LSN-0087-1: Kernel Live Patch Security Notice

Publication date

16 June 2022

Overview

Several security issues were fixed in the kernel.


Software description

  • aws – Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1054, >= 4.15.0-1119, >= 5.4.0-1009, >= 5.4.0-1061, >= 4.4.0-1098, >= 4.4.0-1129)
  • aws-5.4 – Linux kernel for Amazon Web Services (AWS) systems - (>= 5.4.0-1069)
  • aws-hwe – Linux kernel for Amazon Web Services (AWS-HWE) systems - (>= 4.15.0-1126)
  • azure – Linux kernel for Microsoft Azure Cloud systems - (>= 5.4.0-1010, >= 4.15.0-1063, >= 4.15.0-1078, >= 4.15.0-1114)
  • azure-4.15 – Linux kernel for Microsoft Azure Cloud systems - (>= 4.15.0-1115)
  • azure-5.4 – Linux kernel for Microsoft Azure cloud systems - (>= 5.4.0-1069)
  • gcp – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009, >= 5.15.0-1000, >= 4.15.0-1118)
  • gcp-4.15 – Linux kernel for Google Cloud Platform (GCP) systems - (>= 4.15.0-1121)
  • gcp-5.4 – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1069)
  • generic-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-69)
  • generic-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  • aws – Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1054, >= 4.15.0-1119, >= 5.4.0-1009, >= 5.4.0-1061, >= 4.4.0-1098, >= 4.4.0-1129)
  • aws-5.4 – Linux kernel for Amazon Web Services (AWS) systems - (>= 5.4.0-1069)
  • aws-hwe – Linux kernel for Amazon Web Services (AWS-HWE) systems - (>= 4.15.0-1126)
  • azure – Linux kernel for Microsoft Azure Cloud systems - (>= 5.4.0-1010, >= 4.15.0-1063, >= 4.15.0-1078, >= 4.15.0-1114)
  • azure-4.15 – Linux kernel for Microsoft Azure Cloud systems - (>= 4.15.0-1115)
  • azure-5.4 – Linux kernel for Microsoft Azure cloud systems - (>= 5.4.0-1069)
  • gcp – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009, >= 5.15.0-1000, >= 4.15.0-1118)
  • gcp-4.15 – Linux kernel for Google Cloud Platform (GCP) systems - (>= 4.15.0-1121)
  • gcp-5.4 – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1069)
  • generic-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-69)
  • generic-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  • generic-5.4 – Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  • gke – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033, >= 5.15.0-1000)
  • gke-4.15 – Linux kernel for Google Container Engine (GKE) systems - (>= 4.15.0-1076)
  • gke-5.4 – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
  • gkeop – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
  • gkeop-5.4 – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1007)
  • ibm – Linux kernel for IBM cloud systems - (>= 5.4.0-1009, >= 5.15.0-1000)
  • linux – Linux kernel - (>= 5.15.0-24)
  • lowlatency – Linux low latency kernel - (>= 5.15.0-25)
  • lowlatency-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-69)
  • lowlatency-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  • lowlatency-5.4 – Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  • oem – Linux kernel for OEM systems - (>= 4.15.0-1063)

Details

Aaron Adams discovered that the netfilter subsystem in the Linux kernel did
not properly handle the removal of stateful expressions in some situations,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or execute arbitrary code.(CVE-2022-1966)

Ziming Zhang discovered that the netfilter subsystem in the Linux kernel
did not properly validate sets with multiple ranged fields. A local
attacker could use this to cause a denial of service or execute arbitrary
code.(CVE-2022-1972)

Aaron Adams discovered that the netfilter subsystem in the Linux kernel did
not properly handle the removal of stateful expressions in some situations,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or execute arbitrary code.(CVE-2022-1966)

Ziming Zhang discovered that the netfilter subsystem in the Linux kernel
did not properly validate sets with multiple ranged fields. A local
attacker could use this to cause a denial of service or execute arbitrary
code.(CVE-2022-1972)

Checking update status

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status

The problem can be corrected in these Livepatch versions:

Kernel type 22.04 20.04 18.04 16.04 14.04
aws 87.1 87.2 87.1
aws-5.4 87.1
aws-hwe 87.2
azure 87.1 87.1
azure-4.15 87.1
azure-5.4 87.1
gcp 87.1 87.1 87.1
gcp-4.15 87.1
gcp-5.4 87.1
generic-4.15 87.1 87.1
generic-4.4 87.1 87.1
generic-5.4 87.1 87.1
gke 87.1 87.1
gke-4.15 87.1
gke-5.4 87.1
gkeop 87.1
gkeop-5.4 87.1
ibm 87.1 87.1
linux 87.1
lowlatency 87.1
lowlatency-4.15 87.1 87.1
lowlatency-4.4 87.1 87.1
lowlatency-5.4 87.1 87.1
oem 87.1

References


Have additional questions?

Talk to a member of the team ›