LSN-0065-1: Kernel Live Patch Security Notice

9 April 2020

Several security issues were fixed in the kernel.

Releases

Software Description

  • aws - Linux kernel for Amazon Web Services (AWS) systems - (>= 4.4.0-1098)
  • azure - Linux kernel for Microsoft Azure Cloud systems - (>= 5.0.0-1025, >= 4.15.0-1063)
  • gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.0.0-1025)
  • generic-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
  • generic-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168)
  • lowlatency-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
  • lowlatency-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168)

Details

Andrew Honig reported a flaw in the way KVM (Kernel-based Virtual
Machine) emulated the IOAPIC. A privileged guest user could exploit
this flaw to read host memory or cause a denial of service (crash
the host). (CVE-2013-1798)

It was discovered that the KVM implementation in the Linux kernel,
when paravirtual TLB flushes are enabled in guests, the hypervisor in
some situations could miss deferred TLB flushes or otherwise mishandle
them. An attacker in a guest VM could use this to expose sensitive
information (read memory from another guest VM). (CVE-2019-3016)

Al Viro discovered that the vfs layer in the Linux kernel contained
a use- after-free vulnerability. A local attacker could use this to
cause a denial of service (system crash) or possibly expose sensitive
information (kernel memory). (CVE-2020-8428)

Checking update status

The problem can be corrected in these Livepatch versions:

Kernel type 18.04 16.04 14.04
aws 65.1
azure 65.1 65.1
gcp 65.1
generic-4.15 65.1 65.1
generic-4.4 65.1 65.1
lowlatency-4.15 65.1 65.1
lowlatency-4.4 65.1 65.1

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status