Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4304)

High Nessus Plugin ID 119638

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 6.7

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

Description of changes:

[4.14.35-1818.5.4.el7uek]
- RDS: NULL pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 28020694] {CVE-2018-5333}
- x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez) [Orabug: 28474853]
- x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez) [Orabug: 28474853]
- x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez) [Orabug: 28474853]
- KVM: x86: Expose CLDEMOTE CPU feature to guest VM (Jingqi Liu) [Orabug: 28938290]
- x86/cpufeatures: Enumerate cldemote instruction (Fenghua Yu) [Orabug: 28938290]
- libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset (Fred Herard) [Orabug: 28946206]
- wil6210: missing length check in wmi_set_ie (Lior David) [Orabug: 28951267] {CVE-2018-5848}
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) [Orabug: 28956546] {CVE-2018-7755} {CVE-2018-7755}

[4.14.35-1818.5.3.el7uek]
- hugetlbfs: use truncate mutex to prevent pmd sharing race (Mike Kravetz) [Orabug: 28896279]
- xfs: enhance dinode verifier (Eric Sandeen) [Orabug: 28943579] {CVE-2018-10322}
- xfs: move inode fork verifiers to xfs_dinode_verify (Darrick J. Wong) [Orabug: 28943579] {CVE-2018-10322}

[4.14.35-1818.5.2.el7uek]
- rds: crash at rds_ib_inc_copy_to_user+104 due to NULL ptr reference (Venkat Venkatsubra) [Orabug: 28748049]
- kdump/vmcore: support encrypted old memory with SME enabled (Lianbo Jiang) [Orabug: 28796835]
- amd_iommu: remap the device table of IOMMU with the memory encryption mask for kdump (Lianbo Jiang) [Orabug: 28796835]
- kexec: allocate unencrypted control pages for kdump in case SME is enabled (Lianbo Jiang) [Orabug: 28796835]
- x86/ioremap: add a function ioremap_encrypted() to remap kdump old memory (Lianbo Jiang) [Orabug: 28796835]
- net/rds: Fix endless RNR situation (Venkat Venkatsubra) [Orabug: 28857013]
- Btrfs: fix xattr loss after power failure (Filipe Manana) [Orabug: 28893942]
- xen/balloon: Support xend-based toolstack (Boris Ostrovsky) [Orabug: 28901032]
- Btrfs: fix file data corruption after cloning a range and fsync (Filipe Manana) [Orabug: 28905635]
- xen-blkfront: fix kernel panic with negotiate_mq error path (Manjunath Patil)
- cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929755] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710}
- sched/fair: Use a recently used CPU as an idle candidate and the basis for SIS (Mel Gorman) [Orabug: 28940633]
- sched/fair: Move select_task_rq_fair() slow-path into its own function (Brendan Jackman) [Orabug: 28940633]
- certs: Add Oracle's new X509 cert into .builtin_trusted_keys (Eric Snowberg) [Orabug: 28926200]
- net: Allow pernet_operations to be executed in parallel (Kirill Tkhai) [Orabug: 28924205]
- net: Move mutex_unlock() in cleanup_net() up (Kirill Tkhai) [Orabug: 28924205]
- locking/arch, x86: Add __down_read_killable() (Kirill Tkhai) [Orabug: 28924205]
- locking/x86: Use named operands in rwsem.h (Miguel Bernal Marin) [Orabug: 28924205]
- locking/rwsem: Add down_read_killable() (Kirill Tkhai) [Orabug: 28924205]
- net: Introduce net_sem for protection of pernet_list (Kirill Tkhai) [Orabug: 28924205]
- net: Assign net to net_namespace_list in setup_net() (Kirill Tkhai) [Orabug: 28924205]
- net: Cleanup in copy_net_ns() (Kirill Tkhai) [Orabug: 28924205]

[4.14.35-1818.5.1.el7uek]
- Revert 'aarch64: remove duplicate dtb in kernel rpm' (Jack Vogel)

[4.14.35-1818.5.0.el7uek]
- oracleasm: Implement support for QUERY HANDLE operation (Martin K. Petersen) [Orabug: 28887237]
- oracleasm: Honor ASM_IFLAG_FORMAT_NOCHECK flag (Martin K. Petersen) [Orabug: 28887237]
- bpf: 32-bit RSH verification must truncate input before the ALU op (Jann Horn) [Orabug: 28861785] {CVE-2018-18445}
- aarch64: remove duplicate dtb in kernel rpm (Eric Saint-Etienne) [Orabug: 28672035]
- scsi: lpfc: Correct MDS diag and nvmet configuration (James Smart) [Orabug: 28432993]
- uek-rpm: Run 'make olddefconfig' to get latest x86 config values (Victor Erminpour) [Orabug: 28845157]
- hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:447! (Mike Kravetz) [Orabug: 28886647]
- ext4: update i_disksize if direct write past ondisk size (Eryu Guan) [Orabug: 28869428]
- ext4: protect i_disksize update by i_data_sem in direct write path (Eryu Guan) [Orabug: 28869428]
- config: disable xfs online scrub in uek5 (Darrick J. Wong) [Orabug: 28890254]
- scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko) [Orabug: 28884433] {CVE-2018-1000204}
- random: fix crng_ready() test (Theodore Ts'o) [Orabug: 28863713] {CVE-2018-1108} {CVE-2018-1108}
- proc: do not access cmdline nor environ from file-backed areas (Willy Tarreau) [Orabug: 28863722] {CVE-2018-1120} {CVE-2018-1120}
- vhost: correctly check the iova range when waking virtqueue (Jason Wang) [Orabug: 28892623] {CVE-2018-1118}
- xfs: don't call xfs_da_shrink_inode with NULL bp (Eric Sandeen) [Orabug: 28893785] {CVE-2018-13094}
- ALSA: rawmidi: Change resized buffers atomically (Takashi Iwai) [Orabug: 28893798] {CVE-2018-10902}
- mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings (Andrea Arcangeli) [Orabug: 28899818]

Solution

Update the affected unbreakable enterprise kernel packages.

See Also

https://oss.oracle.com/pipermail/el-errata/2018-December/008330.html

Plugin Details

Severity: High

ID: 119638

File Name: oraclelinux_ELSA-2018-4304.nasl

Version: 1.10

Type: local

Agent: unix

Published: 2018/12/13

Updated: 2020/04/28

Dependencies: 12634, 122878

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.2

Temporal Score: 6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-tools, cpe:/o:oracle:linux:7

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/12/12

Vulnerability Publication Date: 2018/01/11

Exploitable With

Metasploit (Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation)

Reference Information

CVE: CVE-2018-1000204, CVE-2018-10322, CVE-2018-10902, CVE-2018-10940, CVE-2018-1108, CVE-2018-1118, CVE-2018-1120, CVE-2018-13094, CVE-2018-16658, CVE-2018-18445, CVE-2018-18710, CVE-2018-5333, CVE-2018-5848, CVE-2018-7755