USN-4345-1: Linux kernel vulnerabilities
Severity
High
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 16.04
Description
Al Viro discovered that the Linux kernel for s390x systems did not properly perform page table upgrades for kernel sections that use secondary address mode. A local attacker could use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-11884)
It was discovered that the Intel Wi-Fi driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16234)
Tristan Madani discovered that the block I/O tracing implementation in the Linux kernel contained a race condition. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2019-19768)
It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local attacker with the ability to perform ioctl() calls on /dev/vhost-net could use this to cause a denial of service (system crash). (CVE-2020-10942)
It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)
It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)
It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)
It was discovered that the virtual terminal implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2020-8648)
Jordy Zomer discovered that the floppy driver in the Linux kernel did not properly check for errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-9383)
CVEs contained in this USN include: CVE-2019-16234, CVE-2019-19768, CVE-2020-8648, CVE-2020-9383, CVE-2020-10942, CVE-2020-11608, CVE-2020-11609, CVE-2020-11668, CVE-2020-11884.
Affected Cloud Foundry Products and Versions
Severity is high unless otherwise noted.
- Xenial Stemcells
  - 170.x versions prior to 170.219
  - 250.x versions prior to 250.198
  - 315.x versions prior to 315.183
  - 456.x versions prior to 456.112
  - 621.x versions prior to 621.74
  - All other stemcells not listed.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- Xenial Stemcells
  - Upgrade 170.x versions to 170.219 or greater
  - Upgrade 250.x versions to 250.198 or greater
  - Upgrade 315.x versions to 315.183 or greater
  - Upgrade 456.x versions to 456.112 or greater
  - Upgrade 621.x versions to 621.74 or greater
  - All other stemcells should be upgraded to the latest version available on bosh.io.
History
2020-04-28: Initial vulnerability report published.