RedHat: RHSA-2022-1988:01 Important: kernel security, bug fix,
Summary
The kernel packages contain the Linux kernel, the core of any Linux
operating system.
Security Fix(es):
* kernel: fget: check that the fd still exists after getting a ref to it
(CVE-2021-4083)
* kernel: avoid cyclic entity chains due to malformed USB descriptors(CVE-2020-0404)
* kernel: speculation on incompletely validated data on IBM Power9
(CVE-2020-4788)
* kernel: integer overflow in k_ascii() in drivers/tty/vt/keyboard.c
(CVE-2020-13974)
* kernel: out-of-bounds read in bpf_skb_change_head() of filter.c due to a
use-after-free (CVE-2021-0941)
* kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
(CVE-2021-3612)
* kernel: reading /proc/sysvipc/shm does not scale with large shared memory
segment counts (CVE-2021-3669)
* kernel: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
(CVE-2021-3743)
* kernel: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
(CVE-2021-3744)
* kernel: possible use-after-free in bluetooth module (CVE-2021-3752)
* kernel: unaccounted ipc objects in Linux kernel lead to breaking memcg
limits and DoS attacks (CVE-2021-3759)
* kernel: DoS in ccp_run_aes_gcm_cmd() function (CVE-2021-3764)
* kernel: sctp: Invalid chunks may be used to remotely remove existing
associations (CVE-2021-3772)
* kernel: lack of port sanity checking in natd and netfilter leads to
exploit of OpenVPN clients (CVE-2021-3773)
* kernel: possible leak or coruption of data residing on hugetlbfs
(CVE-2021-4002)
* kernel: security regression for CVE-2018-13405 (CVE-2021-4037)
* kernel: Buffer overwrite in decode_nfs_fh function (CVE-2021-4157)
* kernel: cgroup: Use open-time creds and namespace for migration perm
checks (CVE-2021-4197)
* kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses
(CVE-2021-4203)
* kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed
packets replies (CVE-2021-20322)
* kernel: arm: SIGPAGE information disclosure vulnerability
(CVE-2021-21781)
* hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715 (CVE-2021-26401)
* kernel: Local privilege escalation due to incorrect BPF JIT branch
displacement computation (CVE-2021-29154)
* kernel: use-after-free in hso_free_net_device() in drivers/net/usb/hso.c
(CVE-2021-37159)
* kernel: eBPF multiplication integer overflow in
prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to
out-of-bounds write (CVE-2021-41864)
* kernel: Heap buffer overflow in firedtv driver (CVE-2021-42739)
* kernel: ppc: kvm: allows a malicious KVM guest to crash the host
(CVE-2021-43056)
* kernel: an array-index-out-bounds in detach_capi_ctr in
drivers/isdn/capi/kcapi.c (CVE-2021-43389)
* kernel: mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c
allows an attacker to cause DoS via crafted USB device (CVE-2021-43976)
* kernel: use-after-free in the TEE subsystem (CVE-2021-44733)
* kernel: information leak in the IPv6 implementation (CVE-2021-45485)
* kernel: information leak in the IPv4 implementation (CVE-2021-45486)
* hw: cpu: intel: Branch History Injection (BHI) (CVE-2022-0001)
* hw: cpu: intel: Intra-Mode BTI (CVE-2022-0002)
* kernel: Local denial of service in bond_ipsec_add_sa (CVE-2022-0286)
* kernel: DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c
(CVE-2022-0322)
* kernel: FUSE allows UAF reads of write() buffers, allowing theft of
(partial) /etc/shadow hashes (CVE-2022-1011)
* kernel: use-after-free in nouveau kernel module (CVE-2020-27820)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.6 Release Notes linked from the References section.
Summary
Solution
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
References
https://access.redhat.com/security/cve/CVE-2020-0404 https://access.redhat.com/security/cve/CVE-2020-4788 https://access.redhat.com/security/cve/CVE-2020-13974 https://access.redhat.com/security/cve/CVE-2020-27820 https://access.redhat.com/security/cve/CVE-2021-0941 https://access.redhat.com/security/cve/CVE-2021-3612 https://access.redhat.com/security/cve/CVE-2021-3669 https://access.redhat.com/security/cve/CVE-2021-3743 https://access.redhat.com/security/cve/CVE-2021-3744 https://access.redhat.com/security/cve/CVE-2021-3752 https://access.redhat.com/security/cve/CVE-2021-3759 https://access.redhat.com/security/cve/CVE-2021-3764 https://access.redhat.com/security/cve/CVE-2021-3772 https://access.redhat.com/security/cve/CVE-2021-3773 https://access.redhat.com/security/cve/CVE-2021-4002 https://access.redhat.com/security/cve/CVE-2021-4037 https://access.redhat.com/security/cve/CVE-2021-4083 https://access.redhat.com/security/cve/CVE-2021-4157 https://access.redhat.com/security/cve/CVE-2021-4197 https://access.redhat.com/security/cve/CVE-2021-4203 https://access.redhat.com/security/cve/CVE-2021-20322 https://access.redhat.com/security/cve/CVE-2021-21781 https://access.redhat.com/security/cve/CVE-2021-26401 https://access.redhat.com/security/cve/CVE-2021-29154 https://access.redhat.com/security/cve/CVE-2021-37159 https://access.redhat.com/security/cve/CVE-2021-41864 https://access.redhat.com/security/cve/CVE-2021-42739 https://access.redhat.com/security/cve/CVE-2021-43056 https://access.redhat.com/security/cve/CVE-2021-43389 https://access.redhat.com/security/cve/CVE-2021-43976 https://access.redhat.com/security/cve/CVE-2021-44733 https://access.redhat.com/security/cve/CVE-2021-45485 https://access.redhat.com/security/cve/CVE-2021-45486 https://access.redhat.com/security/cve/CVE-2022-0001 https://access.redhat.com/security/cve/CVE-2022-0002 https://access.redhat.com/security/cve/CVE-2022-0286 https://access.redhat.com/security/cve/CVE-2022-0322 https://access.redhat.com/security/cve/CVE-2022-1011 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/
Package List
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
kernel-4.18.0-372.9.1.el8.src.rpm
aarch64:
bpftool-4.18.0-372.9.1.el8.aarch64.rpm
bpftool-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
kernel-4.18.0-372.9.1.el8.aarch64.rpm
kernel-core-4.18.0-372.9.1.el8.aarch64.rpm
kernel-cross-headers-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debug-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debug-core-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debug-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debug-devel-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debug-modules-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debug-modules-extra-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debuginfo-common-aarch64-4.18.0-372.9.1.el8.aarch64.rpm
kernel-devel-4.18.0-372.9.1.el8.aarch64.rpm
kernel-headers-4.18.0-372.9.1.el8.aarch64.rpm
kernel-modules-4.18.0-372.9.1.el8.aarch64.rpm
kernel-modules-extra-4.18.0-372.9.1.el8.aarch64.rpm
kernel-tools-4.18.0-372.9.1.el8.aarch64.rpm
kernel-tools-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
kernel-tools-libs-4.18.0-372.9.1.el8.aarch64.rpm
perf-4.18.0-372.9.1.el8.aarch64.rpm
perf-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
python3-perf-4.18.0-372.9.1.el8.aarch64.rpm
python3-perf-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
noarch:
kernel-abi-stablelists-4.18.0-372.9.1.el8.noarch.rpm
kernel-doc-4.18.0-372.9.1.el8.noarch.rpm
ppc64le:
bpftool-4.18.0-372.9.1.el8.ppc64le.rpm
bpftool-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-core-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-cross-headers-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debug-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debug-core-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debug-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debug-devel-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debug-modules-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debug-modules-extra-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debuginfo-common-ppc64le-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-devel-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-headers-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-modules-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-modules-extra-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-tools-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-tools-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-tools-libs-4.18.0-372.9.1.el8.ppc64le.rpm
perf-4.18.0-372.9.1.el8.ppc64le.rpm
perf-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
python3-perf-4.18.0-372.9.1.el8.ppc64le.rpm
python3-perf-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
s390x:
bpftool-4.18.0-372.9.1.el8.s390x.rpm
bpftool-debuginfo-4.18.0-372.9.1.el8.s390x.rpm
kernel-4.18.0-372.9.1.el8.s390x.rpm
kernel-core-4.18.0-372.9.1.el8.s390x.rpm
kernel-cross-headers-4.18.0-372.9.1.el8.s390x.rpm
kernel-debug-4.18.0-372.9.1.el8.s390x.rpm
kernel-debug-core-4.18.0-372.9.1.el8.s390x.rpm
kernel-debug-debuginfo-4.18.0-372.9.1.el8.s390x.rpm
kernel-debug-devel-4.18.0-372.9.1.el8.s390x.rpm
kernel-debug-modules-4.18.0-372.9.1.el8.s390x.rpm
kernel-debug-modules-extra-4.18.0-372.9.1.el8.s390x.rpm
kernel-debuginfo-4.18.0-372.9.1.el8.s390x.rpm
kernel-debuginfo-common-s390x-4.18.0-372.9.1.el8.s390x.rpm
kernel-devel-4.18.0-372.9.1.el8.s390x.rpm
kernel-headers-4.18.0-372.9.1.el8.s390x.rpm
kernel-modules-4.18.0-372.9.1.el8.s390x.rpm
kernel-modules-extra-4.18.0-372.9.1.el8.s390x.rpm
kernel-tools-4.18.0-372.9.1.el8.s390x.rpm
kernel-tools-debuginfo-4.18.0-372.9.1.el8.s390x.rpm
kernel-zfcpdump-4.18.0-372.9.1.el8.s390x.rpm
kernel-zfcpdump-core-4.18.0-372.9.1.el8.s390x.rpm
kernel-zfcpdump-debuginfo-4.18.0-372.9.1.el8.s390x.rpm
kernel-zfcpdump-devel-4.18.0-372.9.1.el8.s390x.rpm
kernel-zfcpdump-modules-4.18.0-372.9.1.el8.s390x.rpm
kernel-zfcpdump-modules-extra-4.18.0-372.9.1.el8.s390x.rpm
perf-4.18.0-372.9.1.el8.s390x.rpm
perf-debuginfo-4.18.0-372.9.1.el8.s390x.rpm
python3-perf-4.18.0-372.9.1.el8.s390x.rpm
python3-perf-debuginfo-4.18.0-372.9.1.el8.s390x.rpm
x86_64:
bpftool-4.18.0-372.9.1.el8.x86_64.rpm
bpftool-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
kernel-4.18.0-372.9.1.el8.x86_64.rpm
kernel-core-4.18.0-372.9.1.el8.x86_64.rpm
kernel-cross-headers-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debug-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debug-core-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debug-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debug-devel-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debug-modules-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debug-modules-extra-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debuginfo-common-x86_64-4.18.0-372.9.1.el8.x86_64.rpm
kernel-devel-4.18.0-372.9.1.el8.x86_64.rpm
kernel-headers-4.18.0-372.9.1.el8.x86_64.rpm
kernel-modules-4.18.0-372.9.1.el8.x86_64.rpm
kernel-modules-extra-4.18.0-372.9.1.el8.x86_64.rpm
kernel-tools-4.18.0-372.9.1.el8.x86_64.rpm
kernel-tools-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
kernel-tools-libs-4.18.0-372.9.1.el8.x86_64.rpm
perf-4.18.0-372.9.1.el8.x86_64.rpm
perf-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
python3-perf-4.18.0-372.9.1.el8.x86_64.rpm
python3-perf-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 8):
aarch64:
bpftool-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debug-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
kernel-debuginfo-common-aarch64-4.18.0-372.9.1.el8.aarch64.rpm
kernel-tools-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
kernel-tools-libs-devel-4.18.0-372.9.1.el8.aarch64.rpm
perf-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
python3-perf-debuginfo-4.18.0-372.9.1.el8.aarch64.rpm
ppc64le:
bpftool-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debug-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-debuginfo-common-ppc64le-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-tools-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
kernel-tools-libs-devel-4.18.0-372.9.1.el8.ppc64le.rpm
perf-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
python3-perf-debuginfo-4.18.0-372.9.1.el8.ppc64le.rpm
x86_64:
bpftool-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debug-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
kernel-debuginfo-common-x86_64-4.18.0-372.9.1.el8.x86_64.rpm
kernel-tools-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
kernel-tools-libs-devel-4.18.0-372.9.1.el8.x86_64.rpm
perf-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
python3-perf-debuginfo-4.18.0-372.9.1.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for kernel is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Bugs Fixed
1888433 - CVE-2020-4788 kernel: speculation on incompletely validated data on IBM Power9
1901726 - CVE-2020-27820 kernel: use-after-free in nouveau kernel module
1919791 - CVE-2020-0404 kernel: avoid cyclic entity chains due to malformed USB descriptors1946684 - CVE-2021-29154 kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation
1951739 - CVE-2021-42739 kernel: Heap buffer overflow in firedtv driver
1957375 - [RFE] x86, tsc: Add kcmdline args for skipping tsc calibration sequences
1974079 - CVE-2021-3612 kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
1981950 - CVE-2021-21781 kernel: arm: SIGPAGE information disclosure vulnerability
1983894 - Hostnetwork pod to service backed by hostnetwork on the same node is not working with OVN Kubernetes
1985353 - CVE-2021-37159 kernel: use-after-free in hso_free_net_device() in drivers/net/usb/hso.c
1986473 - CVE-2021-3669 kernel: reading /proc/sysvipc/shm does not scale with large shared memory segment counts
1994390 - FIPS: deadlock between PID 1 and "modprobe crypto-jitterentropy_rng" at boot, preventing system to boot
1997338 - block: update to upstream v5.14
1997467 - CVE-2021-3764 kernel: DoS in ccp_run_aes_gcm_cmd() function
1997961 - CVE-2021-3743 kernel: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
1999544 - CVE-2021-3752 kernel: possible use-after-free in bluetooth module
1999675 - CVE-2021-3759 kernel: unaccounted ipc objects in Linux kernel lead to breaking memcg limits and DoS attacks
2000627 - CVE-2021-3744 kernel: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
2000694 - CVE-2021-3772 kernel: sctp: Invalid chunks may be used to remotely remove existing associations
2004949 - CVE-2021-3773 kernel: lack of port sanity checking in natd and netfilter leads to exploit of OpenVPN clients
2009312 - Incorrect system time reported by the cpu guest statistics (PPC only).
2009521 - XFS: sync to upstream v5.11
2010463 - CVE-2021-41864 kernel: eBPF multiplication integer overflow in prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to out-of-bounds write
2011104 - statfs reports wrong free space for small quotas
2013180 - CVE-2021-43389 kernel: an array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c
2014230 - CVE-2021-20322 kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
2015525 - SCTP peel-off with SELinux and containers in OCP
2015755 - zram: zram leak with warning when running zram02.sh in ltp
2016169 - CVE-2020-13974 kernel: integer overflow in k_ascii() in drivers/tty/vt/keyboard.c
2017073 - CVE-2021-43056 kernel: ppc: kvm: allows a malicious KVM guest to crash the host
2017796 - ceph omnibus backport for RHEL-8.6.0
2018205 - CVE-2021-0941 kernel: out-of-bounds read in bpf_skb_change_head() of filter.c due to a use-after-free
2022814 - Rebase the input and HID stack in 8.6 to v5.15
2025003 - CVE-2021-43976 kernel: mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker to cause DoS via crafted USB device
2025726 - CVE-2021-4002 kernel: possible leak or coruption of data residing on hugetlbfs
2027239 - CVE-2021-4037 kernel: security regression for CVE-2018-13405
2029923 - CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
2030476 - Kernel 4.18.0-348.2.1 secpath_cache memory leak involving strongswan tunnel
2030747 - CVE-2021-44733 kernel: use-after-free in the TEE subsystem
2031200 - rename(2) fails on subfolder mounts when the share path has a trailing slash
2034342 - CVE-2021-4157 kernel: Buffer overwrite in decode_nfs_fh function
2035652 - CVE-2021-4197 kernel: cgroup: Use open-time creds and namespace for migration perm checks
2036934 - CVE-2021-4203 kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses
2037019 - CVE-2022-0286 kernel: Local denial of service in bond_ipsec_add_sa
2039911 - CVE-2021-45485 kernel: information leak in the IPv6 implementation
2039914 - CVE-2021-45486 kernel: information leak in the IPv4 implementation
2042798 - [RHEL8.6][sfc] General sfc driver update
2042822 - CVE-2022-0322 kernel: DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c
2043453 - [RHEL8.6 wireless] stack & drivers general update to v5.16+
2046021 - kernel 4.18.0-358.el8 async dirops causes write errors with namespace restricted caps
2048251 - Selinux is not allowing SCTP connection setup between inter pod communication in enforcing mode
2061700 - CVE-2021-26401 hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715
2061712 - CVE-2022-0001 hw: cpu: intel: Branch History Injection (BHI)
2061721 - CVE-2022-0002 hw: cpu: intel: Intra-Mode BTI
2064855 - CVE-2022-1011 kernel: FUSE allows UAF reads of write() buffers, allowing theft of (partial) /etc/shadow hashes