ALAS-2017-805

Important: kernel

Published: 2017-03-06 14:00:00
Source: alas.aws.amazon.com

CVSS3: 9.8 High
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Privileges Required: NONE
    User Interaction: NONE
    Scope: UNCHANGED
    Confidentiality Impact: HIGH
    Integrity Impact: HIGH
    Availability Impact: HIGH
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
    Access Vector: NETWORK
    Access Complexity: LOW
    Authentication: NONE
    Confidentiality Impact: PARTIAL
    Integrity Impact: PARTIAL
    Availability Impact: PARTIAL
    Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.042 Low
    Percentile: 92.1%

Issue Overview:

A use-after-free flaw was found in the way the Linux kernel’s Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074)

A vulnerability was found in the Linux kernel. When file permissions are modified via chmod and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn’t clear the setgid bit in a similar way; this allows the check in chmod to be bypassed. (CVE-2016-7097)

A vulnerability was found in the Linux kernel’s “tmpfs” file system. When file permissions are modified via “chmod” and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via “setxattr” sets the file permissions as well as the new ACL, but doesn’t clear the setgid bit in a similar way; this allows the check in “chmod” to be bypassed. (CVE-2017-5551)

An issue was found in the Linux kernel ipv6 implementation of GRE tunnels which allows a remote attacker to trigger an out-of-bounds access. (CVE-2017-5897)

It was discovered that an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. (CVE-2017-5986)

A vulnerability was found in the Linux kernel where having malicious IP options present would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possible privilege escalation. (CVE-2017-5970)

A flaw was found in the Linux kernel’s handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality can allow a remote attacker to force the kernel to enter a condition in which it can loop indefinitely. (CVE-2017-6214)

(Updated on 2017-03-21: CVE-2017-5970 was fixed in this release but was previously not part of this errata.)

(Updated on 2017-06-07: CVE-2017-6214 was fixed in this release but was previously not part of this errata.)

Affected Packages:

kernel

Issue Correction:
Run yum update kernel to update your system. You will need to reboot your system in order for the new kernel to be running.
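Because the fix only takes effect after a reboot, an installed kernel package is not the same as a running one. The following shell snippet is an added example, not part of the advisory: it compares a `uname -r` release string against the fixed version 4.4.51-40.58.amzn1 listed in this errata, and the report helper `check_host` is a constructed name; GNU `sort -V` is assumed to be available.

```shell
# Added example (not from the advisory): verify that an Amazon Linux host is
# running a kernel at or above the version fixed in ALAS-2017-805.
FIXED_KERNEL="4.4.51-40.58.amzn1"

# vercmp_ge A B: succeed if version string A sorts at or above B.
# sort -V orders e.g. 4.4.41-36.55.amzn1 before 4.4.51-40.58.amzn1.
vercmp_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# kernel_is_fixed RELEASE: RELEASE is a `uname -r` string such as
# "4.4.51-40.58.amzn1.x86_64"; the architecture suffix is stripped first.
kernel_is_fixed() {
    rel="${1%.x86_64}"
    rel="${rel%.i686}"
    vercmp_ge "$rel" "$FIXED_KERNEL"
}

# check_host RELEASE: report the running kernel, and if it is still old,
# whether a fixed kernel package is already installed (reboot pending).
check_host() {
    running="$1"
    if kernel_is_fixed "$running"; then
        echo "running kernel $running is at or above $FIXED_KERNEL"
        return 0
    fi
    echo "running kernel $running is older than $FIXED_KERNEL"
    if command -v rpm >/dev/null 2>&1; then
        # newest installed kernel package as VERSION-RELEASE, e.g. 4.4.51-40.58.amzn1
        newest="$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' 2>/dev/null | sort -V | tail -n 1)"
        if [ -n "$newest" ] && kernel_is_fixed "$newest"; then
            echo "fixed kernel $newest is installed but not running: reboot required"
        fi
    fi
    return 1
}

# Report on this host; exit status 0 means the running kernel is fixed.
check_host "$(uname -r)" || true
```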

New Packages:

i686:  
    kernel-devel-4.4.51-40.58.amzn1.i686  
    kernel-headers-4.4.51-40.58.amzn1.i686  
    kernel-tools-4.4.51-40.58.amzn1.i686  
    perf-debuginfo-4.4.51-40.58.amzn1.i686  
    perf-4.4.51-40.58.amzn1.i686  
    kernel-tools-debuginfo-4.4.51-40.58.amzn1.i686  
    kernel-debuginfo-common-i686-4.4.51-40.58.amzn1.i686  
    kernel-debuginfo-4.4.51-40.58.amzn1.i686  
    kernel-tools-devel-4.4.51-40.58.amzn1.i686  
    kernel-4.4.51-40.58.amzn1.i686  
  
noarch:  
    kernel-doc-4.4.51-40.58.amzn1.noarch  
  
src:  
    kernel-4.4.51-40.58.amzn1.src  
  
x86_64:  
    kernel-debuginfo-common-x86_64-4.4.51-40.58.amzn1.x86_64  
    kernel-tools-4.4.51-40.58.amzn1.x86_64  
    kernel-4.4.51-40.58.amzn1.x86_64  
    perf-debuginfo-4.4.51-40.58.amzn1.x86_64  
    perf-4.4.51-40.58.amzn1.x86_64  
    kernel-tools-debuginfo-4.4.51-40.58.amzn1.x86_64  
    kernel-tools-devel-4.4.51-40.58.amzn1.x86_64  
    kernel-debuginfo-4.4.51-40.58.amzn1.x86_64  
    kernel-devel-4.4.51-40.58.amzn1.x86_64  
    kernel-headers-4.4.51-40.58.amzn1.x86_64  

Additional References

Red Hat: CVE-2016-7097, CVE-2017-5551, CVE-2017-5897, CVE-2017-5970, CVE-2017-5986, CVE-2017-6074, CVE-2017-6214

Mitre: CVE-2016-7097, CVE-2017-5551, CVE-2017-5897, CVE-2017-5970, CVE-2017-5986, CVE-2017-6074, CVE-2017-6214
