Detections
Analytics
Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2022-9273)
high Nessus Plugin ID 159642
Language:
Synopsis
The remote Oracle Linux host is missing one or more security updates.Description
The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9273 advisory.- KVM: x86/mmu: do compare-and-exchange of gPTE via the user address (Paolo Bonzini) [Orabug: 34053807] {CVE-2022-1158}
- netfilter: nf_tables: initialize registers in nft_do_chain() (Pablo Neira Ayuso) [Orabug: 34035701] {CVE-2022-1016}
- sr9700: sanity check for packet length (Brian Maly) [Orabug: 33962705] {CVE-2022-26966}
- net/packet: rx_owner_map depends on pg_vec (Willem de Bruijn) [Orabug: 33835787] {CVE-2021-22600}
- NFSv4: Handle case where the lookup of a directory fails (Trond Myklebust) [Orabug: 33958154] {CVE-2022-24448}
- drm/vmwgfx: Fix stale file descriptors on failed usercopy (Mathias Krause) [Orabug: 33840432] {CVE-2022-22942}
- udf: Restore i_lenAlloc when inode expansion fails (Jan Kara) [Orabug: 33870266] {CVE-2022-0617}
- udf: Fix NULL ptr deref when converting from inline format (Jan Kara) [Orabug: 33870266] {CVE-2022-0617}
- ipv4: tcp: send zero IPID in SYNACK messages (Eric Dumazet) [Orabug: 33917056] {CVE-2020-36516}
- ipv4: avoid using shared IP generator for connected sockets (Eric Dumazet) [Orabug: 33917056] {CVE-2020-36516}
- arm64: Use the clearbhb instruction in mitigations (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: add ID_AA64ISAR2_EL1 sys register (Joey Gouly) [Orabug: 33921736] {CVE-2022-23960}
- KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated (James Morse) [Orabug:
33921736] {CVE-2022-23960}
- arm64: Mitigate spectre style branch history side channels (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- KVM: arm64: Add templates for BHB mitigation sequences (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: Add Cortex-X2 CPU part definition (Anshuman Khandual) [Orabug: 33921736] {CVE-2022-23960}
- arm64: Add Neoverse-N2, Cortex-A710 CPU part definition (Suzuki K Poulose) [Orabug: 33921736] {CVE-2022-23960}
- arm64: Add part number for Arm Cortex-A77 (Rob Herring) [Orabug: 33921736] {CVE-2022-23960}
- arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2 (James Morse) [Orabug:
33921736] {CVE-2022-23960}
- arm64: Add percpu vectors for EL1 (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Add macro for reading symbol addresses from the trampoline (James Morse) [Orabug:
33921736] {CVE-2022-23960}
- arm64: entry: Add vectors that have the bhb mitigation sequences (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Allow the trampoline text to occupy multiple pages (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Make the kpti trampoline's kpti sequence optional (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Move trampoline macros out of ifdef'd section (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Don't assume tramp_vectors is the start of the vectors (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Allow tramp_alias to access symbols after the 4K boundary (James Morse) [Orabug:
33921736] {CVE-2022-23960}
- arm64: entry: Move the trampoline data page before the text page (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Free up another register on kpti's tramp_exit path (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry: Make the trampoline cleanup optional (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- arm64: entry.S: Add ventry overflow sanity checks (James Morse) [Orabug: 33921736] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: Add initial retpoline support' (Russell King) [Orabug: 33921736] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: asm: Use *_nospec variants for blr and br.' (Russell King) [Orabug:
33921736] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: Add MIDR_APM_POTENZA.' (Russell King) [Orabug: 33921736] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: insn: Add offset getter/setter for adr.' (Russell King) [Orabug:
33921736] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: alternatives: Add support for adr/adrp with offset in alt block.' (Russell King) [Orabug: 33921736] {CVE-2022-23960}
- Revert 'BACKPORT: VARIANT 2: arm64: Use alternative framework for retpoline.' (Russell King) [Orabug:
33921736] {CVE-2022-23960}
- Revert 'Arm64: add retpoline to cpu_show_spectre_v2' (Russell King) [Orabug: 33921736] {CVE-2022-23960}
- Revert 'arm64: retpoline: Don't use retpoline in KVM's HYP part.' (Russell King) [Orabug: 33921736] {CVE-2022-23960}
- Revert 'uek-rpm: aarch64 config enable RETPOLINE' (Russell King) [Orabug: 33921736] {CVE-2022-23960}
- Revert 'uek-rpm: aarch64 config enable RETPOLINE OL8' (Russell King) [Orabug: 33921736] {CVE-2022-23960}
- x86/speculation: Add knob for eibrs_retpoline_enabled (Patrick Colp) [Orabug: 33941936] {CVE-2021-26401}
- x86/speculation: Extend our code to properly support eibrs+lfence and eibrs+retpoline (Patrick Colp) [Orabug: 33941936] {CVE-2021-26401}
- x86/speculation: Update link to AMD speculation whitepaper (Kim Phillips) [Orabug: 33941936] {CVE-2021-26401}
- x86/speculation: Use generic retpoline by default on AMD (Kim Phillips) [Orabug: 33941936] {CVE-2021-26401}
- x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting (Josh Poimboeuf) [Orabug: 33941936] {CVE-2021-26401}
- Documentation/hw-vuln: Update spectre doc (Peter Zijlstra) [Orabug: 33941936] {CVE-2021-26401}
- x86/speculation: Add eIBRS + Retpoline options (Peter Zijlstra) [Orabug: 33941936] {CVE-2021-26401}
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE (Peter Zijlstra (Intel)) [Orabug: 33941936] {CVE-2021-26401}
- x86/speculation: Merge one test in spectre_v2_user_select_mitigation() (Borislav Petkov) [Orabug:
33941936] {CVE-2021-26401}
- x86/speculation: Update ALTERNATIVEs to (more closely) match upstream (Patrick Colp) [Orabug: 33941936] {CVE-2021-26401}
- x86/speculation: Fix bug in retpoline mode on AMD with (Patrick Colp) [Orabug: 33941936] {CVE-2021-26401}
- drm/vmwgfx: Fix stale file descriptors on failed usercopy (Mathias Krause) [Orabug: 33840432] {CVE-2022-22942}
- udf: Restore i_lenAlloc when inode expansion fails (Jan Kara) [Orabug: 33870266] {CVE-2022-0617}
- udf: Fix NULL ptr deref when converting from inline format (Jan Kara) [Orabug: 33870266] {CVE-2022-0617}
- ipv4: tcp: send zero IPID in SYNACK messages (Eric Dumazet) [Orabug: 33917056] {CVE-2020-36516}
- ipv4: avoid using shared IP generator for connected sockets (Eric Dumazet) [Orabug: 33917056] {CVE-2020-36516}
- x86/speculation: Add knob for eibrs_retpoline_enabled (Patrick Colp) [Orabug: 33941936] {CVE-2021-26341}
- x86/speculation: Extend our code to properly support eibrs+lfence and eibrs+retpoline (Patrick Colp) [Orabug: 33941936] {CVE-2021-26341}
- x86/speculation: Update link to AMD speculation whitepaper (Kim Phillips) [Orabug: 33941936] {CVE-2021-26341}
- x86/speculation: Use generic retpoline by default on AMD (Kim Phillips) [Orabug: 33941936] {CVE-2021-26341}
- x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting (Josh Poimboeuf) [Orabug: 33941936] {CVE-2021-26341}
- Documentation/hw-vuln: Update spectre doc (Peter Zijlstra) [Orabug: 33941936] {CVE-2021-26341}
- x86/speculation: Add eIBRS + Retpoline options (Peter Zijlstra) [Orabug: 33941936] {CVE-2021-26341}
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE (Peter Zijlstra (Intel)) [Orabug: 33941936] {CVE-2021-26341}
- x86/speculation: Merge one test in spectre_v2_user_select_mitigation() (Borislav Petkov) [Orabug:
33941936] {CVE-2021-26341}
- x86/speculation: Update ALTERNATIVEs to (more closely) match upstream (Patrick Colp) [Orabug: 33941936] {CVE-2021-26341}
- x86/speculation: Fix bug in retpoline mode on AMD with (Patrick Colp) [Orabug: 33941936] {CVE-2021-26341}
Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
Plugin Details
Severity: High
ID: 159642
File Name: oraclelinux_ELSA-2022-9273.nasl
Version: 1.8
Type: local
Agent: unix
Published: 4/11/2022
Updated: 10/23/2024
Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Critical
Score: 9.4
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 6.3
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2021-22600
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 7.5
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
CVSS Score Source: CVE-2022-22942
Vulnerability Information
CPE: p-cpe:/a:oracle:linux:kernel-uek-debug-devel, p-cpe:/a:oracle:linux:perf, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:python-perf, p-cpe:/a:oracle:linux:kernel-uek-tools, p-cpe:/a:oracle:linux:kernel-uek-tools-libs, p-cpe:/a:oracle:linux:kernel-uek, p-cpe:/a:oracle:linux:kernel-uek-debug
Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/11/2022
Vulnerability Publication Date: 1/26/2022
CISA Known Exploited Vulnerability Due Dates: 5/2/2022
Exploitable With
Metasploit (vmwgfx Driver File Descriptor Handling Priv Esc)
Reference Information
CVE: CVE-2020-36516, CVE-2021-22600, CVE-2021-26341, CVE-2021-26401, CVE-2022-0617, CVE-2022-1016, CVE-2022-1158, CVE-2022-22942, CVE-2022-23960, CVE-2022-24448, CVE-2022-26966