Headline
CVE-2022-29901: oss-security - Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed
Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Jul 2022 16:36:10 +0000 From: Xen.org security team <security@…org> To: xen-announce@…ts.xen.org, xen-devel@…ts.xen.org, xen-users@…ts.xen.org, oss-security@…ts.openwall.com CC: Xen.org security team <security-team-members@…org> Subject: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900)
- Retbleed - arbitrary speculative code execution with return instructions
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407
Retbleed - arbitrary speculative code execution with return instructions
ISSUE DESCRIPTION
Researchers at ETH Zurich have discovered Retbleed, allowing for arbitrary speculative execution in a victim context.
For more details, see: https://comsec.ethz.ch/retbleed
ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for Intel.
Despite the similar preconditions, these are very different microarchitectural behaviours between vendors.
On AMD CPUs, Retbleed is one specific instance of a more general microarchitectural behaviour called Branch Type Confusion. AMD have assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type Confusion).
For more details, see: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037
On Intel CPUs, Retbleed is not a new vulnerability; it is only applicable to software which did not follow Intel’s original Spectre-v2 guidance. Intel are using the ETH Zurich allocated CVE-2022-29901.
For more details, see: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html
ARM have indicated existing guidance on Spectre-v2 is sufficient.
IMPACT
An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.
VULNERABLE SYSTEMS
Systems running all versions of Xen are affected.
Whether a CPU is potentially vulnerable depends on its microarchitecture. Consult your hardware vendor.
For ARM and Intel CPUs, Xen implemented the vendor-recommended defaults in XSA-254 and follow-on fixes. Therefore, the Xen Security Team believes there are no further changes necessary on these CPUs. Administrators who deviated from the default mitigations are potentially affected and should re-evaluate their threat model.
For AMD, CPUs from the Zen2 microarchitecture and earlier are potentially vulnerable. Zen3 and later CPUs are not believed to be vulnerable.
The patches for Xen implement the IBPB-at-entry mitigation. This depends on the IBPB microcode distributed by AMD in 2018 as part of the original Spectre/Meltdown work. Consult your dom0 OS vendor.
In addition to IBPB, “cross thread” safety is necessary. On Zen2 CPUs, Xen uses STIBP by default. On Zen1 CPUs, SMT needs disabling either in the firmware, or by passing `smt=0` on Xen’s command line. On Fam15h CPUs, Cluster Multi-Threading needs disabling in firmware.
Due to performance concerns, dom0 is excluded from IBPB-on-entry protections by default. This is because PV dom0 is trusted in most deployments. If your threat model model doesn’t allow for dom0 to be treated specially, boot with `spec-ctrl=ibpb-entry` which will cause IBPB-on-entry protections to be applied to dom0 too.
MITIGATION
There are no mitigations.
RESOLUTION
Applying the appropriate attached patch resolves this issue.
Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches.
For the 4.15 and 4.16 branches in particular, these patches depend on:
- x86/spec-ctrl: Only adjust MSR_SPEC_CTRL for idle with legacy IBRS
- x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP hint
- xen/cmdline: Extend parse_boolean() to signal a name match
- x86/spec-ctrl: Add fine-grained cmdline suboptions for primitives
which have been recently backported.
xsa407/xsa407-?.patch xen-unstable xsa407/xsa407-4.16-*.patch Xen 4.16.x xsa407/xsa407-4.15-*.patch Xen 4.15.x xsa407/xsa407-4.14-*.patch Xen 4.14.x xsa407/xsa407-4.13-*.patch Xen 4.13.x
$ sha256sum xsa407* xsa407*/* 0a6dea915dd760afc73c3f50f432422d2e853eecaf99e3cdeb2d6e0fb3ee71b1 xsa407.meta 8894b0dc8e8c0900560366bde766826bf357c8aec3233ed6147f2094633a3cbc xsa407/xsa407-1.patch 5955614d73b34ebeab45386dbc9dbe5d96c54f7945d22d5de6c645a5b7796a2f xsa407/xsa407-2.patch 1f901df3a382a547dda6ef4ef088a5cf60a2d2b0382be451b148bf166cf43013 xsa407/xsa407-3.patch 8f75a9eee8ee2a563bc90e493ba1e4ac29335f677a3d2049ec27e138b7e3021e xsa407/xsa407-4.13-01.patch fbe3dca8f170dabf61c620ad1dde12898d52521ede59822971f461549323f946 xsa407/xsa407-4.13-02.patch 9a392bca751a6d6b9489b536ffd7e14722f22e44d266631898ec024b1b258e27 xsa407/xsa407-4.13-03.patch 1eae8ece87fc06ca883fc7510b80ced195c3ec44a589fcf464ead076de4d1afd xsa407/xsa407-4.13-04.patch 016b1a682aa292a380a4fd9c49c65ade0fa7d19ef2f636611d7883d6adb38008 xsa407/xsa407-4.13-05.patch cc3435e7bf2331a61c6e6731d8c0c4edd10ac49c85c9702e3d790309e1bb494a xsa407/xsa407-4.13-06.patch 46f7b3d8a4ae39fa325dda2d77091b0768367a3d2cf6a341996042e511e46b93 xsa407/xsa407-4.13-07.patch cb31c3104890c83fad719c8a2c7b0ae242625132a1e9d6afbf6310af10a8c14a xsa407/xsa407-4.13-08.patch 55241ce45fb11825f7867ae188d73007c38c63d4a8489d990a8c869e000669dc xsa407/xsa407-4.13-09.patch f2d8a64f8446890a055e084f195a9f7c8982915556cefb48dd12b0e798b30a0f xsa407/xsa407-4.13-10.patch aa0ed6a1126c4d9d5fc94c00a51ddf27f4357c4a1cb258f72f0c17ac4ce0d191 xsa407/xsa407-4.13-11.patch e91f244180bd92c111e1c653c22644b8144f3610717dd00347b7f21df75830bf xsa407/xsa407-4.13-12.patch 59c604f50e0cedac2d5011fdb580aab4d719dbe73d9c50096faae70324864927 xsa407/xsa407-4.13-13.patch ca1f04eaacf86ac21a4656b8f1ad9ff0b06d5f295bba5ee21e0bbb4698b165c0 xsa407/xsa407-4.13-14.patch d3ee52d4144b5bb375c1fb7e484b68190632da22e654ab480b73745fe2f23af1 xsa407/xsa407-4.13-15.patch af4ec1eed3d10ce6795e96216676db581e19e4e65d19ee48679a1230a6c37a2f xsa407/xsa407-4.13-16.patch 8ee57395139261e09e387775d7f5c36a1fa53f75caff89302167727230250501 xsa407/xsa407-4.13-17.patch 1495ffd28238737bd9ad346e5667065f5acaa82adc86aeceb358be3d3b1469f9 xsa407/xsa407-4.13-18.patch a02fd749eb761b93fe7b2e5977a9aa493af13044165b71de9e7625c0237c2fde xsa407/xsa407-4.13-19.patch cf127677913b8127c9a71b1c9b3badf9f2c2064d1ed2602d236ba610f7335c8a xsa407/xsa407-4.13-20.patch 0289eb4a9098ab806f5b847e5f55652817b9bb8c9ebc98e28fe8ac626c77f77c xsa407/xsa407-4.13-21.patch fde8cafcd3207329a7582a18a333f95e82e5edc54e93e4d7603c62dc262942a4 xsa407/xsa407-4.14-01.patch e2e7aaf633c2638f4a81eca9e627110b4ad087760b9f4880965093f874b138a2 xsa407/xsa407-4.14-02.patch 69938e6c1293040aff921f2cd6bf2ad850caa682745f0d6be8bc2aabb3802edf xsa407/xsa407-4.14-03.patch 47d67a565d3077688a43937d7cb6cc79d43a8d5e8563711a1476924c696a9759 xsa407/xsa407-4.14-04.patch 14d15b20e053c7dec2e9dd9cbd108284b0ac2069dac2e5c4e76ab4c78637fbe8 xsa407/xsa407-4.14-05.patch cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1 xsa407/xsa407-4.14-06.patch 85b79e26fce7b649ae860f9860925060867004ea1940c1110f5e22354891b66a xsa407/xsa407-4.14-07.patch 0c292123259319cf110df43ccad50ac5f1396de234d457ed1fbd60462da40d82 xsa407/xsa407-4.14-08.patch 1161d0378a63d79461bfdfdc082bb6e49418f6b356a85048a33f268031a11abd xsa407/xsa407-4.14-09.patch 4b4c652481abaf49d1531ed5c6b6f91b17ab8ae71fcbb085f4557b661fa74d5d xsa407/xsa407-4.14-10.patch 074c16f104563ca665ee3af5144b9d3ec5131eea6eb9c5859ba5e2a33051bd55 xsa407/xsa407-4.14-11.patch e816ea5ea372e4e1429e7191721df9203ee8759a337c91e57d176f2d6a636949 xsa407/xsa407-4.14-12.patch 61382cd7985ac5b3d265a08188cbebdd6916fd150413bb77e5ad452fa98e254a xsa407/xsa407-4.15-1.patch cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1 xsa407/xsa407-4.15-2.patch 03d8a0e18b4e1ffbac268cfc159341b4d641d0322ea77efd22c43e4a4318d511 xsa407/xsa407-4.15-3.patch ae8e8f220a708401a68535e88a3092b35c3db0a20bd3e3a27cdcc7e88d1ff600 xsa407/xsa407-4.15-4.patch aba615483add2199ad2912557e0b9024d6efd6573fa8009590502d483a78e63a xsa407/xsa407-4.15-5.patch 55e58ce88ff7126c314c7e24f75a700a3263388137ecd725d2e459e21c018f64 xsa407/xsa407-4.15-6.patch a3b146ba37e183d9aec813e66e00a6647835246270d2a9a649724f2570c96c17 xsa407/xsa407-4.15-7.patch ac33b676c2fc5fdee565701baadddd627e492e85f9ca481d12a510c5fc3ff7ab xsa407/xsa407-4.15-8.patch 3a3cec31ebb8f0fb41e3804f03318becc2a978d71831cf086f77c7eff89de9fe xsa407/xsa407-4.16-1.patch b936a9a36c336d1dcf05923f9a07728522f6a6d1474006ec179981a4787a4522 xsa407/xsa407-4.16-2.patch 825a683f37964186ab669468c517c342dc55b1e86898a75c86f8ff0de47e1b76 xsa407/xsa407-4.16-3.patch 402795d0cb418503c3e90b65f3bf546493a7411d14208ac718ba8639f67d1860 xsa407/xsa407-4.16-4.patch ec6009b2ddaa74099725844bf4343efb8510015fb851d3ccc26913f877db0bdf xsa407/xsa407-4.16-5.patch 4fa9c65ee0bdf8650b0cd483c205a305352d918408b91d4adf83c84d1b269b2e xsa407/xsa407-4.16-6.patch 1c01c1508103de49cc1895a60babe9d33feaa27da8d2bd89c6895c0173e280d7 xsa407/xsa407-4.16-7.patch d2a4e06959dff5a9772b13d921332804fbaf81f012c0b9cf85f8b9dd008c61de xsa407/xsa407-4.16-8.patch c178e43d3f569086aee66ffaf28f22156bdb22144bdff7ffe4f7c20242abe73c xsa407/xsa407-4.patch eb9985afa38b1d2bffd6a48772a429fc0f88375cd3fc0b977f9a8a0981ab87b4 xsa407/xsa407-5.patch aea9fb436a1f3dc38a874b8b3e4d0f1a82fb14c5e50c579a978aee1a83bfdb72 xsa407/xsa407-6.patch cf1e9796dbaaedf1e3ba7efb830fe99dea8f09125d7ec7bd2a16b11cfc131aa6 xsa407/xsa407-7.patch cc46f1da318dfa72b87bbc069bf448eed3d1b264281e3a7d9a6bad8f6519e8c3 xsa407/xsa407-8.patch $
NOTE CONCERNING LACK OF EMBARGO
The disclosers did not authorise us to predisclose. -----BEGIN PGP SIGNATURE-----
iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLNotoMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZeiUH/jZsXrd1X9mzVrBaoQQckCtYtrM+9rYS1JbupDZx Ca6P0zwKaX1uaDi/De/UCAbt4fCpE/xqqy9X5wMX0XUFJEhr74GKXDh/evzH7C/i WxwNmoTio0Un5jw+aLlKGza7oSNYVKPgYjDim7iTMmWdzWauS6Ock3HQn2jkG0JL nTarKFX2JjC2INiu6YssDS81nI6cPJAz+AB4FzzU6u/2loPZv5hxpYnrUsWlRaH1 87pAiGhi7gc9yhv9FTi3C/paBG/kioqQi/ahV5S/l2nlIR1xo97ewfStcdAsT5sl XgFq0sKLamMti0Ens3tydrXVNeyfHq9ABlN2eOnufZNT8Kc= =CEa6 -----END PGP SIGNATURE-----
Download attachment "xsa407.meta" of type "application/octet-stream" (1366 bytes)
Download attachment "xsa407/xsa407-1.patch" of type "application/octet-stream" (5521 bytes)
Download attachment "xsa407/xsa407-2.patch" of type "application/octet-stream" (3502 bytes)
Download attachment "xsa407/xsa407-3.patch" of type "application/octet-stream" (3626 bytes)
Download attachment "xsa407/xsa407-4.13-01.patch" of type "application/octet-stream" (5069 bytes)
Download attachment "xsa407/xsa407-4.13-02.patch" of type "application/octet-stream" (4860 bytes)
Download attachment "xsa407/xsa407-4.13-03.patch" of type "application/octet-stream" (8358 bytes)
Download attachment "xsa407/xsa407-4.13-04.patch" of type "application/octet-stream" (6380 bytes)
Download attachment "xsa407/xsa407-4.13-05.patch" of type "application/octet-stream" (4572 bytes)
Download attachment "xsa407/xsa407-4.13-06.patch" of type "application/octet-stream" (2096 bytes)
Download attachment "xsa407/xsa407-4.13-07.patch" of type "application/octet-stream" (3343 bytes)
Download attachment "xsa407/xsa407-4.13-08.patch" of type "application/octet-stream" (1570 bytes)
Download attachment "xsa407/xsa407-4.13-09.patch" of type "application/octet-stream" (5054 bytes)
Download attachment "xsa407/xsa407-4.13-10.patch" of type "application/octet-stream" (3900 bytes)
Download attachment "xsa407/xsa407-4.13-11.patch" of type "application/octet-stream" (7893 bytes)
Download attachment "xsa407/xsa407-4.13-12.patch" of type "application/octet-stream" (2636 bytes)
Download attachment "xsa407/xsa407-4.13-13.patch" of type "application/octet-stream" (4926 bytes)
Download attachment "xsa407/xsa407-4.13-14.patch" of type "application/octet-stream" (5507 bytes)
Download attachment "xsa407/xsa407-4.13-15.patch" of type "application/octet-stream" (3462 bytes)
Download attachment "xsa407/xsa407-4.13-16.patch" of type "application/octet-stream" (3582 bytes)
Download attachment "xsa407/xsa407-4.13-17.patch" of type "application/octet-stream" (3356 bytes)
Download attachment "xsa407/xsa407-4.13-18.patch" of type "application/octet-stream" (10871 bytes)
Download attachment "xsa407/xsa407-4.13-19.patch" of type "application/octet-stream" (4384 bytes)
Download attachment "xsa407/xsa407-4.13-20.patch" of type "application/octet-stream" (3045 bytes)
Download attachment "xsa407/xsa407-4.13-21.patch" of type "application/octet-stream" (12470 bytes)
Download attachment "xsa407/xsa407-4.14-01.patch" of type "application/octet-stream" (3900 bytes)
Download attachment "xsa407/xsa407-4.14-02.patch" of type "application/octet-stream" (9426 bytes)
Download attachment "xsa407/xsa407-4.14-03.patch" of type "application/octet-stream" (2636 bytes)
Download attachment "xsa407/xsa407-4.14-04.patch" of type "application/octet-stream" (4926 bytes)
Download attachment "xsa407/xsa407-4.14-05.patch" of type "application/octet-stream" (5459 bytes)
Download attachment "xsa407/xsa407-4.14-06.patch" of type "application/octet-stream" (3462 bytes)
Download attachment "xsa407/xsa407-4.14-07.patch" of type "application/octet-stream" (3582 bytes)
Download attachment "xsa407/xsa407-4.14-08.patch" of type "application/octet-stream" (3356 bytes)
Download attachment "xsa407/xsa407-4.14-09.patch" of type "application/octet-stream" (11097 bytes)
Download attachment "xsa407/xsa407-4.14-10.patch" of type "application/octet-stream" (4429 bytes)
Download attachment "xsa407/xsa407-4.14-11.patch" of type "application/octet-stream" (3076 bytes)
Download attachment "xsa407/xsa407-4.14-12.patch" of type "application/octet-stream" (12470 bytes)
Download attachment "xsa407/xsa407-4.15-1.patch" of type "application/octet-stream" (5459 bytes)
Download attachment "xsa407/xsa407-4.15-2.patch" of type "application/octet-stream" (3462 bytes)
Download attachment "xsa407/xsa407-4.15-3.patch" of type "application/octet-stream" (3582 bytes)
Download attachment "xsa407/xsa407-4.15-4.patch" of type "application/octet-stream" (3356 bytes)
Download attachment "xsa407/xsa407-4.15-5.patch" of type "application/octet-stream" (11095 bytes)
Download attachment "xsa407/xsa407-4.15-6.patch" of type "application/octet-stream" (4449 bytes)
Download attachment "xsa407/xsa407-4.15-7.patch" of type "application/octet-stream" (3076 bytes)
Download attachment "xsa407/xsa407-4.15-8.patch" of type "application/octet-stream" (12470 bytes)
Download attachment "xsa407/xsa407-4.16-1.patch" of type "application/octet-stream" (5461 bytes)
Download attachment "xsa407/xsa407-4.16-2.patch" of type "application/octet-stream" (3462 bytes)
Download attachment "xsa407/xsa407-4.16-3.patch" of type "application/octet-stream" (3586 bytes)
Download attachment "xsa407/xsa407-4.16-4.patch" of type "application/octet-stream" (3356 bytes)
Download attachment "xsa407/xsa407-4.16-5.patch" of type "application/octet-stream" (11095 bytes)
Download attachment "xsa407/xsa407-4.16-6.patch" of type "application/octet-stream" (4449 bytes)
Download attachment "xsa407/xsa407-4.16-7.patch" of type "application/octet-stream" (3140 bytes)
Download attachment "xsa407/xsa407-4.16-8.patch" of type "application/octet-stream" (12475 bytes)
Download attachment "xsa407/xsa407-4.patch" of type "application/octet-stream" (3378 bytes)
Download attachment "xsa407/xsa407-5.patch" of type "application/octet-stream" (11155 bytes)
Download attachment "xsa407/xsa407-6.patch" of type "application/octet-stream" (4458 bytes)
Download attachment "xsa407/xsa407-7.patch" of type "application/octet-stream" (3187 bytes)
Download attachment "xsa407/xsa407-8.patch" of type "application/octet-stream" (12536 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.
Related news
Gentoo Linux Security Advisory 202402-7 - Multiple vulnerabilities have been found in Xen, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 4.16.6_pre1 are affected.
Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs. Called Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569), the novel methods follow the disclosure of another newly discovered security vulnerability affecting AMD's Zen 2 architecture-based processors known as
Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.
Ubuntu Security Notice 5861-1 - It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5854-1 - It was discovered that an out-of-bounds write vulnerability existed in the Video for Linux 2 implementation in the Linux kernel. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan and Ariel Sabba discovered that some Intel processors with Enhanced Indirect Branch Restricted Speculation did not properly handle RET instructions after a VM exits. A local attacker could potentially use this to expose sensitive information.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Red Hat Security Advisory 2022-8974-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, code execution, out of bounds write, and privilege escalation vulnerabilities.
An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1158: kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region * CVE-2022-2639: kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size() * CVE-2022-2959: kernel: watch queue race condition can lead to privilege escalation * CVE-2022-21123: hw: cpu: incomplete clean-up of multi-co...
Ubuntu Security Notice 5728-3 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 5728-1 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.
An update for kernel is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36516: kernel: off-path attacker may inject data or terminate victim's TCP session * CVE-2021-3640: kernel: use-after-free vulnerability in function sco_sock_sendmsg() * CVE-2022-0168: kernel: smb2_ioctl_query_info NULL pointer dereference * CVE-2022-0617: kernel: NULL pointer dereference in udf_expand_file_adinicbdue() during writeback * CVE-2022-0854: ...
An update for kernel-rt is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36516: kernel: off-path attacker may inject data or terminate victim's TCP session * CVE-2021-3640: kernel: use-after-free vulnerability in function sco_sock_sendmsg() * CVE-2022-0168: kernel: smb2_ioctl_query_info NULL pointer dereference * CVE-2022-0617: kernel: NULL pointer dereference in udf_expand_file_adinicbdue() during writeback * CVE-2022-085...
Logging Subsystem 5.5.4 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
An update is now available for OpenShift Logging 5.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32149: golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
OpenHarmony-v3.1.2 and prior versions had an Arbitrary file read vulnerability via download_server. Local attackers can install an malicious application on the device and reveal any file from the filesystem that is accessible to download_server service which run with UID 1000.
Red Hat Security Advisory 2022-7338-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include code execution, privilege escalation, and use-after-free vulnerabilities.
Red Hat Security Advisory 2022-7337-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include code execution, privilege escalation, and use-after-free vulnerabilities.
An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2588: kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation * CVE-2022-23816: hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions * CVE-2022-23825: hw: cpu: AMD: Branch Type Confusion (non-retbleed) * CVE-2022-26373: hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions * ...
An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2588: kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation * CVE-2022-23816: hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions * CVE-2022-23825: hw: cpu: AMD: Branch Type Confusion (non-retbleed) * CVE-2022-26373: hw: cpu: Intel: Post-barrier Return Stack Buffer Predictions * CVE...
Red Hat Security Advisory 2022-7201-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.12. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2022-7276-01 - Red Hat Advanced Cluster Management for Kubernetes 2.4.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service, server-side request forgery, and remote SQL injection vulnerabilities.
Red Hat Advanced Cluster Management for Kubernetes 2.6.2 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2238: search-api: SQL injection leads to remote denial of service * CVE-2022-25858: terser: insecure use of regular expressions leads to ReDoS * CVE-2022-25887: sanitize-html: insecure global regular expression replacement logic may lead to ReDoS * CVE-2022-25896: passport: incorrect ses...
Red Hat OpenShift Container Platform release 4.11.12 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26945: go-getter: command injection vulnerability * CVE-2022-30321: go-getter: unsafe download (issue 1 of 3) * CVE-2022-30322: go-getter: unsafe download (issue 2 of 3) * CVE-2022-30323: go-getter: unsafe download (issue 3 of 3)
Red Hat Advanced Cluster Management for Kubernetes 2.4.8 General Availability release images, which fix security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2238: search-api: SQL injection leads to remote denial of service * CVE-2022-25858: terser: insecure use of regular expressions leads to ReDoS * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-35948: nodejs: undici vulnerable to CRLF via content headers * CVE-2022-35949: n...
Red Hat Security Advisory 2022-7110-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include code execution, information leakage, memory leak, privilege escalation, and use-after-free vulnerabilities.
An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0494: kernel: information leak in scsi_ioctl() * CVE-2022-1353: Kernel: A kernel-info-leak issue in pfkey_register * CVE-2022-2588: kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation * CVE-2022-23816: hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions * CVE-2022-23825: hw: c...
An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0494: kernel: information leak in scsi_ioctl() * CVE-2022-1353: Kernel: A kernel-info-leak issue in pfkey_register * CVE-2022-2588: kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation * CVE-2022-23816: hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions * CVE-2022-23825: hw: cpu:...
Ubuntu Security Notice 5566-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5565-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 5564-1 - Zhenpeng Lin discovered that the network packet scheduler implementation in the Linux kernel did not properly remove all references to a route filter before freeing it in some situations. A local attacker could use this to cause a denial of service or execute arbitrary code. It was discovered that the netfilter subsystem of the Linux kernel did not prevent one nft object from referencing an nft set in another nft table, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or execute arbitrary code.
Linus Torvalds says Retbleed has been addressed in the Linux kernel, but code complexity means the release will be delayed by a week to give more time for testing.
Security researchers have uncovered yet another vulnerability affecting numerous older AMD and Intel microprocessors that could bypass current defenses and result in Spectre-based speculative-execution attacks. Dubbed Retbleed by ETH Zurich researchers Johannes Wikner and Kaveh Razavi, the issues are tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel), with the chipmakers releasing