Vulnerabilities Details

  • Home
  • Vulnerabilities Details

ZMC-2021.07.1.0809

linux kernel: Multiple vulnerabilities

Operating System:

[WIN][UNIX/LINUX]

Published:

1st July 2021

VulnerabilitiesZMC-2021.07.1.0809 


===========================================================================
                         ZMCIRT Vulnerability Bulletin

                             ZMC-2021.07.1.0809
                      linux kernel: Multiple vulnerabilities
                               1st July 2021

===========================================================================
Product:           linux kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Create Arbitrary Files          -- Existing Account
                   Denial of Service               -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33034 CVE-2021-32399 CVE-2021-29154
                   CVE-2021-28950 CVE-2021-28660 CVE-2021-3490
                   CVE-2021-3489 CVE-2020-36322 

Reference:         ESB-2021.2184
                   ESB-2021.2136
                   ESB-2021.1962
                   ESB-2021.1819
                   ESB-2021.1669
                   ESB-2021.1376
                   ESB-2021.1307

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2021/suse-su-20212198-1

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for the Linux Kernel (Live 

______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:2198-1
Rating:            important
References:        #1183658 #1184710 #1184952 #1185796 #1185847 #1185856
                   #1185899 #1186285
Cross-References:  CVE-2020-36322 CVE-2021-28660 CVE-2021-29154 CVE-2021-32399
                   CVE-2021-33034 CVE-2021-3489 CVE-2021-3490
Affected Products:
                   SUSE Linux Enterprise Module for Live Patching 15-SP3
______________________________________________________________________________

Patch 0 for
SLE 15 SP3)

An update that solves 7 vulnerabilities and has one errata is now available.

Description:

This update for the Linux Kernel 5.3.18-57 fixes several issues.
The following issues were fixed:

  o CVE-2021-3489: Fixed an issue where the eBPF RINGBUF bpf_ringbuf_reserve
    did not check that the allocated size was smaller than the ringbuf size
    (bsc#1185640).
  o CVE-2021-3490: Fixed an issue where the eBPF ALU32 bounds tracking for
    bitwise ops (AND, OR and XOR) did not update the 32-bit bounds (bsc#
    1185641).
  o CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This
    could lead to writing an arbitrary values (bsc#1186111).
  o CVE-2021-32399: Fixed a race condition when removing the HCI controller
    (bsc#1184611).
  o CVE-2020-36322: Fixed an issue was discovered in FUSE filesystem
    implementation which could have caused a system crash (bsc#1184211).
  o CVE-2021-29154: Fixed incorrect computation of branch displacements,
    allowing arbitrary code execution (bsc#1184391).
  o CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#
    1183593).
  o Fixed a data loss/data corruption that occurs if there is a write error on
    an md/raid array (bsc#1185847).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Live Patching 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2021-2198=1

Package List:

  o SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x
    x86_64):
       kernel-livepatch-5_3_18-57-default-2-3.1
       kernel-livepatch-5_3_18-57-default-debuginfo-2-3.1
       kernel-livepatch-SLE15-SP3_Update_0-debugsource-2-3.1


References:

  o https://www.suse.com/security/cve/CVE-2020-36322.html
  o https://www.suse.com/security/cve/CVE-2021-28660.html
  o https://www.suse.com/security/cve/CVE-2021-29154.html
  o https://www.suse.com/security/cve/CVE-2021-32399.html
  o https://www.suse.com/security/cve/CVE-2021-33034.html
  o https://www.suse.com/security/cve/CVE-2021-3489.html
  o https://www.suse.com/security/cve/CVE-2021-3490.html
  o https://bugzilla.suse.com/1183658
  o https://bugzilla.suse.com/1184710
  o https://bugzilla.suse.com/1184952
  o https://bugzilla.suse.com/1185796
  o https://bugzilla.suse.com/1185847
  o https://bugzilla.suse.com/1185856
  o https://bugzilla.suse.com/1185899
  o https://bugzilla.suse.com/1186285


 
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Internet Email: report@cirt.zm     
Telephone:     7070 
                ZMCIRT personnel answer during Zambian business hours 
                which are 8am to 5pm.
                On call after hours for member emergencies only.
===========================================================================

Copyright @2023 ZAMBIA CIRT