LSN-0103-1: Kernel Live Patch Security Notice
30 April 2024
Several security issues were fixed in the kernel.
Releases
Software Description
- aws - Linux kernel for Amazon Web Services (AWS) systems - (>= 5.4.0-1009, >= 5.4.0-1061, >= 5.15.0-1000)
- aws-5.15 - Linux kernel for Amazon Web Services (AWS) systems - (>= 5.15.0-1000)
- aws-5.4 - Linux kernel for Amazon Web Services (AWS) systems - (>= 5.4.0-1069)
- aws-6.5 - Linux kernel for Amazon Web Services (AWS) systems - (>= 6.5.0-1007)
- azure - Linux kernel for Microsoft Azure Cloud systems - (>= 5.4.0-1010, >= 5.15.0-1000)
- azure-5.4 - Linux kernel for Microsoft Azure cloud systems - (>= 5.4.0-1069)
- azure-6.5 - Linux kernel for Microsoft Azure cloud systems - (>= 6.5.0-1000)
- gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009, >= 5.15.0-1000)
- gcp-5.15 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.15.0-1000)
- gcp-5.4 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1069)
- gcp-6.5 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 6.5.0-1000)
- generic-5.15 - Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
- generic-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-150, >= 5.4.0-26)
- gke - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033, >= 5.15.0-1000)
- hwe-6.5 - Linux hardware enablement (HWE) kernel - (>= 6.5.0-5)
- ibm - Linux kernel for IBM cloud systems - (>= 5.15.0-1000)
- ibm-5.15 - Linux kernel for IBM cloud systems - (>= 5.15.0-1000)
- linux - Linux kernel - (>= 5.15.0-71, >= 5.15.0-24)
- lowlatency-5.15 - Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
- lowlatency-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-150, >= 5.4.0-26)
Details
Lonial Con discovered that the netfilter subsystem in the Linux kernel
contained a memory leak when handling certain element flush operations. A
local attacker could use this to expose sensitive information (kernel
memory).(CVE-2023-4569)
Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did
not properly handle inactive elements in its PIPAPO data structure, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-6817)
It was discovered that a race condition existed in the AppleTalk networking
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(CVE-2023-51781)
Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly check deactivated elements in certain situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.(CVE-2024-0193)
Lonial Con discovered that the netfilter subsystem in the Linux kernel did
not properly handle element deactivation in certain cases, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.(CVE-2024-1085)
Notselwyn discovered that the netfilter subsystem in the Linux kernel did
not properly handle verdict parameters in certain cases, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.(CVE-2024-1086)
In the Linux kernel, the following vulnerability has been
resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable
rmnet_link_ops assign a bigger maxtype which leads to a global out-of-
bounds read when parsing the netlink attributes. (CVE-2024-26597)
Checking update status
The problem can be corrected in these Livepatch versions:
| Kernel type | 22.04 | 20.04 | 18.04 |
|---|---|---|---|
| aws | 103.3 | 103.3 | — |
| aws-5.15 | — | 103.3 | — |
| aws-5.4 | — | — | 103.3 |
| aws-6.5 | 103.1 | — | — |
| azure | 103.3 | 103.3 | — |
| azure-5.4 | — | — | 103.3 |
| azure-6.5 | 103.1 | — | — |
| gcp | 103.3 | 103.3 | — |
| gcp-5.15 | — | 103.3 | — |
| gcp-5.4 | — | — | 103.3 |
| gcp-6.5 | 103.1 | — | — |
| generic-5.15 | — | 103.3 | — |
| generic-5.4 | — | 103.3 | 103.3 |
| gke | 103.3 | 103.3 | — |
| hwe-6.5 | 103.1 | — | — |
| ibm | 103.3 | — | — |
| ibm-5.15 | — | 103.3 | — |
| linux | 103.3 | — | — |
| lowlatency-5.15 | — | 103.3 | — |
| lowlatency-5.4 | — | 103.3 | 103.3 |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status