Cloud Foundry Logo
blog single gear
Security Advisory

USN-4345-1: Linux kernel vulnerabilities

USN-4345-1: Linux kernel vulnerabilities

Severity

High

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 16.04

Description

Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-11884)

It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16234)

Tristan Madani discovered that the block I/O tracing implementation in the Linux kernel contained a race condition. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2019-19768)

It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local attacker with the ability to perform ioctl() calls on /dev/vhost-net could use this to cause a denial of service (system crash). (CVE-2020-10942)

It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)

It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)

It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)

It was discovered that the virtual terminal implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2020-8648)

Jordy Zomer discovered that the floppy driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-9383)

CVEs contained in this USN include: CVE-2019-16234, CVE-2019-19768, CVE-2020-8648, CVE-2020-9383, CVE-2020-10942, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11884.

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • Xenial Stemcells
    • 170.x versions prior to 170.219
    • 250.x versions prior to 250.198
    • 315.x versions prior to 315.183
    • 456.x versions prior to 456.112
    • 621.x versions prior to 621.74
    • All other stemcells not listed.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • Xenial Stemcells
    • Upgrade 170.x versions to 170.219 or greater
    • Upgrade 250.x versions to 250.198 or greater
    • Upgrade 315.x versions to 315.183 or greater
    • Upgrade 456.x versions to 456.112 or greater
    • Upgrade 621.x versions to 621.74 or greater
    • All other stemcells should be upgraded to the latest version available onĀ bosh.io.

History

2020-04-28: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES