kernel-3.10.0-1160.105.1.el7
エラータID: AXSA:2023-6584:29
リリース日:
2023/11/27 Monday - 09:09
題名:
kernel-3.10.0-1160.105.1.el7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- 一部の Intel 社製のプロセッサの特定のベクター実行ユニットには、
一時的実行後のマイクロアーキテクチャ状態による情報漏洩の問題
があるため、認証されたユーザにより、ローカルアクセスを介して、
情報開示を可能とする脆弱性が存在します。(CVE-2022-40982)
- net/sched/sch_qfq.c の qfq_change_agg() 関数には、メモリ領域の
範囲外書き込みの問題があるため、ローカルの攻撃者により、特権
昇格、およびサービス拒否攻撃 (クラッシュの発生) を可能とする
脆弱性が存在します。(CVE-2023-3611)
- net/sched/cls_fw.c の fw_set_parms() 関数には、tcf_change_indev()
関数が失敗した際に参照カウンタの操作後にエラーを返してしまう
ことに起因したメモリ領域の解放後利用の問題があるため、ローカル
の攻撃者により、特権昇格を可能とする脆弱性が存在します。
(CVE-2023-3776)
- net/sched/cls_fw.c、net/sched/cls_u32.c、および net/sched/cls_route.c
には、メモリ領域の解放後利用の問題があるため、ローカルの攻撃者
により、既存のフィルタによる不正な処理を介して、特権昇格、
および情報の漏洩を可能とする脆弱性が存在します。(CVE-2023-4128)
- net/sched の cls_route コンポーネントには、メモリ領域の解放後
利用の問題があるため、ローカルの攻撃者により、フィルターの更新
を介して、特権昇格を可能とする脆弱性が存在します。
(CVE-2023-4206)
- net/sched の cls_fw コンポーネントには、メモリ領域の解放後利用
の問題があるため、ローカルの攻撃者により、フィルターの更新を
介して、特権昇格を可能とする脆弱性が存在します。(CVE-2023-4207)
- net/sched/cls_fw.c、cls_u32.c、および cls_route.c には、メモリ領域
の解放後利用の問題があるため、ローカルの攻撃者により、既存の
フィルタに対する細工された処理の実行を介して、特権昇格、および
カーネル空間のメモリの情報漏洩を可能とする脆弱性が存在します。
(CVE-2023-4208)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-40982
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2023-3611
An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
CVE-2023-3776
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
CVE-2023-4128
** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Reason: This record is a duplicate of CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Notes: All CVE users should reference CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Reason: This record is a duplicate of CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Notes: All CVE users should reference CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
CVE-2023-4206
A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
CVE-2023-4207
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
CVE-2023-4208
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
追加情報:
N/A
ダウンロード:
SRPMS
- kernel-3.10.0-1160.105.1.el7.src.rpm
MD5: 69151c64c4800ab63930e65ff83df359
SHA-256: 5ebac50a75ae11c9b5bc4f270f07675800014847b3bd845076b006362b93bd39
Size: 98.81 MB
Asianux Server 7 for x86_64
- bpftool-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: faef5af928e7d1f6ad20ed8d17adc6fd
SHA-256: 9a44bd604798bd734f60a5710c05e4ae50ff7fe1e6827c7a86f1c068db4122f3
Size: 8.52 MB - kernel-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: 73325fa03b03d5cadde583ffb8c9a5a6
SHA-256: f3fd956642ce7c1fb591c035b18e6540181bf55b11c6c12cf09c2a2c64a6a0c0
Size: 51.70 MB - kernel-debug-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: 9a5b067c2151507138aebd3b4c6fc19c
SHA-256: 5df6eef29a3a54400486925250a002a0b836a7d0870885b92492495e6ae6d4ef
Size: 54.01 MB - kernel-debug-devel-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: 332e9ea4f27ef849321c047816de0858
SHA-256: 256dea10430be897e7e7f581d12ec3e17166fee1629061515182b06793cde968
Size: 18.08 MB - kernel-devel-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: 96d44e9dcecc393475dee9b73acd46cf
SHA-256: 714ddaa6a06f356f58e983cd50d2170671069c005a1bdd79082d0000dc10aa3b
Size: 18.02 MB - kernel-doc-3.10.0-1160.105.1.el7.noarch.rpm
MD5: a762195cc6a7736b1ea6c7aa932814da
SHA-256: fb313cea5ec65df43bbc4d8c8a3ff79cc465a3ed64d7455d6a11abd581ab8807
Size: 19.55 MB - kernel-headers-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: bdda6625aaf8aafcff33d832f34cced5
SHA-256: 565ed9f4c326b2a8e39b0156ee92736d929b0f61bb8350c8afa09f2e071a2543
Size: 9.08 MB - kernel-tools-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: 407689c7824b7be87aa02d2a17914f3e
SHA-256: de2b046b0ea8d45b351eedf1768427901de0b102bd03ed96b3aea5a6ad7a891f
Size: 8.19 MB - kernel-tools-libs-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: e9bd89d84450502bd373b74c04ea05fe
SHA-256: b2d4976a7587292196bc43dfc99fec220835824df0bb56300769142c9e53dc5a
Size: 8.08 MB - perf-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: b87bb24923aae2fef84a5344834f6919
SHA-256: 71f47c1f3640f8bb5afe142929698a4a57472f3c319d56bbf356531cbd4045ac
Size: 9.73 MB - python-perf-3.10.0-1160.105.1.el7.x86_64.rpm
MD5: fa4ca6a0ac790ac115c490f982ea2afb
SHA-256: 009ddd682f6ee6c3cf42fe2a1bcbbc68feb3c0a56eda90f11e303adeac5cefbb
Size: 8.18 MB
English