- Issued:
- 2024-03-13
- Updated:
- 2024-03-13
RHSA-2024:1306 - Security Advisory
Synopsis
Important: kernel-rt security and bug fix update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
'Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
- memcg does not limit the number of POSIX file locks allowing memory exhaustion (CVE-2022-0480)
- vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)
- use-after-free in smb2_is_status_io_timeout() (CVE-2023-1192)
- nfp: use-after-free in area_cache_get() (CVE-2022-3545)
- NULL pointer dereference in can_rcv_filter (CVE-2023-2166)
- Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)
- UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)
- out-of-bounds access in relay_file_read (CVE-2023-3268)
- vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (CVE-2023-4459)
- Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982,Downfall)
- net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)
- fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)
- Race Condition leading to UAF in Unix Socket could happen in sk_receive_queue ()
- use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)
- use after free in unix_stream_sendpage (CVE-2023-4622)
- bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (CVE-2023-2163)
- A heap out-of-bounds write when function perf_read_group is called and sibling_list is smaller than its child's sibling_list (CVE-2023-5717)
- ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)
- use-after-free in IPv4 IGMP (CVE-2023-6932)
- GSM multiplexing race condition leads to privilege escalation (CVE-2023-6546,ZDI-CAN-20527)
- refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)
Bug Fix(es):
- fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (JIRA:RHEL-1107)
- out-of-bounds access in relay_file_read (JIRA:RHEL-1749)
- vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (JIRA:RHEL-18085)
- NULL pointer dereference in can_rcv_filter (JIRA:RHEL-19524)
- update RT source tree to the latest RHEL-9.0.z Batch 15 (JIRA:RHEL-21555)
- Gather Data Sampling (GDS) side channel vulnerability (JIRA:RHEL-9285)
- A heap out-of-bounds write (JIRA:RHEL-18011)
- Slab-out-of-bound read in compare_netdev_and_ip (JIRA:RHEL-19398)
- A flaw leading to a use-after-free in area_cache_get() (JIRA:RHEL-19534)
- Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (JIRA:RHEL-8980)
- various flaws (JIRA:RHEL-16150)
- refcount leak in ctnetlink_create_conntrack() (JIRA:RHEL-20311)
- use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (JIRA:RHEL-20502)
- ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (JIRA:RHEL-22095)
- use-after-free in smb2_is_status_io_timeout() (JIRA:RHEL-15171)
- use-after-free in IPv4 IGMP (JIRA:RHEL-21658)
- memcg does not limit the number of POSIX file locks allowing memory exhaustion (JIRA:RHEL-8996)
- GSM multiplexing race condition leads to privilege escalation (JIRA:RHEL-19968)
- NULL pointer dereference in vmw_cmd_dx_define_query (JIRA:RHEL-22751)
- kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier
(JIRA:RHEL-26381)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
Affected Products
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
Fixes
- BZ - 2049700 - CVE-2022-0480 kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion
- BZ - 2133452 - CVE-2022-38096 kernel: vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query
- BZ - 2154178 - CVE-2023-1192 kernel: use-after-free in smb2_is_status_io_timeout()
- BZ - 2161310 - CVE-2022-3545 kernel: nfp: use-after-free in area_cache_get()
- BZ - 2187813 - CVE-2023-2166 kernel: NULL pointer dereference in can_rcv_filter
- BZ - 2187931 - CVE-2023-2176 kernel: Slab-out-of-bound read in compare_netdev_and_ip
- BZ - 2213260 - CVE-2023-3390 kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests
- BZ - 2215502 - CVE-2023-3268 kernel: out-of-bounds access in relay_file_read
- BZ - 2219268 - CVE-2023-4459 kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup()
- BZ - 2223949 - CVE-2022-40982 hw: Intel: Gather Data Sampling (GDS) side channel vulnerability
- BZ - 2225201 - CVE-2023-3609 kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails
- BZ - 2230042 - CVE-2023-38409 kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment
- BZ - 2230094 - kernel: Race Condition leading to UAF in Unix Socket could happen in sk_receive_queue
- BZ - 2231800 - CVE-2023-40283 kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c
- BZ - 2237760 - CVE-2023-4622 kernel: use after free in unix_stream_sendpage
- BZ - 2240249 - CVE-2023-2163 kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe
- BZ - 2246945 - CVE-2023-5717 kernel: A heap out-of-bounds write when function perf_read_group is called and sibling_list is smaller than its child's sibling_list
- BZ - 2253908 - CVE-2024-0646 kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination
- BZ - 2255283 - CVE-2023-6932 kernel: use-after-free in IPv4 IGMP
- BZ - 2255498 - CVE-2023-6546 kernel: GSM multiplexing race condition leads to privilege escalation
- BZ - 2256279 - CVE-2023-7192 kernel: refcount leak in ctnetlink_create_conntrack()
- BZ - 2267695 - CVE-2024-26602 kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier
CVEs
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0
| SRPM | |
|---|---|
| kernel-rt-5.14.0-70.93.1.rt21.165.el9_0.src.rpm | SHA-256: ab757fe7efb1de532e2875cbda80c239072cab3a66ba40ace86684676dca63a2 |
| x86_64 | |
| kernel-rt-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 0bf7b260634677ff392e76ab13b344e303020536b8a285c2c78c21ad84c2d34b |
| kernel-rt-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 0bf7b260634677ff392e76ab13b344e303020536b8a285c2c78c21ad84c2d34b |
| kernel-rt-core-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 3ba5fd9d977da6404279b8b16236b7126667c9dd98101d8b7445c8c3c689e5f2 |
| kernel-rt-core-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 3ba5fd9d977da6404279b8b16236b7126667c9dd98101d8b7445c8c3c689e5f2 |
| kernel-rt-debug-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: f98bc9f8ddff748d6fe26f07e582a44c76f3b725587a11492796b907b3d954ca |
| kernel-rt-debug-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: f98bc9f8ddff748d6fe26f07e582a44c76f3b725587a11492796b907b3d954ca |
| kernel-rt-debug-core-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 0aec2474ff4ebe8bdf0ab08e76ec787f37ddf7d0d1920005ec5383655d4d48f5 |
| kernel-rt-debug-core-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 0aec2474ff4ebe8bdf0ab08e76ec787f37ddf7d0d1920005ec5383655d4d48f5 |
| kernel-rt-debug-debuginfo-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 96bbe17a3faad3c94587bf12e08b38d0d0c3a17870710f2f6718092ac281ea5c |
| kernel-rt-debug-debuginfo-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 96bbe17a3faad3c94587bf12e08b38d0d0c3a17870710f2f6718092ac281ea5c |
| kernel-rt-debug-devel-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 220e6e605cd9710d5c5d4c54b74b93807a628d2e39977fba5d2365922f448333 |
| kernel-rt-debug-devel-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 220e6e605cd9710d5c5d4c54b74b93807a628d2e39977fba5d2365922f448333 |
| kernel-rt-debug-kvm-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: a512118b435ea934c05792a382b2b1643b491cf67c3f564d8e99938a17de52af |
| kernel-rt-debug-modules-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 186e19378014a3f482151576c8fa040db0af2671d5f1bdfc553f38baf5bc94b6 |
| kernel-rt-debug-modules-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 186e19378014a3f482151576c8fa040db0af2671d5f1bdfc553f38baf5bc94b6 |
| kernel-rt-debug-modules-extra-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: b2a8ba4191e6da5a4416e488cefe5589101128ad48f18bc7ffb929e0820b24a4 |
| kernel-rt-debug-modules-extra-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: b2a8ba4191e6da5a4416e488cefe5589101128ad48f18bc7ffb929e0820b24a4 |
| kernel-rt-debuginfo-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: a684b3497db95332b2e7c638f7fd7e95a6b86bec34b5d289166a056b3deca2b7 |
| kernel-rt-debuginfo-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: a684b3497db95332b2e7c638f7fd7e95a6b86bec34b5d289166a056b3deca2b7 |
| kernel-rt-debuginfo-common-x86_64-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: a7435bab9ec320bb81e01a21a29306e235806c20b29968105b876b81274aa590 |
| kernel-rt-debuginfo-common-x86_64-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: a7435bab9ec320bb81e01a21a29306e235806c20b29968105b876b81274aa590 |
| kernel-rt-devel-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 24116b5f013d0a539347ad5de347e2ec0acf2697b84c7b21c72af85d460711aa |
| kernel-rt-devel-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 24116b5f013d0a539347ad5de347e2ec0acf2697b84c7b21c72af85d460711aa |
| kernel-rt-kvm-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: a0118e2cbb1cf5ef109d64a7ac96d2b4b4171597a3534ccfb26b0e3ca3aafe35 |
| kernel-rt-modules-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 62142f51b545febbda8551b90c8f6ccc5f1d91759d129a9e65285c07603a00a3 |
| kernel-rt-modules-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 62142f51b545febbda8551b90c8f6ccc5f1d91759d129a9e65285c07603a00a3 |
| kernel-rt-modules-extra-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 88b0de0dd63441f7965fafba21b99a201607690e48ff66dbb505704ba461699b |
| kernel-rt-modules-extra-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm | SHA-256: 88b0de0dd63441f7965fafba21b99a201607690e48ff66dbb505704ba461699b |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
