- Issued:
- 2021-08-31
- Updated:
- 2021-08-31
RHSA-2021:3328 - Security Advisory
Synopsis
Important: kernel-rt security and bug fix update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for kernel-rt is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
- kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c (CVE-2021-22555)
- kernel: race condition for removal of the HCI controller (CVE-2021-32399)
- kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation (CVE-2021-29154)
- kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS (CVE-2021-29650)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- kernel-rt: update to the latest RHEL7.9.z8 source tree (BZ#1982927)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
Affected Products
- Red Hat Enterprise Linux for Real Time 7 x86_64
- Red Hat Enterprise Linux for Real Time for NFV 7 x86_64
Fixes
- BZ - 1945388 - CVE-2021-29650 kernel: lack a full memory barrier upon the assignment of a new table value in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h may lead to DoS
- BZ - 1946684 - CVE-2021-29154 kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation
- BZ - 1970807 - CVE-2021-32399 kernel: race condition for removal of the HCI controller
- BZ - 1980101 - CVE-2021-22555 kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c
Red Hat Enterprise Linux for Real Time 7
SRPM | |
---|---|
kernel-rt-3.10.0-1160.41.1.rt56.1181.el7.src.rpm | SHA-256: 17e2a541f440a5014f1df977729016e403603fff1357dce1167422044cff2bca |
x86_64 | |
kernel-rt-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 9ddaa79ed56defbc57a79de3e2bb4f055bd6a5c4e106e0c599d554db189a2758 |
kernel-rt-debug-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 16ed7b965369e6b0bb3a185173c27627364210fce1a5d324771acfa44e52c8c2 |
kernel-rt-debug-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: d5c6d3d835cf278092a8884d9fa6232e3523acc1a47f6afa696f3b3e2862810d |
kernel-rt-debug-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 3aba26ac6396d9208dbd0aa2d1d7294608cd4d6b6db315b25c3ed172457c2cbf |
kernel-rt-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 561c665c20a4b388697a76e67a3015f34163ceada4d51b28f89c870c359f530d |
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: a11d0be00fc15750a6df2454e2735ae036a9836bb45d27b06f60ae5cc18c3697 |
kernel-rt-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: b6f5ef4209329a3683bd371165eade8a509512508a4d8021cde84d10a9200455 |
kernel-rt-doc-3.10.0-1160.41.1.rt56.1181.el7.noarch.rpm | SHA-256: f9278ebbc8d7fbf9cb507ffc789d821151e21686b8edf1f7a03cdc0cd48de63b |
kernel-rt-trace-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: c833a4a6b61ab27ec9aa2f5f35dd6c5bfdf452c20e1615a9edb1a3f6e7ad7b28 |
kernel-rt-trace-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 56b882bd0e9e9b9bbcb6dbbad5b8a0f6ce479527dc7daa433ee30b58860aeafc |
kernel-rt-trace-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: a5b563d879b95f8b9b6a04331c0da6992c7a0552eec6cb1bba3dd0e5f14544e8 |
Red Hat Enterprise Linux for Real Time for NFV 7
SRPM | |
---|---|
kernel-rt-3.10.0-1160.41.1.rt56.1181.el7.src.rpm | SHA-256: 17e2a541f440a5014f1df977729016e403603fff1357dce1167422044cff2bca |
x86_64 | |
kernel-rt-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 9ddaa79ed56defbc57a79de3e2bb4f055bd6a5c4e106e0c599d554db189a2758 |
kernel-rt-debug-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 16ed7b965369e6b0bb3a185173c27627364210fce1a5d324771acfa44e52c8c2 |
kernel-rt-debug-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: d5c6d3d835cf278092a8884d9fa6232e3523acc1a47f6afa696f3b3e2862810d |
kernel-rt-debug-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 3aba26ac6396d9208dbd0aa2d1d7294608cd4d6b6db315b25c3ed172457c2cbf |
kernel-rt-debug-kvm-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 5b697f0198037465e68b4f23a3b4d39e7c0e70426310090b47b50f40c6289c21 |
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 5828352a65a863d507088b6a1ce7ab8e7cb4dc88568bcba1a72208ce4a1f003c |
kernel-rt-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 561c665c20a4b388697a76e67a3015f34163ceada4d51b28f89c870c359f530d |
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: a11d0be00fc15750a6df2454e2735ae036a9836bb45d27b06f60ae5cc18c3697 |
kernel-rt-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: b6f5ef4209329a3683bd371165eade8a509512508a4d8021cde84d10a9200455 |
kernel-rt-doc-3.10.0-1160.41.1.rt56.1181.el7.noarch.rpm | SHA-256: f9278ebbc8d7fbf9cb507ffc789d821151e21686b8edf1f7a03cdc0cd48de63b |
kernel-rt-kvm-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: db17341a7f008f59fa5c339e09053acad9cb703957bc5ff6551428ade7e4ea89 |
kernel-rt-kvm-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 703476fa1eda499818ca938cd0d6d1dbf8956e90b99fbb14efeb45c8f21f9cf8 |
kernel-rt-trace-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: c833a4a6b61ab27ec9aa2f5f35dd6c5bfdf452c20e1615a9edb1a3f6e7ad7b28 |
kernel-rt-trace-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 56b882bd0e9e9b9bbcb6dbbad5b8a0f6ce479527dc7daa433ee30b58860aeafc |
kernel-rt-trace-devel-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: a5b563d879b95f8b9b6a04331c0da6992c7a0552eec6cb1bba3dd0e5f14544e8 |
kernel-rt-trace-kvm-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: 1ee27a578313efb2093a276b38bf1c2f427bfcfa6168556f939f4859ce0268ca |
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.41.1.rt56.1181.el7.x86_64.rpm | SHA-256: d5f6d86d146d3544ef1584fce373029943e27f45657f2a53877fa578cde2fa9e |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.