Cloud Foundry Logo
blog single gear
Blog
Security Advisory

USN-5071-2: Linux kernel (HWE) vulnerabilities

by: October 4, 2021

Severity

High

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 18.04

Description

Several security issues were fixed in the Linux kernel.

USN-5071-1 fixed vulnerabilities in the Linux kernel for Ubuntu 20.04

LTS. This update provides the corresponding updates for the Linux

Hardware Enablement (HWE) kernel from Ubuntu 20.04 LTS for Ubuntu

18.04 LTS.

Maxim Levitsky and Paolo Bonzini discovered that the KVM hypervisor

implementation for AMD processors in the Linux kernel allowed a guest VM to

disable restrictions on VMLOAD/VMSAVE in a nested guest. An attacker in a

guest VM could use this to read or write portions of the host’s physical

memory. (CVE-2021-3656)

Maxim Levitsky discovered that the KVM hypervisor implementation for AMD

processors in the Linux kernel did not properly prevent a guest VM from

enabling AVIC in nested guest VMs. An attacker in a guest VM could use this

to write to portions of the host’s physical memory. (CVE-2021-3653)

It was discovered that the KVM hypervisor implementation for AMD processors

in the Linux kernel did not ensure enough processing time was given to

perform cleanups of large SEV VMs. A local attacker could use this to cause

a denial of service (soft lockup). (CVE-2020-36311)

It was discovered that the KVM hypervisor implementation in the Linux

kernel did not properly perform reference counting in some situations,

leading to a use-after-free vulnerability. An attacker who could start and

control a VM could possibly use this to expose sensitive information or

execute arbitrary code. (CVE-2021-22543)

Murray McAllister discovered that the joystick device interface in the

Linux kernel did not properly validate data passed via an ioctl(). A local

attacker could use this to cause a denial of service (system crash) or

possibly execute arbitrary code on systems with a joystick device

registered. (CVE-2021-3612)

CVEs contained in this USN include: CVE-2021-3653, CVE-2020-36311, CVE-2021-22543, CVE-2021-3612, CVE-2021-3656.

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • Bionic Stemcells
    • 1.x versions prior to 1.28
    • All other stemcells not listed.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • Bionic Stemcells
    • Upgrade 1.x versions to 1.28 or greater
    • All other stemcells should be upgraded to the latest version available on bosh.io.

History

2021-10-04: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-3318-1: GnuTLS vulnerabilities
Security Advisory

USN-3318-1: GnuTLS vulnerabilities

by Cloud Foundry Foundation Security Team June 22, 2017
USN-5402-1: OpenSSL vulnerabilities
Security Advisory

USN-5402-1: OpenSSL vulnerabilities

by Cloud Foundry Foundation Security Team July 29, 2022
USN-3982-2: Linux kernel (Xenial HWE) vulnerabilities (AKA ZombieLoad Attack)
Security Advisory

USN-3982-2: Linux kernel (Xenial HWE) vulnerabilities (AKA ZombieLoad Attack)

by Cloud Foundry Foundation Security Team May 20, 2019
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept