Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP2) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:2577-1 Final 1 1 2021-07-30T15:51:38Z current 2021-07-30T15:51:38Z 2021-07-30T15:51:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 15 for SLE 15 SP2) This update for the Linux Kernel 5.3.18-24_53_4 fixes several issues. The following security issues were fixed: - CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062) - CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116) - CVE-2020-36385: Fixed a use-after-free vulnerability reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050) - CVE-2021-23133: Fixed a race condition in the SCTP sockets that could lead to kernel privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675) - CVE-2021-33034: Fixed a use-after-free vulnerability when destroying an hci_chan which leads to writing an arbitrary value. (bnc#1186111) - CVE-2021-32399: Fixed a race condition in net/bluetooth/hci_request.c for removal of the HCI controller. (bsc#1184611) - CVE-2020-36322: Fixed an issue in the FUSE filesystem implementation. This bug was addressed with a previous fix, which turned out was incomplete, and its incompleteness is tracked as CVE-2021-28950. (bsc#1184211) - CVE-2021-29154: Fixed an incorrect computation of branch displacements in the BPF JIT compilers, which could allow to execute arbitrary code within the kernel context. (bsc#1184391) - CVE-2021-3444: The bpf verifier did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. (bsc#1184170) - CVE-2021-28660: Fixed an out-of-bounds write in rtw_wx_set_scan which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1183593) - CVE-2021-27365: Fixed an issue in certain iSCSI data structures that do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. (bsc#1182715) - CVE-2021-28688: Fixed some uninitialization pointers in Xen that could result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. (bsc#1183646) - CVE-2021-27363: Fixed a kernel pointer leak that can be used to determine the address of the iscsi_transport structure. (bsc#1182716) - CVE-2021-27364: Fixed an issue that provides an unprivileged user the ability of craft Netlink messages. (bsc#1182717) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-2577,SUSE-SLE-Module-Live-Patching-15-SP2-2021-2577 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ Link for SUSE-SU-2021:2577-1 https://lists.suse.com/pipermail/sle-security-updates/2021-July/009234.html E-Mail link for SUSE-SU-2021:2577-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1182717 SUSE Bug 1182717 https://bugzilla.suse.com/1183120 SUSE Bug 1183120 https://bugzilla.suse.com/1183491 SUSE Bug 1183491 https://bugzilla.suse.com/1183658 SUSE Bug 1183658 https://bugzilla.suse.com/1184171 SUSE Bug 1184171 https://bugzilla.suse.com/1184710 SUSE Bug 1184710 https://bugzilla.suse.com/1184952 SUSE Bug 1184952 https://bugzilla.suse.com/1185847 SUSE Bug 1185847 https://bugzilla.suse.com/1185899 SUSE Bug 1185899 https://bugzilla.suse.com/1185901 SUSE Bug 1185901 https://bugzilla.suse.com/1186285 SUSE Bug 1186285 https://bugzilla.suse.com/1187052 SUSE Bug 1187052 https://bugzilla.suse.com/1188117 SUSE Bug 1188117 https://bugzilla.suse.com/1188257 SUSE Bug 1188257 https://www.suse.com/security/cve/CVE-2020-36322/ SUSE CVE CVE-2020-36322 page https://www.suse.com/security/cve/CVE-2020-36385/ SUSE CVE CVE-2020-36385 page https://www.suse.com/security/cve/CVE-2021-22555/ SUSE CVE CVE-2021-22555 page https://www.suse.com/security/cve/CVE-2021-23133/ SUSE CVE CVE-2021-23133 page https://www.suse.com/security/cve/CVE-2021-27363/ SUSE CVE CVE-2021-27363 page https://www.suse.com/security/cve/CVE-2021-27364/ SUSE CVE CVE-2021-27364 page https://www.suse.com/security/cve/CVE-2021-27365/ SUSE CVE CVE-2021-27365 page https://www.suse.com/security/cve/CVE-2021-28660/ SUSE CVE CVE-2021-28660 page https://www.suse.com/security/cve/CVE-2021-28688/ SUSE CVE CVE-2021-28688 page https://www.suse.com/security/cve/CVE-2021-29154/ SUSE CVE CVE-2021-29154 page https://www.suse.com/security/cve/CVE-2021-32399/ SUSE CVE CVE-2021-32399 page https://www.suse.com/security/cve/CVE-2021-33034/ SUSE CVE CVE-2021-33034 page https://www.suse.com/security/cve/CVE-2021-33909/ SUSE CVE CVE-2021-33909 page https://www.suse.com/security/cve/CVE-2021-3444/ SUSE CVE CVE-2021-3444 page SUSE Linux Enterprise Live Patching 15 SP2 kernel-livepatch-5_3_18-24_53_4-default-2-2.1 kernel-livepatch-5_3_18-24_53_4-preempt-2-2.1 kernel-livepatch-5_3_18-24_53_4-default-2-2.1 as a component of SUSE Linux Enterprise Live Patching 15 SP2 An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950. CVE-2020-36322 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2020-36322.html CVE-2020-36322 https://bugzilla.suse.com/1184211 SUSE Bug 1184211 https://bugzilla.suse.com/1184952 SUSE Bug 1184952 https://bugzilla.suse.com/1189302 SUSE Bug 1189302 An issue was discovered in the Linux kernel before 5.10. drivers/infiniband/core/ucma.c has a use-after-free because the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called, aka CID-f5449e74802c. CVE-2020-36385 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2020-36385.html CVE-2020-36385 https://bugzilla.suse.com/1187050 SUSE Bug 1187050 https://bugzilla.suse.com/1187052 SUSE Bug 1187052 https://bugzilla.suse.com/1189302 SUSE Bug 1189302 https://bugzilla.suse.com/1196174 SUSE Bug 1196174 https://bugzilla.suse.com/1196810 SUSE Bug 1196810 https://bugzilla.suse.com/1196914 SUSE Bug 1196914 https://bugzilla.suse.com/1200084 SUSE Bug 1200084 https://bugzilla.suse.com/1201734 SUSE Bug 1201734 A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space CVE-2021-22555 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-22555.html CVE-2021-22555 https://bugzilla.suse.com/1188116 SUSE Bug 1188116 https://bugzilla.suse.com/1188117 SUSE Bug 1188117 https://bugzilla.suse.com/1188411 SUSE Bug 1188411 A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket. CVE-2021-23133 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-23133.html CVE-2021-23133 https://bugzilla.suse.com/1184675 SUSE Bug 1184675 https://bugzilla.suse.com/1185901 SUSE Bug 1185901 An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables. CVE-2021-27363 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 3.6 AV:L/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-27363.html CVE-2021-27363 https://bugzilla.suse.com/1182716 SUSE Bug 1182716 https://bugzilla.suse.com/1182717 SUSE Bug 1182717 https://bugzilla.suse.com/1183120 SUSE Bug 1183120 https://bugzilla.suse.com/1200084 SUSE Bug 1200084 An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages. CVE-2021-27364 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 3.6 AV:L/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-27364.html CVE-2021-27364 https://bugzilla.suse.com/1182715 SUSE Bug 1182715 https://bugzilla.suse.com/1182716 SUSE Bug 1182716 https://bugzilla.suse.com/1182717 SUSE Bug 1182717 https://bugzilla.suse.com/1200084 SUSE Bug 1200084 https://bugzilla.suse.com/1214268 SUSE Bug 1214268 https://bugzilla.suse.com/1218966 SUSE Bug 1218966 An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message. CVE-2021-27365 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-27365.html CVE-2021-27365 https://bugzilla.suse.com/1182712 SUSE Bug 1182712 https://bugzilla.suse.com/1182715 SUSE Bug 1182715 https://bugzilla.suse.com/1183491 SUSE Bug 1183491 https://bugzilla.suse.com/1200084 SUSE Bug 1200084 https://bugzilla.suse.com/1214268 SUSE Bug 1214268 https://bugzilla.suse.com/1218966 SUSE Bug 1218966 rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base. CVE-2021-28660 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-28660.html CVE-2021-28660 https://bugzilla.suse.com/1183593 SUSE Bug 1183593 https://bugzilla.suse.com/1183658 SUSE Bug 1183658 The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains. All Linux versions having the fix for XSA-365 applied are vulnerable. XSA-365 was classified to affect versions back to at least 3.11. CVE-2021-28688 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-28688.html CVE-2021-28688 https://bugzilla.suse.com/1183646 SUSE Bug 1183646 BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. CVE-2021-29154 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-29154.html CVE-2021-29154 https://bugzilla.suse.com/1184391 SUSE Bug 1184391 https://bugzilla.suse.com/1184710 SUSE Bug 1184710 https://bugzilla.suse.com/1186408 SUSE Bug 1186408 net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller. CVE-2021-32399 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-32399.html CVE-2021-32399 https://bugzilla.suse.com/1184611 SUSE Bug 1184611 https://bugzilla.suse.com/1185898 SUSE Bug 1185898 https://bugzilla.suse.com/1185899 SUSE Bug 1185899 https://bugzilla.suse.com/1196174 SUSE Bug 1196174 https://bugzilla.suse.com/1200084 SUSE Bug 1200084 https://bugzilla.suse.com/1201734 SUSE Bug 1201734 In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value. CVE-2021-33034 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-33034.html CVE-2021-33034 https://bugzilla.suse.com/1186111 SUSE Bug 1186111 https://bugzilla.suse.com/1186285 SUSE Bug 1186285 fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05. CVE-2021-33909 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-33909.html CVE-2021-33909 https://bugzilla.suse.com/1188062 SUSE Bug 1188062 https://bugzilla.suse.com/1188063 SUSE Bug 1188063 https://bugzilla.suse.com/1188257 SUSE Bug 1188257 https://bugzilla.suse.com/1189302 SUSE Bug 1189302 https://bugzilla.suse.com/1190859 SUSE Bug 1190859 The bpf verifier in the Linux kernel did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution. This issue was addressed in the upstream kernel in commit 9b00f1b78809 ("bpf: Fix truncation handling for mod32 dst reg wrt zero") and in Linux stable kernels 5.11.2, 5.10.19, and 5.4.101. CVE-2021-3444 SUSE Linux Enterprise Live Patching 15 SP2:kernel-livepatch-5_3_18-24_53_4-default-2-2.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212577-1/ https://www.suse.com/security/cve/CVE-2021-3444.html CVE-2021-3444 https://bugzilla.suse.com/1184170 SUSE Bug 1184170 https://bugzilla.suse.com/1184171 SUSE Bug 1184171