Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2022-9245)

high Nessus Plugin ID 159184

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9245 advisory.

- lib/iov_iter: initialize 'flags' in new pipe_buffer (Max Kellermann) [Orabug: 33942325] {CVE-2022-0847}
- arm64: Use the clearbhb instruction in mitigations (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: add ID_AA64ISAR2_EL1 sys register (Joey Gouly) [Orabug: 33937423] {CVE-2022-23960}
- KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated (James Morse) [Orabug:
33937423] {CVE-2022-23960}
- arm64: Mitigate spectre style branch history side channels (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- KVM: arm64: Add templates for BHB mitigation sequences (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: Add Cortex-X2 CPU part definition (Anshuman Khandual) [Orabug: 33937423] {CVE-2022-23960}
- arm64: Add Neoverse-N2, Cortex-A710 CPU part definition (Suzuki K Poulose) [Orabug: 33937423] {CVE-2022-23960}
- arm64: Add part number for Arm Cortex-A77 (Rob Herring) [Orabug: 33937423] {CVE-2022-23960}
- arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2 (James Morse) [Orabug:
33937423] {CVE-2022-23960}
- arm64: Add percpu vectors for EL1 (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Add macro for reading symbol addresses from the trampoline (James Morse) [Orabug:
33937423] {CVE-2022-23960}
- arm64: entry: Add vectors that have the bhb mitigation sequences (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Allow the trampoline text to occupy multiple pages (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Make the kpti trampoline's kpti sequence optional (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Move trampoline macros out of ifdef'd section (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Don't assume tramp_vectors is the start of the vectors (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Allow tramp_alias to access symbols after the 4K boundary (James Morse) [Orabug:
33937423] {CVE-2022-23960}
- arm64: entry: Move the trampoline data page before the text page (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Free up another register on kpti's tramp_exit path (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry: Make the trampoline cleanup optional (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- arm64: entry.S: Add ventry overflow sanity checks (James Morse) [Orabug: 33937423] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: Add initial retpoline support' (Russell King) [Orabug: 33937423] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: asm: Use *_nospec variants for blr and br.' (Russell King) [Orabug:
33937423] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: Add MIDR_APM_POTENZA.' (Russell King) [Orabug: 33937423] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: insn: Add offset getter/setter for adr.' (Russell King) [Orabug:
33937423] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: alternatives: Add support for adr/adrp with offset in alt block.' (Russell King) [Orabug: 33937423] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: Use alternative framework for retpoline.' (Russell King) [Orabug:
33937423] {CVE-2022-23960}
- Revert 'Arm64: add retpoline to cpu_show_spectre_v2' (Russell King) [Orabug: 33937423] {CVE-2022-23960}
- Revert 'arm64: retpoline: Don't use retpoline in KVM's HYP part.' (Russell King) [Orabug: 33937423] {CVE-2022-23960}
- Revert 'uek-rpm: aarch64 config enable RETPOLINE' (Russell King) [Orabug: 33937423] {CVE-2022-23960}
- Revert 'uek-rpm: aarch64 config enable RETPOLINE OL8' (Russell King) [Orabug: 33937423] {CVE-2022-23960}
- x86/speculation: Add knob for eibrs_retpoline_enabled (Patrick Colp) [Orabug: 33937344] {CVE-2021-26401}
- x86/speculation: Extend our code to properly support eibrs+lfence and eibrs+retpoline (Patrick Colp) [Orabug: 33937344] {CVE-2021-26401}
- x86/speculation: Update link to AMD speculation whitepaper (Kim Phillips) [Orabug: 33937344] {CVE-2021-26401}
- x86/speculation: Use generic retpoline by default on AMD (Kim Phillips) [Orabug: 33937344] {CVE-2021-26401}
- x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting (Josh Poimboeuf) [Orabug: 33937344] {CVE-2021-26401}
- Documentation/hw-vuln: Update spectre doc (Peter Zijlstra) [Orabug: 33937344] {CVE-2021-26401}
- x86/speculation: Add eIBRS + Retpoline options (Peter Zijlstra) [Orabug: 33937344] {CVE-2021-26401}
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE (Peter Zijlstra (Intel)) [Orabug: 33937344] {CVE-2021-26401}
- x86/speculation: Merge one test in spectre_v2_user_select_mitigation() (Borislav Petkov) [Orabug:
33937344] {CVE-2021-26401}
- x86/speculation: Update ALTERNATIVEs to (more closely) match upstream (Patrick Colp) [Orabug: 33937344] {CVE-2021-26401}
- x86/speculation: Fix bug in retpoline mode on AMD with (Patrick Colp) [Orabug: 33937344] {CVE-2021-26401}
- netfilter: nf_tables_offload: incorrect flow offload action array size (Pablo Neira Ayuso) [Orabug:
33900416] {CVE-2022-25636}
- KVM: x86: nSVM: don't copy virt_ext from vmcb12 (Maxim Levitsky) [Orabug: 33805849] {CVE-2021-3653} {CVE-2021-3656}
- drm/i915: Flush TLBs before releasing backing store (Tvrtko Ursulin) [Orabug: 33835810] {CVE-2022-0330}
- tipc: improve size validations for received domain records (Jon Maloy) [Orabug: 33850801] {CVE-2022-0435} {CVE-2022-0435}
- USB: gadget: bRequestType is a bitfield, not a enum (Greg Kroah-Hartman) [Orabug: 33739525] {CVE-2021-39685}
- USB: gadget: zero allocate endpoint 0 buffers (Greg Kroah-Hartman) [Orabug: 33739525] {CVE-2021-39685}
- USB: gadget: detect too-big endpoint 0 requests (Greg Kroah-Hartman) [Orabug: 33739525] {CVE-2021-39685}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.

See Also

https://linux.oracle.com/errata/ELSA-2022-9245.html

Plugin Details

Severity: High

ID: 159184

File Name: oraclelinux_ELSA-2022-9245.nasl

Version: 1.8

Type: local

Agent: unix

Published: 3/23/2022

Updated: 10/22/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-0435

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:kernel-uek-container, p-cpe:/a:oracle:linux:kernel-uek-container-debug, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/23/2022

Vulnerability Publication Date: 9/8/2021

CISA Known Exploited Vulnerability Due Dates: 5/16/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Dirty Pipe Local Privilege Escalation via CVE-2022-0847)

Reference Information

CVE: CVE-2021-26401, CVE-2021-3653, CVE-2021-3656, CVE-2021-39685, CVE-2022-0330, CVE-2022-0435, CVE-2022-0492, CVE-2022-0847, CVE-2022-23960, CVE-2022-25636