ISHACK AI BOT

Rocky Linux: CVE-2024-21138: java-21-openjdk (RLSA-2024-4573) Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 07/16/2024 Created 07/30/2024 Added 07/29/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) rocky-upgrade-java-21-openjdk rocky-upgrade-java-21-openjdk-debuginfo rocky-upgrade-java-21-openjdk-debugsource rocky-upgrade-java-21-openjdk-demo rocky-upgrade-java-21-openjdk-demo-fastdebug rocky-upgrade-java-21-openjdk-demo-slowdebug rocky-upgrade-java-21-openjdk-devel rocky-upgrade-java-21-openjdk-devel-debuginfo rocky-upgrade-java-21-openjdk-devel-fastdebug rocky-upgrade-java-21-openjdk-devel-fastdebug-debuginfo rocky-upgrade-java-21-openjdk-devel-slowdebug rocky-upgrade-java-21-openjdk-devel-slowdebug-debuginfo rocky-upgrade-java-21-openjdk-fastdebug rocky-upgrade-java-21-openjdk-fastdebug-debuginfo rocky-upgrade-java-21-openjdk-headless rocky-upgrade-java-21-openjdk-headless-debuginfo rocky-upgrade-java-21-openjdk-headless-fastdebug rocky-upgrade-java-21-openjdk-headless-fastdebug-debuginfo rocky-upgrade-java-21-openjdk-headless-slowdebug rocky-upgrade-java-21-openjdk-headless-slowdebug-debuginfo rocky-upgrade-java-21-openjdk-javadoc rocky-upgrade-java-21-openjdk-javadoc-zip rocky-upgrade-java-21-openjdk-jmods rocky-upgrade-java-21-openjdk-jmods-fastdebug rocky-upgrade-java-21-openjdk-jmods-slowdebug rocky-upgrade-java-21-openjdk-slowdebug rocky-upgrade-java-21-openjdk-slowdebug-debuginfo rocky-upgrade-java-21-openjdk-src rocky-upgrade-java-21-openjdk-src-fastdebug rocky-upgrade-java-21-openjdk-src-slowdebug rocky-upgrade-java-21-openjdk-static-libs rocky-upgrade-java-21-openjdk-static-libs-fastdebug rocky-upgrade-java-21-openjdk-static-libs-slowdebug References https://attackerkb.com/topics/cve-2024-21138 CVE - 2024-21138 https://errata.rockylinux.org/RLSA-2024:4573

AdoptOpenJDK: CVE-2024-21138: Vulnerability in the Hotspot component Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 07/16/2024 Created 07/26/2024 Added 07/23/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) adoptopenjdk-upgrade-latest References https://attackerkb.com/topics/cve-2024-21138 CVE - 2024-21138 https://adoptopenjdk.net/releases

Oracle E-Business Suite: CVE-2024-21132: Critical Patch Update Severity 5 CVSS (AV:N/AC:M/Au:S/C:P/I:P/A:N) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Purchasing product of Oracle E-Business Suite (component: Approvals).Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Purchasing.Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Purchasing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Purchasing accessible data as well asunauthorized read access to a subset of Oracle Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). Solution(s) oracle-ebs-jul-2024-cpu-12_2 References https://attackerkb.com/topics/cve-2024-21132 CVE - 2024-21132 https://support.oracle.com/epmos/faces/DocumentDisplay?id=3029477.1 https://www.oracle.com/security-alerts/cpujul2024.html

AdoptOpenJDK: CVE-2024-21131: Vulnerability in the Hotspot component Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/16/2024 Created 07/26/2024 Added 07/23/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Solution(s) adoptopenjdk-upgrade-latest References https://attackerkb.com/topics/cve-2024-21131 CVE - 2024-21131 https://adoptopenjdk.net/releases

Oracle Linux: CVE-2024-41008: ELSA-2024-7000:kernel security update (IMPORTANT) (Multiple Advisories) Severity 4 CVSS (AV:L/AC:L/Au:M/C:N/I:N/A:C) Published 07/16/2024 Created 10/24/2024 Added 10/16/2024 Modified 12/10/2024 Description In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: change vm->task_info handling This patch changes the handling and lifecycle of vm->task_info object. The major changes are: - vm->task_info is a dynamically allocated ptr now, and its uasge is reference counted. - introducing two new helper funcs for task_info lifecycle management - amdgpu_vm_get_task_info: reference counts up task_info before returning this info - amdgpu_vm_put_task_info: reference counts down task_info - last put to task_info() frees task_info from the vm. This patch also does logistical changes required for existing usage of vm->task_info. V2: Do not block all the prints when task_info not found (Felix) V3: Fixed review comments from Felix - Fix wrong indentation - No debug message for -ENOMEM - Add NULL check for task_info - Do not duplicate the debug messages (ti vs no ti) - Get first reference of task_info in vm_init(), put last in vm_fini() V4: Fixed review comments from Felix - fix double reference increment in create_task_info - change amdgpu_vm_get_task_info_pasid - additional changes in amdgpu_gem.c while porting Solution(s) oracle-linux-upgrade-kernel References https://attackerkb.com/topics/cve-2024-41008 CVE - 2024-41008 ELSA-2024-7000

Huawei EulerOS: CVE-2022-48809: kernel security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 10/10/2024 Added 10/09/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: fix a memleak when uncloning an skb dst and its metadata When uncloning an skb dst and its associated metadata, a new dst+metadata is allocated and later replaces the old one in the skb. This is helpful to have a non-shared dst+metadata attached to a specific skb. The issue is the uncloned dst+metadata is initialized with a refcount of 1, which is increased to 2 before attaching it to the skb. When tun_dst_unclone returns, the dst+metadata is only referenced from a single place (the skb) while its refcount is 2. Its refcount will never drop to 0 (when the skb is consumed), leading to a memory leak. Fix this by removing the call to dst_hold in tun_dst_unclone, as the dst+metadata refcount is already 1. Solution(s) huawei-euleros-2_0_sp12-upgrade-bpftool huawei-euleros-2_0_sp12-upgrade-kernel huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp12-upgrade-kernel-tools huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs huawei-euleros-2_0_sp12-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48809 CVE - 2022-48809 EulerOS-SA-2024-2544

Huawei EulerOS: CVE-2022-48850: kernel security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 11/06/2024 Added 11/05/2024 Modified 01/30/2025 Description In the Linux kernel, the following vulnerability has been resolved: net-sysfs: add check for netdevice being present to speed_show When bringing down the netdevice or system shutdown, a panic can be triggered while accessing the sysfs path because the device is already removed. [755.549084] mlx5_core 0000:12:00.1: Shutdown was called [756.404455] mlx5_core 0000:12:00.0: Shutdown was called ... [757.937260] BUG: unable to handle kernel NULL pointer dereference at (null) [758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280 crash> bt ... PID: 12649TASK: ffff8924108f2100CPU: 1 COMMAND: "amsd" ... #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778 [exception RIP: dma_pool_alloc+0x1ab] RIP: ffffffff8ee11acbRSP: ffff89240e1a3968RFLAGS: 00010046 RAX: 0000000000000246RBX: ffff89243d874100RCX: 0000000000001000 RDX: 0000000000000000RSI: 0000000000000246RDI: ffff89243d874090 RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00 R10: ffffffffc04680d4R11: ffffffff8edde9fdR12: 00000000000080d0 R13: ffff89243d874090R14: ffff89243d874080R15: 0000000000000000 ORIG_RAX: ffffffffffffffffCS: 0010SS: 0018 #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core] #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core] #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core] #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core] #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core] #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core] #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core] #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46 #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208 #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3 #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596 #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10 #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5 #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92 crash> net_device.state ffff89443b0c0000 state = 0x5(__LINK_STATE_START| __LINK_STATE_NOCARRIER) To prevent this scenario, we also make sure that the netdevice is present. Solution(s) huawei-euleros-2_0_sp12-upgrade-bpftool huawei-euleros-2_0_sp12-upgrade-kernel huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp12-upgrade-kernel-tools huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs huawei-euleros-2_0_sp12-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48850 CVE - 2022-48850 EulerOS-SA-2024-2806

Oracle WebLogic: CVE-2024-21182 : Critical Patch Update Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 07/16/2024 Created 07/27/2024 Added 07/25/2024 Modified 01/28/2025 Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).Supported versions that are affected are 12.2.1.4.0 and14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server.Successful attacks of this vulnerability can result inunauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Solution(s) oracle-weblogic-jul-2024-cpu-12_2_1_4_0 oracle-weblogic-jul-2024-cpu-14_1_1_0_0 References https://attackerkb.com/topics/cve-2024-21182 CVE - 2024-21182 http://www.oracle.com/security-alerts/cpujul2024.html https://support.oracle.com/rs?type=doc&id=3030266.2

Oracle Database: Critical Patch Update - July 2024 (CVE-2024-21123) Severity 1 CVSS (AV:L/AC:L/Au:M/C:N/I:P/A:N) Published 07/16/2024 Created 07/30/2024 Added 07/29/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Database Core component of Oracle Database Server.Supported versions that are affected are 19.3-19.23. Easily exploitable vulnerability allows high privileged attacker having SYSDBA privilege with logon to the infrastructure where Oracle Database Core executes to compromise Oracle Database Core.Successful attacks of this vulnerability can result inunauthorized update, insert or delete access to some of Oracle Database Core accessible data. CVSS 3.1 Base Score 2.3 (Integrity impacts).CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). Solution(s) oracle-apply-jul-2024-cpu References https://attackerkb.com/topics/cve-2024-21123 CVE - 2024-21123 http://www.oracle.com/security-alerts/cpujul2024.html https://support.oracle.com/rs?type=doc&id=3027813.1

VMware Photon OS: CVE-2022-48789 Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/16/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix possible use-after-free in transport error_recovery work While nvme_tcp_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_async_event and the error recovery handler itself changing the ctrl state. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2022-48789 CVE - 2022-48789

Ubuntu: (CVE-2021-47623): linux-intel-iotg-5.15 vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/16/2024 Created 11/21/2024 Added 11/19/2024 Modified 11/19/2024 Description In the Linux kernel, the following vulnerability has been resolved: powerpc/fixmap: Fix VM debug warning on unmap Unmapping a fixmap entry is done by calling __set_fixmap() with FIXMAP_PAGE_CLEAR as flags. Today, powerpc __set_fixmap() calls map_kernel_page(). map_kernel_page() is not happy when called a second time for the same page. WARNING: CPU: 0 PID: 1 at arch/powerpc/mm/pgtable.c:194 set_pte_at+0xc/0x1e8 CPU: 0 PID: 1 Comm: swapper Not tainted 5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty #682 NIP:c0017cd4 LR: c00187f0 CTR: 00000010 REGS: e1011d50 TRAP: 0700 Not tainted(5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty) MSR:00029032 <EE,ME,IR,DR,RI>CR: 42000208XER: 00000000 GPR00: c0165fec e1011e10 c14c0000 c0ee2550 ff800000 c0f3d000 00000000 c001686c GPR08: 00001000 b00045a9 00000001 c0f58460 c0f50000 00000000 c0007e10 00000000 GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 GPR24: 00000000 00000000 c0ee2550 00000000 c0f57000 00000ff8 00000000 ff800000 NIP [c0017cd4] set_pte_at+0xc/0x1e8 LR [c00187f0] map_kernel_page+0x9c/0x100 Call Trace: [e1011e10] [c0736c68] vsnprintf+0x358/0x6c8 (unreliable) [e1011e30] [c0165fec] __set_fixmap+0x30/0x44 [e1011e40] [c0c13bdc] early_iounmap+0x11c/0x170 [e1011e70] [c0c06cb0] ioremap_legacy_serial_console+0x88/0xc0 [e1011e90] [c0c03634] do_one_initcall+0x80/0x178 [e1011ef0] [c0c0385c] kernel_init_freeable+0xb4/0x250 [e1011f20] [c0007e34] kernel_init+0x24/0x140 [e1011f30] [c0016268] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 7fe3fb78 48019689 80010014 7c630034 83e1000c 5463d97e 7c0803a6 38210010 4e800020 81250000 712a0001 41820008 <0fe00000> 9421ffe0 93e1001c 48000030 Implement unmap_kernel_page() which clears an existing pte. Solution(s) ubuntu-upgrade-linux-intel-iotg-5-15 References https://attackerkb.com/topics/cve-2021-47623 CVE - 2021-47623 https://git.kernel.org/linus/aec982603aa8cc0a21143681feb5f60ecc69d718 https://git.kernel.org/stable/c/033fd42c18d9b2121595b6f1e8419a115f9ac5b7 https://git.kernel.org/stable/c/43ae0ccc4d2722b833fb59b905af129428e06d03 https://git.kernel.org/stable/c/67baac10dd5ad1e9f50e8f2659984b3b0728d54e https://git.kernel.org/stable/c/aec982603aa8cc0a21143681feb5f60ecc69d718 https://www.cve.org/CVERecord?id=CVE-2021-47623 View more

Ubuntu: (CVE-2022-48827): linux-intel-iotg-5.15 vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/16/2024 Created 11/21/2024 Added 11/19/2024 Modified 11/19/2024 Description In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix the behavior of READ near OFFSET_MAX Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to > the RPC read layers") on the client, a read of 0xfff is aligned up > to server rsize of 0x1000. > > As a result, in a test where the server has a file of size > 0x7fffffffffffffff, and the client tries to read from the offset > 0x7ffffffffffff000, the read causes loff_t overflow in the server > and it returns an NFS code of EINVAL to the client. The client as > a result indefinitely retries the request. The Linux NFS client does not handle NFS?ERR_INVAL, even though all NFS specifications permit servers to return that status code for a READ. Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed and return a short result. Set the EOF flag in the result to prevent the client from retrying the READ request. This behavior appears to be consistent with Solaris NFS servers. Note that NFSv3 and NFSv4 use u64 offset values on the wire. These must be converted to loff_t internally before use -- an implicit type cast is not adequate for this purpose. Otherwise VFS checks against sb->s_maxbytes do not work properly. Solution(s) ubuntu-upgrade-linux-intel-iotg-5-15 References https://attackerkb.com/topics/cve-2022-48827 CVE - 2022-48827 https://git.kernel.org/linus/0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 https://git.kernel.org/stable/c/0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 https://git.kernel.org/stable/c/1726a39b0879acfb490b22dca643f26f4f907da9 https://git.kernel.org/stable/c/44502aca8e02ab32d6b0eb52e006a5ec9402719b https://git.kernel.org/stable/c/c6eff5c4277146a78b4fb8c9b668dd64542c41b0 https://www.cve.org/CVERecord?id=CVE-2022-48827 View more

Ubuntu: (CVE-2022-48852): linux-intel-iotg-5.15 vulnerability Severity 2 CVSS (AV:L/AC:L/Au:S/C:P/I:N/A:N) Published 07/16/2024 Created 11/21/2024 Added 11/19/2024 Modified 02/11/2025 Description In the Linux kernel, the following vulnerability has been resolved: drm/vc4: hdmi: Unregister codec device on unbind On bind we will register the HDMI codec device but we don't unregister it on unbind, leading to a device leakage. Unregister our device at unbind. Solution(s) ubuntu-upgrade-linux-intel-iotg-5-15 ubuntu-upgrade-linux-realtime References https://attackerkb.com/topics/cve-2022-48852 CVE - 2022-48852 https://git.kernel.org/linus/e40945ab7c7f966d0c37b7bd7b0596497dfe228d https://git.kernel.org/stable/c/1ed68d776246f167aee9cd79f63f089c40a5e2a3 https://git.kernel.org/stable/c/e40945ab7c7f966d0c37b7bd7b0596497dfe228d https://git.kernel.org/stable/c/ee22082c3e2f230028afa0e22aa8773b1de3c919 https://www.cve.org/CVERecord?id=CVE-2022-48852

Ubuntu: USN-7039-1 (CVE-2022-48850): Linux kernel vulnerabilities Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 09/28/2024 Added 09/27/2024 Modified 01/30/2025 Description In the Linux kernel, the following vulnerability has been resolved: net-sysfs: add check for netdevice being present to speed_show When bringing down the netdevice or system shutdown, a panic can be triggered while accessing the sysfs path because the device is already removed. [755.549084] mlx5_core 0000:12:00.1: Shutdown was called [756.404455] mlx5_core 0000:12:00.0: Shutdown was called ... [757.937260] BUG: unable to handle kernel NULL pointer dereference at (null) [758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280 crash> bt ... PID: 12649TASK: ffff8924108f2100CPU: 1 COMMAND: "amsd" ... #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778 [exception RIP: dma_pool_alloc+0x1ab] RIP: ffffffff8ee11acbRSP: ffff89240e1a3968RFLAGS: 00010046 RAX: 0000000000000246RBX: ffff89243d874100RCX: 0000000000001000 RDX: 0000000000000000RSI: 0000000000000246RDI: ffff89243d874090 RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00 R10: ffffffffc04680d4R11: ffffffff8edde9fdR12: 00000000000080d0 R13: ffff89243d874090R14: ffff89243d874080R15: 0000000000000000 ORIG_RAX: ffffffffffffffffCS: 0010SS: 0018 #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core] #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core] #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core] #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core] #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core] #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core] #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core] #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46 #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208 #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3 #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596 #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10 #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5 #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92 crash> net_device.state ffff89443b0c0000 state = 0x5(__LINK_STATE_START| __LINK_STATE_NOCARRIER) To prevent this scenario, we also make sure that the netdevice is present. Solution(s) ubuntu-upgrade-linux-image-4-4-0-1136-aws ubuntu-upgrade-linux-image-4-4-0-1137-kvm ubuntu-upgrade-linux-image-4-4-0-1174-aws ubuntu-upgrade-linux-image-4-4-0-259-generic ubuntu-upgrade-linux-image-4-4-0-259-lowlatency ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-lts-utopic ubuntu-upgrade-linux-image-generic-lts-vivid ubuntu-upgrade-linux-image-generic-lts-wily ubuntu-upgrade-linux-image-generic-lts-xenial ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-lts-utopic ubuntu-upgrade-linux-image-lowlatency-lts-vivid ubuntu-upgrade-linux-image-lowlatency-lts-wily ubuntu-upgrade-linux-image-lowlatency-lts-xenial ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-lts-utopic ubuntu-upgrade-linux-image-virtual-lts-vivid ubuntu-upgrade-linux-image-virtual-lts-wily ubuntu-upgrade-linux-image-virtual-lts-xenial References https://attackerkb.com/topics/cve-2022-48850 CVE - 2022-48850 USN-7039-1

Amazon Linux AMI 2: CVE-2024-21138: Security patch for java-1.8.0-amazon-corretto, java-1.8.0-openjdk, java-11-amazon-corretto, java-11-openjdk, java-17-amazon-corretto (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:P) Published 07/16/2024 Created 07/23/2024 Added 07/23/2024 Modified 01/28/2025 Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). Solution(s) amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto amazon-linux-ami-2-upgrade-java-1-8-0-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-1-8-0-openjdk amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-accessibility-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-debuginfo amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-demo-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-devel-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-headless-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-javadoc-zip-debug amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src amazon-linux-ami-2-upgrade-java-1-8-0-openjdk-src-debug amazon-linux-ami-2-upgrade-java-11-amazon-corretto amazon-linux-ami-2-upgrade-java-11-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-11-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-11-openjdk amazon-linux-ami-2-upgrade-java-11-openjdk-debug amazon-linux-ami-2-upgrade-java-11-openjdk-debuginfo amazon-linux-ami-2-upgrade-java-11-openjdk-demo amazon-linux-ami-2-upgrade-java-11-openjdk-demo-debug amazon-linux-ami-2-upgrade-java-11-openjdk-devel amazon-linux-ami-2-upgrade-java-11-openjdk-devel-debug amazon-linux-ami-2-upgrade-java-11-openjdk-headless amazon-linux-ami-2-upgrade-java-11-openjdk-headless-debug amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-debug amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip amazon-linux-ami-2-upgrade-java-11-openjdk-javadoc-zip-debug amazon-linux-ami-2-upgrade-java-11-openjdk-jmods amazon-linux-ami-2-upgrade-java-11-openjdk-jmods-debug amazon-linux-ami-2-upgrade-java-11-openjdk-src amazon-linux-ami-2-upgrade-java-11-openjdk-src-debug amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs amazon-linux-ami-2-upgrade-java-11-openjdk-static-libs-debug amazon-linux-ami-2-upgrade-java-17-amazon-corretto amazon-linux-ami-2-upgrade-java-17-amazon-corretto-devel amazon-linux-ami-2-upgrade-java-17-amazon-corretto-headless amazon-linux-ami-2-upgrade-java-17-amazon-corretto-javadoc amazon-linux-ami-2-upgrade-java-17-amazon-corretto-jmods References https://attackerkb.com/topics/cve-2024-21138 AL2/ALAS-2024-2599 AL2/ALAS-2024-2600 AL2/ALAS-2024-2720 AL2/ALASCORRETTO8-2024-013 AL2/ALASJAVA-OPENJDK11-2024-010 CVE - 2024-21138

Ubuntu: (CVE-2022-48835): linux-hwe-5.15 vulnerability Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 11/21/2024 Added 11/19/2024 Modified 02/11/2025 Description In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Page fault in reply q processing A page fault was encountered in mpt3sas on a LUN reset error path: [145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0) [145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2) [145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2) [145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00 [145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0) [145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0) [149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002) [149.875202] BUG: unable to handle page fault for address: 00000007fffc445d [149.885617] #PF: supervisor read access in kernel mode [149.894346] #PF: error_code(0x0000) - not-present page [149.903123] PGD 0 P4D 0 [149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI [149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S O5.10.89-altav-1 #1 [149.934327] Hardware name: DDN 200NVX2 /200NVX2-MB, BIOS ATHG2.2.02.01 09/10/2021 [149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas] [149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee [149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246 [150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071 [150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8 [150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff [150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000 [150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80 [150.054963] FS:0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000 [150.066715] CS:0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0 [150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [150.108323] PKRU: 55555554 [150.114690] Call Trace: [150.120497]? printk+0x48/0x4a [150.127049]mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas] [150.136453]mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas] [150.145759]scsih_dev_reset+0xea/0x300 [mpt3sas] [150.153891]scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod] [150.162206]? __scsi_host_match+0x20/0x20 [scsi_mod] [150.170406]? scsi_try_target_reset+0x90/0x90 [scsi_mod] [150.178925]? blk_mq_tagset_busy_iter+0x45/0x60 [150.186638]? scsi_try_target_reset+0x90/0x90 [scsi_mod] [150.195087]scsi_error_handler+0x3a5/0x4a0 [scsi_mod] [150.203206]? __schedule+0x1e9/0x610 [150.209783]? scsi_eh_get_sense+0x210/0x210 [scsi_mod] [150.217924]kthread+0x12e/0x150 [150.224041]? kthread_worker_fn+0x130/0x130 [150.231206]ret_from_fork+0x1f/0x30 This is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q pointer outside of the list_for_each_entry() loop. At the end of the full list traversal the pointer is invalid. Move the _base_process_reply_queue() call inside of the loop. Solution(s) ubuntu-upgrade-linux-azure-5-15 ubuntu-upgrade-linux-hwe-5-15 ubuntu-upgrade-linux-intel-iotg ubuntu-upgrade-linux-intel-iotg-5-15 ubuntu-upgrade-linux-lowlatency-hwe-5-15 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-realtime References https://attackerkb.com/topics/cve-2022-48835 CVE - 2022-48835 https://git.kernel.org/linus/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3 https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05 https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3 https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413 https://www.cve.org/CVERecord?id=CVE-2022-48835 View more

Ubuntu: (CVE-2022-48837): linux vulnerability Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 07/16/2024 Created 11/21/2024 Added 11/19/2024 Modified 02/11/2025 Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: prevent integer overflow in rndis_set_response() If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. Solution(s) ubuntu-upgrade-linux ubuntu-upgrade-linux-aws ubuntu-upgrade-linux-aws-5-4 ubuntu-upgrade-linux-aws-fips ubuntu-upgrade-linux-aws-hwe ubuntu-upgrade-linux-azure ubuntu-upgrade-linux-azure-4-15 ubuntu-upgrade-linux-azure-5-15 ubuntu-upgrade-linux-azure-5-4 ubuntu-upgrade-linux-azure-fips ubuntu-upgrade-linux-fips ubuntu-upgrade-linux-gcp ubuntu-upgrade-linux-gcp-4-15 ubuntu-upgrade-linux-gcp-5-4 ubuntu-upgrade-linux-gcp-fips ubuntu-upgrade-linux-gkeop ubuntu-upgrade-linux-hwe ubuntu-upgrade-linux-hwe-5-15 ubuntu-upgrade-linux-hwe-5-4 ubuntu-upgrade-linux-ibm ubuntu-upgrade-linux-ibm-5-4 ubuntu-upgrade-linux-intel-iotg ubuntu-upgrade-linux-kvm ubuntu-upgrade-linux-lowlatency-hwe-5-15 ubuntu-upgrade-linux-oracle ubuntu-upgrade-linux-oracle-5-4 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-raspi-5-4 ubuntu-upgrade-linux-realtime References https://attackerkb.com/topics/cve-2022-48837 CVE - 2022-48837 https://git.kernel.org/linus/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7 https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65 https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90 https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0 https://www.cve.org/CVERecord?id=CVE-2022-48837 View more

Ubuntu: (CVE-2022-48812): linux-intel-iotg-5.15 vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/16/2024 Created 11/21/2024 Added 11/19/2024 Modified 11/19/2024 Description In the Linux kernel, the following vulnerability has been resolved: net: dsa: lantiq_gswip: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The GSWIP switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the GSWIP switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The gswip driver has the code structure in place for orderly mdiobus removal, so just replace devm_mdiobus_alloc() with the non-devres variant, and add manual free where necessary, to ensure that we don't let devres free a still-registered bus. Solution(s) ubuntu-upgrade-linux-intel-iotg-5-15 References https://attackerkb.com/topics/cve-2022-48812 CVE - 2022-48812 https://git.kernel.org/linus/0d120dfb5d67edc5bcd1804e167dba2b30809afd https://git.kernel.org/stable/c/0d120dfb5d67edc5bcd1804e167dba2b30809afd https://git.kernel.org/stable/c/2443ba2fe396bdde187a2fdfa6a57375643ae93c https://git.kernel.org/stable/c/b5652bc50dde7b84e93dfb25479b64b817e377c1 https://git.kernel.org/stable/c/e177d2e85ebcd3008c4b2abc293f4118e04eedef https://www.cve.org/CVERecord?id=CVE-2022-48812 View more

Ubuntu: (CVE-2022-48811): linux-intel-iotg-5.15 vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/16/2024 Created 11/21/2024 Added 11/19/2024 Modified 11/19/2024 Description In the Linux kernel, the following vulnerability has been resolved: ibmvnic: don't release napi in __ibmvnic_open() If __ibmvnic_open() encounters an error such as when setting link state, it calls release_resources() which frees the napi structures needlessly. Instead, have __ibmvnic_open() only clean up the work it did so far (i.e. disable napi and irqs) and leave the rest to the callers. If caller of __ibmvnic_open() is ibmvnic_open(), it should release the resources immediately. If the caller is do_reset() or do_hard_reset(), they will release the resources on the next reset. This fixes following crash that occurred when running the drmgr command several times to add/remove a vnic interface: [102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq [102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq [102056] ibmvnic 30000003 env3: Replenished 8 pools Kernel attempted to read user page (10) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000010 Faulting instruction address: 0xc000000000a3c840 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries ... CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1 Workqueue: events_long __ibmvnic_reset [ibmvnic] NIP:c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820 REGS: c0000000548e37e0 TRAP: 0300 Not tainted(5.16.0-rc5-autotest-g6441998e2e37) MSR:8000000000009033 <SF,EE,ME,IR,DR,RI,LE>CR: 28248484XER: 00000004 CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0 GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000 ... NIP [c000000000a3c840] napi_enable+0x20/0xc0 LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic] Call Trace: [c0000000548e3a80] [0000000000000006] 0x6 (unreliable) [c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic] [c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic] [c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570 [c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660 [c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0 [c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010 38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020 ---[ end trace 5f8033b08fd27706 ]--- Solution(s) ubuntu-upgrade-linux-intel-iotg-5-15 References https://attackerkb.com/topics/cve-2022-48811 CVE - 2022-48811 https://git.kernel.org/linus/61772b0908c640d0309c40f7d41d062ca4e979fa https://git.kernel.org/stable/c/61772b0908c640d0309c40f7d41d062ca4e979fa https://git.kernel.org/stable/c/960dfaf3b578dd23af012590e809ae2d58ba1827 https://git.kernel.org/stable/c/e08cb9056fb2564d1f6bad789bdf79ab09bf2f81 https://www.cve.org/CVERecord?id=CVE-2022-48811

Oracle MySQL Vulnerability: CVE-2024-21176 Severity 6 CVSS (AV:N/AC:M/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling).Supported versions that are affected are 8.4.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2024-21176 CVE - 2024-21176 https://www.oracle.com/security-alerts/cpujul2024.html

Oracle MySQL Vulnerability: CVE-2024-21177 Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 07/27/2024 Added 07/26/2024 Modified 01/28/2025 Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).Supported versions that are affected are 8.0.37 and prior and8.4.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts).CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Solution(s) mysql-upgrade-latest References https://attackerkb.com/topics/cve-2024-21177 CVE - 2024-21177 https://www.oracle.com/security-alerts/cpujul2024.html

Huawei EulerOS: CVE-2022-48853: kernel security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 07/16/2024 Created 10/10/2024 Added 10/09/2024 Modified 01/30/2025 Description In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and thebuffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). This mapping involves bouncing via the swiotlb (we need swiotlb to do virtio in protected guest like s390 Secure Execution, or AMD SEV). 4) When the SCSI TUR is done, we first copy back the content of the second (that is swiotlb) bounce buffer (which most likely contains some previous IO data), to the first bounce buffer, which contains all zeros.Then we copy back the content of the first bounce buffer to the user-space buffer. 5) The test case detects that the buffer, which it zero-initialized, ain't all zeros and fails. One can argue that this is an swiotlb problem, because without swiotlb we leak all zeros, and the swiotlb should be transparent in a sense that it does not affect the outcome (if all other participants are well behaved). Copying the content of the original buffer into the swiotlb buffer is the only way I can think of to make swiotlb transparent in such scenarios. So let's do just that if in doubt, but allow the driver to tell us that the whole mapped buffer is going to be overwritten, in which case we can preserve the old behavior and avoid the performance impact of the extra bounce. Solution(s) huawei-euleros-2_0_sp12-upgrade-bpftool huawei-euleros-2_0_sp12-upgrade-kernel huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp12-upgrade-kernel-tools huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs huawei-euleros-2_0_sp12-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48853 CVE - 2022-48853 EulerOS-SA-2024-2544

Huawei EulerOS: CVE-2022-48790: kernel security update Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 07/16/2024 Created 11/27/2024 Added 11/26/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: nvme: fix a possible use-after-free in controller reset during load Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl readiness for AER submission. This may lead to a use-after-free condition that was observed with nvme-tcp. The race condition may happen in the following scenario: 1. driver executes its reset_ctrl_work 2. -> nvme_stop_ctrl - flushes ctrl async_event_work 3. ctrl sends AEN which is received by the host, which in turn schedules AEN handling 4. teardown admin queue (which releases the queue socket) 5. AEN processed, submits another AER, calling the driver to submit 6. driver attempts to send the cmd ==> use-after-free In order to fix that, add ctrl state check to validate the ctrl is actually able to accept the AER submission. This addresses the above race in controller resets because the driver during teardown should: 1. change ctrl state to RESETTING 2. flush async_event_work (as well as other async work elements) So after 1,2, any other AER command will find the ctrl state to be RESETTING and bail out without submitting the AER. Solution(s) huawei-euleros-2_0_sp12-upgrade-bpftool huawei-euleros-2_0_sp12-upgrade-kernel huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp12-upgrade-kernel-tools huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs huawei-euleros-2_0_sp12-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48790 CVE - 2022-48790 EulerOS-SA-2024-2929

Huawei EulerOS: CVE-2022-48836: kernel security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/16/2024 Created 11/06/2024 Added 11/05/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: Input: aiptek - properly check endpoint type Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. There was a check for the number of endpoints, but not for the type of endpoint. Fix it by replacing old desc.bNumEndpoints check with usb_find_common_endpoints() helper for finding endpoints Fail log: usb 5-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: usb_hub_wq hub_event ... Call Trace: <TASK> aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830 input_open_device+0x1bb/0x320 drivers/input/input.c:629 kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593 Solution(s) huawei-euleros-2_0_sp12-upgrade-bpftool huawei-euleros-2_0_sp12-upgrade-kernel huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp12-upgrade-kernel-tools huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs huawei-euleros-2_0_sp12-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48836 CVE - 2022-48836 EulerOS-SA-2024-2806

Huawei EulerOS: CVE-2022-48805: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/16/2024 Created 10/10/2024 Added 10/09/2024 Modified 10/09/2024 Description In the Linux kernel, the following vulnerability has been resolved: net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup ax88179_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by a cloned SKB that has already been handed off into the network stack. - A packet SKB can be constructed whose tail is far beyond its end, causing out-of-bounds heap data to be considered part of the SKB's data. I have tested that this can be used by a malicious USB device to send a bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response that contains random kernel heap data. It's probably also possible to get OOB writes from this on a little-endian system somehow - maybe by triggering skb_cow() via IP options processing -, but I haven't tested that. Solution(s) huawei-euleros-2_0_sp12-upgrade-bpftool huawei-euleros-2_0_sp12-upgrade-kernel huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp12-upgrade-kernel-tools huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs huawei-euleros-2_0_sp12-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-48805 CVE - 2022-48805 EulerOS-SA-2024-2544