USN-4302-1: Linux kernel vulnerabilities
Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 16.04
Description
Paulo Bonzini discovered that the KVM hypervisor implementation in the Linux kernel could improperly let a nested (level 2) guest access the resources of a parent (level 1) guest in certain situations. An attacker could use this to expose sensitive information. (CVE-2020-2732)
Gregory Herrero discovered that the fix for CVE-2019-14615 to address the Linux kernel not properly clearing data structures on context switches for certain Intel graphics processors was incomplete. A local attacker could use this to expose sensitive information. (CVE-2020-8832)
It was discovered that the IPMI message handler implementation in the Linux kernel did not properly deallocate memory in certain situations. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19046)
It was discovered that the Intel WiMAX 2400 driver in the Linux kernel did not properly deallocate memory in certain situations. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19051)
It was discovered that the Marvell Wi-Fi device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to possibly cause a denial of service (kernel memory exhaustion). (CVE-2019-19056)
It was discovered that the Intel® Wi-Fi device driver in the Linux kernel device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19058)
It was discovered that the Brocade BFA Fibre Channel device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19066)
It was discovered that the Realtek RTL8xxx USB Wi-Fi device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19068)
It was discovered that ZR364XX Camera USB device driver for the Linux kernel did not properly initialize memory. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15217)
CVEs contained in this USN include: CVE-2019-15217, CVE-2019-19051, CVE-2019-19056, CVE-2019-19066, CVE-2019-19068, CVE-2019-19058, CVE-2020-2732, CVE-2019-19046, CVE-2020-8832.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- Xenial Stemcells
- 97.x versions prior to 97.239
- 170.x versions prior to 170.210
- 250.x versions prior to 250.189
- 315.x versions prior to 315.175
- 456.x versions prior to 456.104
- 621.x versions prior to 621.64
- All other stemcells not listed.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- Xenial Stemcells
- Upgrade 97.x versions to 97.239 or greater
- Upgrade 170.x versions to 170.210 or greater
- Upgrade 250.x versions to 250.189 or greater
- Upgrade 315.x versions to 315.175 or greater
- Upgrade 456.x versions to 456.104 or greater
- Upgrade 621.x versions to 621.64 or greater
- All other stemcells should be upgraded to the latest version available on bosh.io.
References
History
2020-03-17: Initial vulnerability report published.
