Red Hat Product Errata RHSA-2023:5621 - Security Advisory
Issued:
2023-10-10
Updated:
2023-10-10

RHSA-2023:5621 - Security Advisory

Synopsis

Important: kernel-rt security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

  • kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)
  • kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation (CVE-2023-32233)
  • kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • kernel-rt: update to the latest RHEL7.9.z26 source tree (BZ#2232239)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux for Real Time 7 x86_64
  • Red Hat Enterprise Linux for Real Time for NFV 7 x86_64

Fixes

  • BZ - 2196105 - CVE-2023-32233 kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation
  • BZ - 2220892 - CVE-2023-35001 kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval()
  • BZ - 2225201 - CVE-2023-3609 kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails

Red Hat Enterprise Linux for Real Time 7

SRPM
kernel-rt-3.10.0-1160.102.1.rt56.1250.el7.src.rpm SHA-256: 59990745c85e5455f3311ec0a69c4e084ba99e60967ad27c7f752da352065d34
x86_64
kernel-rt-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 5c195c652a64d22d4f8d2bcc4f4f8824b27f0ca7264d51b785b93f07eb40b29b
kernel-rt-debug-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 913693db520a9f4685d74067ef06c6f1e959db6e8bc5994d9dc26c40a69cd2c5
kernel-rt-debug-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 3a06b5c6b8f036325884f753fd2e2ee7114550193e64026ee8c30cddc751857e
kernel-rt-debug-devel-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: ea81256f08ff055a40c2369b727ff61dbe4b3c2414a8afdc5f2f897bcc45fc4b
kernel-rt-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 493131583e8e8fe499a88a426ab2c91e33ef0c0542407c4e7d1b65ae23166992
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 956fb3527d2102af60dd70cd2718f9779ac8bf0975f13ca6fdf12c325c9ed524
kernel-rt-devel-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 09a5c995290d6f5ec8233a92ba44ec0b78b255ec4c77c00705a30d6e63eb6a1c
kernel-rt-doc-3.10.0-1160.102.1.rt56.1250.el7.noarch.rpm SHA-256: c1bb641db6fe86f9aae791b9453919b705fa88e5b03a92b6cd430e3cdb618930
kernel-rt-trace-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 27676e4272b6c04467b50ab31eb7e2bd70e015012a6c6f4a75d53fee5a437142
kernel-rt-trace-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: ee8892cc0ed77c2faa65263545b84009104d4d42a68025bbca87b6cf76f4d696
kernel-rt-trace-devel-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 512ba249b7c3b73c89b3c735c9ffe57d610982a4526da03370b59e1e5943804c

Red Hat Enterprise Linux for Real Time for NFV 7

SRPM
kernel-rt-3.10.0-1160.102.1.rt56.1250.el7.src.rpm SHA-256: 59990745c85e5455f3311ec0a69c4e084ba99e60967ad27c7f752da352065d34
x86_64
kernel-rt-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 5c195c652a64d22d4f8d2bcc4f4f8824b27f0ca7264d51b785b93f07eb40b29b
kernel-rt-debug-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 913693db520a9f4685d74067ef06c6f1e959db6e8bc5994d9dc26c40a69cd2c5
kernel-rt-debug-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 3a06b5c6b8f036325884f753fd2e2ee7114550193e64026ee8c30cddc751857e
kernel-rt-debug-devel-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: ea81256f08ff055a40c2369b727ff61dbe4b3c2414a8afdc5f2f897bcc45fc4b
kernel-rt-debug-kvm-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: ec5d4e73dff82bd206baa9717075931b5244809ba7f44140f2b34f297e5b26d4
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: fba5f0895d45ca81040f4e1258b5e492ed19169d19451460b1449b26ec8c13b8
kernel-rt-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 493131583e8e8fe499a88a426ab2c91e33ef0c0542407c4e7d1b65ae23166992
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 956fb3527d2102af60dd70cd2718f9779ac8bf0975f13ca6fdf12c325c9ed524
kernel-rt-devel-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 09a5c995290d6f5ec8233a92ba44ec0b78b255ec4c77c00705a30d6e63eb6a1c
kernel-rt-doc-3.10.0-1160.102.1.rt56.1250.el7.noarch.rpm SHA-256: c1bb641db6fe86f9aae791b9453919b705fa88e5b03a92b6cd430e3cdb618930
kernel-rt-kvm-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 4b3b383c8a63f5ad7fdec5ac1c505556764b28a50eea1287447c4b7a33051a46
kernel-rt-kvm-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: ad7c44773e414e2bbfffac0f121a6ecb63dcf97e16c47a2bdc17445d6940a50d
kernel-rt-trace-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 27676e4272b6c04467b50ab31eb7e2bd70e015012a6c6f4a75d53fee5a437142
kernel-rt-trace-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: ee8892cc0ed77c2faa65263545b84009104d4d42a68025bbca87b6cf76f4d696
kernel-rt-trace-devel-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 512ba249b7c3b73c89b3c735c9ffe57d610982a4526da03370b59e1e5943804c
kernel-rt-trace-kvm-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 7091123d4fd0931cbdc4a7e9c6e90edd87ad980be77c22be93b158639b3443fa
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.102.1.rt56.1250.el7.x86_64.rpm SHA-256: 9da6c69d821ce08352016c69f3f9ac816404111cab79b69c39897890ad9d7f4a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.