Red Hat Product Errata RHSA-2024:1306 - Security Advisory
Issued:
2024-03-13
Updated:
2024-03-13

RHSA-2024:1306 - Security Advisory

Synopsis

Important: kernel-rt security and bug fix update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

'Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

  • memcg does not limit the number of POSIX file locks allowing memory exhaustion (CVE-2022-0480)
  • vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)
  • use-after-free in smb2_is_status_io_timeout() (CVE-2023-1192)
  • nfp: use-after-free in area_cache_get() (CVE-2022-3545)
  • NULL pointer dereference in can_rcv_filter (CVE-2023-2166)
  • Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)
  • UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)
  • out-of-bounds access in relay_file_read (CVE-2023-3268)
  • vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (CVE-2023-4459)
  • Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982,Downfall)
  • net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)
  • fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)
  • Race Condition leading to UAF in Unix Socket could happen in sk_receive_queue ()
  • use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)
  • use after free in unix_stream_sendpage (CVE-2023-4622)
  • bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (CVE-2023-2163)
  • A heap out-of-bounds write when function perf_read_group is called and sibling_list is smaller than its child's sibling_list (CVE-2023-5717)
  • ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)
  • use-after-free in IPv4 IGMP (CVE-2023-6932)
  • GSM multiplexing race condition leads to privilege escalation (CVE-2023-6546,ZDI-CAN-20527)
  • refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)

Bug Fix(es):

  • fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (JIRA:RHEL-1107)
  • out-of-bounds access in relay_file_read (JIRA:RHEL-1749)
  • vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (JIRA:RHEL-18085)
  • NULL pointer dereference in can_rcv_filter (JIRA:RHEL-19524)
  • update RT source tree to the latest RHEL-9.0.z Batch 15 (JIRA:RHEL-21555)
  • Gather Data Sampling (GDS) side channel vulnerability (JIRA:RHEL-9285)
  • A heap out-of-bounds write (JIRA:RHEL-18011)
  • Slab-out-of-bound read in compare_netdev_and_ip (JIRA:RHEL-19398)
  • A flaw leading to a use-after-free in area_cache_get() (JIRA:RHEL-19534)
  • Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (JIRA:RHEL-8980)
  • various flaws (JIRA:RHEL-16150)
  • refcount leak in ctnetlink_create_conntrack() (JIRA:RHEL-20311)
  • use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (JIRA:RHEL-20502)
  • ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (JIRA:RHEL-22095)
  • use-after-free in smb2_is_status_io_timeout() (JIRA:RHEL-15171)
  • use-after-free in IPv4 IGMP (JIRA:RHEL-21658)
  • memcg does not limit the number of POSIX file locks allowing memory exhaustion (JIRA:RHEL-8996)
  • GSM multiplexing race condition leads to privilege escalation (JIRA:RHEL-19968)
  • NULL pointer dereference in vmw_cmd_dx_define_query (JIRA:RHEL-22751)
  • kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier

(JIRA:RHEL-26381)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.0 x86_64
  • Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.0 x86_64

Fixes

  • BZ - 2049700 - CVE-2022-0480 kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion
  • BZ - 2133452 - CVE-2022-38096 kernel: vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query
  • BZ - 2154178 - CVE-2023-1192 kernel: use-after-free in smb2_is_status_io_timeout()
  • BZ - 2161310 - CVE-2022-3545 kernel: nfp: use-after-free in area_cache_get()
  • BZ - 2187813 - CVE-2023-2166 kernel: NULL pointer dereference in can_rcv_filter
  • BZ - 2187931 - CVE-2023-2176 kernel: Slab-out-of-bound read in compare_netdev_and_ip
  • BZ - 2213260 - CVE-2023-3390 kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests
  • BZ - 2215502 - CVE-2023-3268 kernel: out-of-bounds access in relay_file_read
  • BZ - 2219268 - CVE-2023-4459 kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup()
  • BZ - 2223949 - CVE-2022-40982 hw: Intel: Gather Data Sampling (GDS) side channel vulnerability
  • BZ - 2225201 - CVE-2023-3609 kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails
  • BZ - 2230042 - CVE-2023-38409 kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment
  • BZ - 2230094 - kernel: Race Condition leading to UAF in Unix Socket could happen in sk_receive_queue
  • BZ - 2231800 - CVE-2023-40283 kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c
  • BZ - 2237760 - CVE-2023-4622 kernel: use after free in unix_stream_sendpage
  • BZ - 2240249 - CVE-2023-2163 kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe
  • BZ - 2246945 - CVE-2023-5717 kernel: A heap out-of-bounds write when function perf_read_group is called and sibling_list is smaller than its child's sibling_list
  • BZ - 2253908 - CVE-2024-0646 kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination
  • BZ - 2255283 - CVE-2023-6932 kernel: use-after-free in IPv4 IGMP
  • BZ - 2255498 - CVE-2023-6546 kernel: GSM multiplexing race condition leads to privilege escalation
  • BZ - 2256279 - CVE-2023-7192 kernel: refcount leak in ctnetlink_create_conntrack()
  • BZ - 2267695 - CVE-2024-26602 kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier

Red Hat Enterprise Linux for Real Time for x86_64 - 4 years of updates 9.0

SRPM
kernel-rt-5.14.0-70.93.1.rt21.165.el9_0.src.rpm SHA-256: ab757fe7efb1de532e2875cbda80c239072cab3a66ba40ace86684676dca63a2
x86_64
kernel-rt-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 0bf7b260634677ff392e76ab13b344e303020536b8a285c2c78c21ad84c2d34b
kernel-rt-core-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 3ba5fd9d977da6404279b8b16236b7126667c9dd98101d8b7445c8c3c689e5f2
kernel-rt-debug-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: f98bc9f8ddff748d6fe26f07e582a44c76f3b725587a11492796b907b3d954ca
kernel-rt-debug-core-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 0aec2474ff4ebe8bdf0ab08e76ec787f37ddf7d0d1920005ec5383655d4d48f5
kernel-rt-debug-debuginfo-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 96bbe17a3faad3c94587bf12e08b38d0d0c3a17870710f2f6718092ac281ea5c
kernel-rt-debug-devel-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 220e6e605cd9710d5c5d4c54b74b93807a628d2e39977fba5d2365922f448333
kernel-rt-debug-modules-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 186e19378014a3f482151576c8fa040db0af2671d5f1bdfc553f38baf5bc94b6
kernel-rt-debug-modules-extra-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: b2a8ba4191e6da5a4416e488cefe5589101128ad48f18bc7ffb929e0820b24a4
kernel-rt-debuginfo-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: a684b3497db95332b2e7c638f7fd7e95a6b86bec34b5d289166a056b3deca2b7
kernel-rt-debuginfo-common-x86_64-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: a7435bab9ec320bb81e01a21a29306e235806c20b29968105b876b81274aa590
kernel-rt-devel-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 24116b5f013d0a539347ad5de347e2ec0acf2697b84c7b21c72af85d460711aa
kernel-rt-modules-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 62142f51b545febbda8551b90c8f6ccc5f1d91759d129a9e65285c07603a00a3
kernel-rt-modules-extra-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 88b0de0dd63441f7965fafba21b99a201607690e48ff66dbb505704ba461699b

Red Hat Enterprise Linux for Real Time for NFV for x86_64 - 4 years of updates 9.0

SRPM
kernel-rt-5.14.0-70.93.1.rt21.165.el9_0.src.rpm SHA-256: ab757fe7efb1de532e2875cbda80c239072cab3a66ba40ace86684676dca63a2
x86_64
kernel-rt-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 0bf7b260634677ff392e76ab13b344e303020536b8a285c2c78c21ad84c2d34b
kernel-rt-core-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 3ba5fd9d977da6404279b8b16236b7126667c9dd98101d8b7445c8c3c689e5f2
kernel-rt-debug-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: f98bc9f8ddff748d6fe26f07e582a44c76f3b725587a11492796b907b3d954ca
kernel-rt-debug-core-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 0aec2474ff4ebe8bdf0ab08e76ec787f37ddf7d0d1920005ec5383655d4d48f5
kernel-rt-debug-debuginfo-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 96bbe17a3faad3c94587bf12e08b38d0d0c3a17870710f2f6718092ac281ea5c
kernel-rt-debug-devel-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 220e6e605cd9710d5c5d4c54b74b93807a628d2e39977fba5d2365922f448333
kernel-rt-debug-kvm-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: a512118b435ea934c05792a382b2b1643b491cf67c3f564d8e99938a17de52af
kernel-rt-debug-modules-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 186e19378014a3f482151576c8fa040db0af2671d5f1bdfc553f38baf5bc94b6
kernel-rt-debug-modules-extra-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: b2a8ba4191e6da5a4416e488cefe5589101128ad48f18bc7ffb929e0820b24a4
kernel-rt-debuginfo-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: a684b3497db95332b2e7c638f7fd7e95a6b86bec34b5d289166a056b3deca2b7
kernel-rt-debuginfo-common-x86_64-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: a7435bab9ec320bb81e01a21a29306e235806c20b29968105b876b81274aa590
kernel-rt-devel-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 24116b5f013d0a539347ad5de347e2ec0acf2697b84c7b21c72af85d460711aa
kernel-rt-kvm-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: a0118e2cbb1cf5ef109d64a7ac96d2b4b4171597a3534ccfb26b0e3ca3aafe35
kernel-rt-modules-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 62142f51b545febbda8551b90c8f6ccc5f1d91759d129a9e65285c07603a00a3
kernel-rt-modules-extra-5.14.0-70.93.1.rt21.165.el9_0.x86_64.rpm SHA-256: 88b0de0dd63441f7965fafba21b99a201607690e48ff66dbb505704ba461699b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.