LSN-0086-1: Kernel Live Patch Security Notice
2 June 2022
Several security issues were fixed in the kernel.
Releases
Software Description
- aws - Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1054, >= 5.4.0-1009, >= 5.4.0-1061, >= 4.4.0-1098, >= 4.4.0-1129)
- aws-5.4 - Linux kernel for Amazon Web Services (AWS) systems - (>= 5.4.0-1069)
- aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems - (>= 4.15.0-1126)
- azure - Linux kernel for Microsoft Azure Cloud systems - (>= 5.4.0-1010, >= 4.15.0-1063, >= 4.15.0-1078, >= 4.15.0-1114)
- azure-4.15 - Linux kernel for Microsoft Azure Cloud systems - (>= 4.15.0-1115)
- azure-5.4 - Linux kernel for Microsoft Azure cloud systems - (>= 5.4.0-1069)
- gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009, >= 5.15.0-1000, >= 4.15.0-1118)
- gcp-4.15 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 4.15.0-1121)
- gcp-5.4 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1069)
- generic-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-69)
- generic-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
- generic-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
- gke - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033, >= 5.15.0-1000)
- gke-4.15 - Linux kernel for Google Container Engine (GKE) systems - (>= 4.15.0-1076)
- gke-5.4 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
- gkeop - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
- gkeop-5.4 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1007)
- ibm - Linux kernel for IBM cloud systems - (>= 5.4.0-1009, >= 5.15.0-1000)
- ibm-5.4 - Linux kernel for IBM cloud systems - (>= 5.4.0-1009)
- linux - Linux kernel - (>= 5.15.0-24)
- lowlatency - Linux low latency kernel - (>= 5.15.0-25)
- lowlatency-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-69)
- lowlatency-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
- lowlatency-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
- oem - Linux kernel for OEM systems - (>= 4.15.0-1063)
Details
It was discovered that a race condition existed in the network scheduling
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(CVE-2021-39713)
Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the
Linux kernel did not properly restrict access to the cgroups v1
release_agent feature. A local attacker could use this to gain
administrative privileges.(CVE-2022-0492)
It was discovered that the network traffic control implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code.(CVE-2022-1055)
Bing-Jhong Billy Jheng discovered that the io_uring subsystem in the Linux
kernel contained in integer overflow. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.(CVE-2022-1116)
It was discovered that the Linux kernel did not properly restrict access to
the kernel debugger when booted in secure boot environments. A privileged
attacker could use this to bypass UEFI Secure Boot restrictions.(CVE-2022-21499)
Kyle Zeng discovered that the Network Queuing and Scheduling subsystem of
the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code.(CVE-2022-29581)
Jann Horn discovered that the Linux kernel did not properly enforce seccomp
restrictions in some situations. A local attacker could use this to bypass
intended seccomp sandbox restrictions.(CVE-2022-30594)
Checking update status
The problem can be corrected in these Livepatch versions:
| Kernel type | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
|---|---|---|---|---|---|
| aws | — | 86.3 | 86.3 | 86.3 | — |
| aws-5.4 | — | — | 86.3 | — | — |
| aws-hwe | — | — | — | 86.3 | — |
| azure | — | 86.3 | — | 86.3 | — |
| azure-4.15 | — | — | 86.3 | — | — |
| azure-5.4 | — | — | 86.3 | — | — |
| gcp | 86.4 | 86.3 | — | 86.3 | — |
| gcp-4.15 | — | — | 86.3 | — | — |
| gcp-5.4 | — | — | 86.3 | — | — |
| generic-4.15 | — | — | 86.3 | 86.3 | — |
| generic-4.4 | — | — | — | 86.3 | 86.3 |
| generic-5.4 | — | 86.3 | 86.3 | — | — |
| gke | 86.4 | 86.3 | — | — | — |
| gke-4.15 | — | — | 86.3 | — | — |
| gke-5.4 | — | — | 86.3 | — | — |
| gkeop | — | 86.3 | — | — | — |
| gkeop-5.4 | — | — | 86.3 | — | — |
| ibm | 86.4 | 86.3 | — | — | — |
| ibm-5.4 | — | — | 86.3 | — | — |
| linux | 86.4 | — | — | — | — |
| lowlatency | 86.4 | — | — | — | — |
| lowlatency-4.15 | — | — | 86.3 | 86.3 | — |
| lowlatency-4.4 | — | — | — | 86.3 | 86.3 |
| lowlatency-5.4 | — | 86.3 | 86.3 | — | — |
| oem | — | — | 86.3 | — | — |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status