Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2023-1192-01

Red Hat Security Advisory 2023-1192-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.

Packet Storm
#vulnerability#linux#red_hat#rpm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: kpatch-patch security update
Advisory ID: RHSA-2023:1192-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1192
Issue date: 2023-03-13
CVE Names: CVE-2022-2964 CVE-2022-41222
====================================================================

  1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux
8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.8.6) - ppc64le, x86_64

  1. Description:

This is a kernel live patch module which is automatically loaded by the RPM
post-install script to modify the code of a running kernel.

Security Fix(es):

  • kernel: memory corruption in AX88179_178A based USB ethernet device.
    (CVE-2022-2964)

  • kernel: mm/mremap.c use-after-free vulnerability (CVE-2022-41222)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2067482 - CVE-2022-2964 kernel: memory corruption in AX88179_178A based USB ethernet device.
2138818 - CVE-2022-41222 kernel: mm/mremap.c use-after-free vulnerability

  1. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:
kpatch-patch-4_18_0-372_26_1-1-5.el8_6.src.rpm
kpatch-patch-4_18_0-372_32_1-1-4.el8_6.src.rpm
kpatch-patch-4_18_0-372_36_1-1-3.el8_6.src.rpm
kpatch-patch-4_18_0-372_40_1-1-3.el8_6.src.rpm
kpatch-patch-4_18_0-372_41_1-1-2.el8_6.src.rpm

ppc64le:
kpatch-patch-4_18_0-372_26_1-1-5.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_26_1-debuginfo-1-5.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_26_1-debugsource-1-5.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_32_1-1-4.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_32_1-debuginfo-1-4.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_32_1-debugsource-1-4.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_36_1-1-3.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_36_1-debuginfo-1-3.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_36_1-debugsource-1-3.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_40_1-1-3.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_40_1-debuginfo-1-3.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_40_1-debugsource-1-3.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_41_1-1-2.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_41_1-debuginfo-1-2.el8_6.ppc64le.rpm
kpatch-patch-4_18_0-372_41_1-debugsource-1-2.el8_6.ppc64le.rpm

x86_64:
kpatch-patch-4_18_0-372_26_1-1-5.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_26_1-debuginfo-1-5.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_26_1-debugsource-1-5.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_32_1-1-4.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_32_1-debuginfo-1-4.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_32_1-debugsource-1-4.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_36_1-1-3.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_36_1-debuginfo-1-3.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_36_1-debugsource-1-3.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_40_1-1-3.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_40_1-debuginfo-1-3.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_40_1-debugsource-1-3.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_41_1-1-2.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_41_1-debuginfo-1-2.el8_6.x86_64.rpm
kpatch-patch-4_18_0-372_41_1-debugsource-1-2.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-2964
https://access.redhat.com/security/cve/CVE-2022-41222
https://access.redhat.com/security/updates/classification/#important

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZA897tzjgjWX9erEAQikMQ/9FRnl6FKDWMwAnfiUBfNnr+W5aN1TqK8R
TMVKASaKUaDCmi3+ExDK+3SkpDdyb5GGavG5X6whAGeOqxoQw+Lh22nicZnWu4b0
5Qz8hSE5ReYOXNisR9MmZW9QoE8TVG60m1xM3cLemnsex5tCU5YlAF1Lo6WMRHeR
QMQ/mnEtZTeilM+UmO0GSorz2iEX2s7hFvIafwo2cQD6VS0Q3loqH8ePTpYaz9fg
D1w8y13bEX/p+m9BI1ihK/VEX07WxNbvQcaK794RF7ZvKRWD35eqR2ajTTqSdTaY
L1LMy5CuBu9JFYDT0iAmpAcDhB8PhEEKFqm90xGVxfEUSVHagqAthgp7vAceLd7G
qEuE6VEAxP8eAA1j7yRZSTn5LzWuz/qi4kv6gnCzWKq0+M38bYtH6x6XKVldOvRy
CMz1oxomUE2g717pcJBBNQn3cSRicRKkUceqW/R+eoE8/DzzI4X8T0Gme17aiZH7
kZrTZZ4OSt7YhE1m2HvX4rYp1EAUiMvxjdwON1xoagXr97KrBFaRtUs9GveYvC3h
FkgDH8fCyeOx50M3IvVYyxUtFSHeHTdQ/IoFNlY4Mfu8pbPaLeMtY5IyqBwES6Ec
02mtaHyvnkwwVJ6C32g0ZhPWNmKrdFrNBm1piwb9OwGs5SIh3gPqdLF2qQAJ3VzX
AkEXpsRrSU0=LPHk
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

CVE-2023-1476

A use-after-free flaw was found in the Linux kernel’s mm/mremap memory address space accounting source code. This issue occurs due to a race condition between rmap walk and mremap, allowing a local user to crash the system or potentially escalate their privileges on the system.

RHSA-2023:3491: Red Hat Security Advisory: Red Hat Virtualization Host 4.4.z SP 1 security update

An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP bluetooth functionality in how a user triggers a race condition by two malicious flows in the L2CAP bluetooth packets. This flaw allows a local or bluetooth connection user to crash the system or poten...

CVE-2023-23694: DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450

Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

Red Hat Security Advisory 2023-2104-01

Red Hat Security Advisory 2023-2104-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1659-01

Red Hat Security Advisory 2023-1659-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Red Hat Security Advisory 2023-0932-01

Red Hat Security Advisory 2023-0932-01 - Update information for Logging Subsystem 5.6.3 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-0930-01

Red Hat Security Advisory 2023-0930-01 - Update information for Logging Subsystem 5.5.8 in Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:0931: Red Hat Security Advisory: Logging Subsystem 5.4.12 - Red Hat OpenShift

Logging Subsystem 5.4.12 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to alloc...

RHSA-2023:0930: Red Hat Security Advisory: Logging Subsystem 5.5.8 - Red Hat OpenShift

Logging Subsystem 5.5.8 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...

RHSA-2023:0932: Red Hat Security Advisory: Logging Subsystem 5.6.3 - Red Hat OpenShift

Logging Subsystem 5.6.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&...

Red Hat Security Advisory 2023-0858-01

Red Hat Security Advisory 2023-0858-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2023-0832-01

Red Hat Security Advisory 2023-0832-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, null pointer, and use-after-free vulnerabilities.

RHSA-2023:0856: Red Hat Security Advisory: kernel security update

An update for kernel is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2964: A flaw was found in the Linux kernel’s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes. * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP bluetooth functionality in ho...

RHSA-2023:0858: Red Hat Security Advisory: kpatch-patch security update

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2964: A flaw was found in the Linux kernel’s driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes. * CVE-2022-3564: A use-after-free flaw was found in the Linux kernel’s L2CAP bluetooth functionality...

RHSA-2023:0832: Red Hat Security Advisory: kernel security and bug fix update

An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2873: An out-of-bounds memory access flaw was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system. * CVE-2022-41222: A use-after-free flaw was found in the Linux kernel’s mm/mremap me...

RHSA-2023:0536: Red Hat Security Advisory: kpatch-patch security update

An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2964: kernel: memory corruption in AX88179_178A based USB ethernet device. * CVE-2022-4139: kernel: i915: Incorrect GPU TLB flush can lead to random memory access

RHSA-2023:0496: Red Hat Security Advisory: kernel security and bug fix update

An update for kernel is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2964: kernel: memory corruption in AX88179_178A based USB ethernet device. * CVE-2022-4139: kernel: i915: Incorrect GPU TLB flush can lead to random memory access

Red Hat Security Advisory 2023-0404-01

Red Hat Security Advisory 2023-0404-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Red Hat Security Advisory 2023-0396-01

Red Hat Security Advisory 2023-0396-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Red Hat Security Advisory 2023-0395-01

Red Hat Security Advisory 2023-0395-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

Red Hat Security Advisory 2023-0392-01

Red Hat Security Advisory 2023-0392-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

RHSA-2023:0123: Red Hat Security Advisory: kpatch-patch security update

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2964: kernel: memory corruption in AX88179_178A based USB ethernet device. * CVE-2022-4139: kernel: i915: Incorrect GPU TLB flush can lead to random memory access

Ubuntu Security Notice USN-5728-3

Ubuntu Security Notice 5728-3 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5728-2

Ubuntu Security Notice 5728-2 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-5728-1

Ubuntu Security Notice 5728-1 - Jann Horn discovered that the Linux kernel did not properly track memory allocations for anonymous VMA mappings in some situations, leading to potential data structure reuse. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the memory address space accounting implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution