6dbbad5b8a0f6ce479527dc7daa433ee30b58860aeafc
kernel-rt-trace-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: a5b563d879b95f8b9b6a04331c0da6992c7a0552eec6cb1bba3dd0e5f14544e8

Red Hat Enterprise Linux for Real Time for NFV 7

SRPM
kernel-rt-3.10.0-1160.41.1.rt56.1181.el7.src.rpm SHA-256: 17e2a541f440a5014f1df977729016e403603fff1357dce1167422044cff2bca
x86_64
kernel-rt-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 9ddaa79ed56defbc57a79de3e2bb4f055bd6a5c4e106e0c599d554db189a2758
kernel-rt-debug-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 16ed7b965369e6b0bb3a185173c27627364210fce1a5d324771acfa44e52c8c2
kernel-rt-debug-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: d5c6d3d835cf278092a8884d9fa6232e3523acc1a47f6afa696f3b3e2862810d
kernel-rt-debug-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 3aba26ac6396d9208dbd0aa2d1d7294608cd4d6b6db315b25c3ed172457c2cbf
kernel-rt-debug-kvm-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 5b697f0198037465e68b4f23a3b4d39e7c0e70426310090b47b50f40c6289c21
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 5828352a65a863d507088b6a1ce7ab8e7cb4dc88568bcba1a72208ce4a1f003c
kernel-rt-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 561c665c20a4b388697a76e67a3015f34163ceada4d51b28f89c870c359f530d
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: a11d0be00fc15750a6df2454e2735ae036a9836bb45d27b06f60ae5cc18c3697
kernel-rt-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: b6f5ef4209329a3683bd371165eade8a509512508a4d8021cde84d10a9200455
kernel-rt-doc-3.10.0-1160.41.1.rt56.1181.el7.noarch.rpm SHA-256: f9278ebbc8d7fbf9cb507ffc789d821151e21686b8edf1f7a03cdc0cd48de63b
kernel-rt-kvm-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: db17341a7f008f59fa5c339e09053acad9cb703957bc5ff6551428ade7e4ea89
kernel-rt-kvm-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 703476fa1eda499818ca938cd0d6d1dbf8956e90b99fbb14efeb45c8f21f9cf8
kernel-rt-trace-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: c833a4a6b61ab27ec9aa2f5f35dd6c5bfdf452c20e1615a9edb1a3f6e7ad7b28
kernel-rt-trace-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 56b882bd0e9e9b9bbcb6dbbad5b8a0f6ce479527dc7daa433ee30b58860aeafc
kernel-rt-trace-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: a5b563d879b95f8b9b6a04331c0da6992c7a0552eec6cb1bba3dd0e5f14544e8
kernel-rt-trace-kvm-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: 1ee27a578313efb2093a276b38bf1c2f427bfcfa6168556f939f4859ce0268ca
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm SHA-256: d5f6d86d146d3544ef1584fce373029943e27f45657f2a53877fa578cde2fa9e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.