Cloud Foundry Logo
blog single gear
Blog
Security Advisory

USN-4227-1: Linux kernel vulnerabilities

by: February 5, 2020

USN-4227-1: Linux kernel vulnerabilities

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 16.04

Description

It was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901)

It was discovered that a heap-based buffer overflow existed in the Marvell Libertas WLAN Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14896, CVE-2019-14897)

It was discovered that the Fujitsu ES network device driver for the Linux kernel did not properly check for errors in some situations, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service. (CVE-2019-16231)

It was discovered that the QLogic Fibre Channel driver in the Linux kernel did not properly check for error, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16233)

Anthony Steinhauser discovered that the Linux kernel did not properly perform Spectre_RSB mitigations to all processors for PowerPC architecture systems in some situations. A local attacker could use this to expose sensitive information. (CVE-2019-18660)

It was discovered that the Mellanox Technologies Innova driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19045)

It was discovered that Geschwister Schneider USB CAN interface driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A physically proximate attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19052)

It was discovered that the AMD Display Engine Driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attack could use this to cause a denial of service (memory exhaustion). (CVE-2019-19083)

It was discovered that the driver for memoryless force-feedback input devices in the Linux kernel contained a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2019-19524)

It was discovered that the Microchip CAN BUS Analyzer driver in the Linux kernel contained a use-after-free vulnerability on device disconnect. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19529)

It was discovered that the PEAK-System Technik USB driver in the Linux kernel did not properly sanitize memory before sending it to the device. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2019-19534)

Tristan Madani discovered that the ALSA timer implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19807)

CVEs contained in this USN include: CVE-2019-19083, CVE-2019-14895, CVE-2019-14896, CVE-2019-14897, CVE-2019-14901, CVE-2019-18660, CVE-2019-19052, CVE-2019-19524, CVE-2019-19534, CVE-2019-16231, CVE-2019-16233, CVE-2019-19045, CVE-2019-19529, CVE-2019-19807.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • Xenial Stemcells
    • 97.x versions prior to 97.226
    • 315.x versions prior to 315.163
    • 456.x versions prior to 456.93
    • 170.x versions prior to 170.198
    • 250.x versions prior to 250.178
    • 621.x versions prior to 621.50
    • All other stemcells not listed.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • Xenial Stemcells
    • Upgrade 97.x versions to 97.226 or greater
    • Upgrade 315.x versions to 315.163 or greater
    • Upgrade 456.x versions to 456.93 or greater
    • Upgrade 170.x versions to 170.198 or greater
    • Upgrade 250.x versions to 250.178 or greater
    • Upgrade 621.x versions to 621.50 or greater
    • All other stemcells should be upgraded to the latest version available on bosh.io.

History

2020-01-07: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-2812-1 libxml2 vulnerability
Security Advisory

USN-2812-1 libxml2 vulnerability

by Cloud Foundry Foundation Security Team December 2, 2015
CVE-2016-0761 Docker Image Host Files Corruption
Security Advisory

CVE-2016-0761 Docker Image Host Files Corruption

by Cloud Foundry Foundation Security Team February 26, 2016
USN-2943-1 PCRE vulnerabilities
Security Advisory

USN-2943-1 PCRE vulnerabilities

by Cloud Foundry Foundation Security Team April 20, 2017
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept