Important: kernel

Issue Overview:

2024-04-24: CVE-2021-46953 was added to this advisory.

2024-04-24: CVE-2021-46939 was added to this advisory.

2024-04-24: CVE-2021-46950 was added to this advisory.

2024-04-24: CVE-2021-46938 was added to this advisory.

2024-03-13: CVE-2021-46906 was added to this advisory.

A vulnerability was found in the bluez, where Passkey Entry protocol used in Secure Simple Pairing (SSP), Secure Connections (SC) and LE Secure Connections (LESC) of the Bluetooth Core Specification is vulnerable to an impersonation attack where an active attacker can impersonate the initiating device without any previous knowledge. (CVE-2020-26558)

A flaw was found in the Linux kernel. Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. The highest threat from this vulnerability is to data confidentiality and integrity. (CVE-2021-0129)

A denial-of-service (DoS) flaw was identified in the Linux kernel due to an incorrect memory barrier in xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem. (CVE-2021-29650)

A flaw was found in the Linux kernel’s handling of the removal of Bluetooth HCI controllers. This flaw allows an attacker with a local account to exploit a race condition, leading to corrupted memory and possible privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-32399)

A use-after-free flaw was found in hci_send_acl in the bluetooth host controller interface (HCI) in Linux kernel, where a local attacker with an access rights could cause a denial of service problem on the system The issue results from the object hchan, freed in hci_disconn_loglink_complete_evt, yet still used in other places. The highest threat from this vulnerability is to data integrity, confidentiality and system availability. (CVE-2021-33034)

In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db. (CVE-2021-33624)

A flaw double-free memory corruption in the Linux kernel HCI device initialization subsystem was found in the way user attach malicious HCI TTY Bluetooth device. A local user could use this flaw to crash the system. (CVE-2021-3564)

A flaw use-after-free in function hci_sock_bound_ioctl() of the Linux kernel HCI subsystem was found in the way user calls ioct HCIUNBLOCKADDR or other way triggers race condition of the call hci_unregister_dev() together with one of the calls hci_sock_blacklist_add(), hci_sock_blacklist_del(), hci_get_conn_info(), hci_get_auth_info(). A privileged local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-3573)

In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix info leak in hid_submit_ctrl

In hid_submit_ctrl(), the way of calculating the report length doesn’t
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl(). (CVE-2021-46906)

In the Linux kernel, the following vulnerability has been resolved:

dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (CVE-2021-46938)

In the Linux kernel, the following vulnerability has been resolved:

tracing: Restructure trace_clock_global() to never block (CVE-2021-46939)

In the Linux kernel, the following vulnerability has been resolved:

md/raid1: properly indicate failure when ending a failed write request

This patch addresses a data corruption bug in raid1 arrays using bitmaps.
Without this fix, the bitmap bits for the failed I/O end up being cleared.

Since we are in the failure leg of raid1_end_write_request, the request
either needs to be retried (R1BIO_WriteError) or failed (R1BIO_Degraded). (CVE-2021-46950)

In the Linux kernel, the following vulnerability has been resolved:

ACPI: GTDT: Don’t corrupt interrupt mappings on watchdow probe failure (CVE-2021-46953)

Affected Packages:

kernel

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update kernel to update your system.

New Packages:

aarch64:  
    kernel-4.14.238-182.421.amzn2.aarch64  
    kernel-headers-4.14.238-182.421.amzn2.aarch64  
    kernel-debuginfo-common-aarch64-4.14.238-182.421.amzn2.aarch64  
    perf-4.14.238-182.421.amzn2.aarch64  
    perf-debuginfo-4.14.238-182.421.amzn2.aarch64  
    python-perf-4.14.238-182.421.amzn2.aarch64  
    python-perf-debuginfo-4.14.238-182.421.amzn2.aarch64  
    kernel-tools-4.14.238-182.421.amzn2.aarch64  
    kernel-tools-devel-4.14.238-182.421.amzn2.aarch64  
    kernel-tools-debuginfo-4.14.238-182.421.amzn2.aarch64  
    kernel-devel-4.14.238-182.421.amzn2.aarch64  
    kernel-debuginfo-4.14.238-182.421.amzn2.aarch64  
  
i686:  
    kernel-headers-4.14.238-182.421.amzn2.i686  
  
src:  
    kernel-4.14.238-182.421.amzn2.src  
  
x86_64:  
    kernel-4.14.238-182.421.amzn2.x86_64  
    kernel-headers-4.14.238-182.421.amzn2.x86_64  
    kernel-debuginfo-common-x86_64-4.14.238-182.421.amzn2.x86_64  
    perf-4.14.238-182.421.amzn2.x86_64  
    perf-debuginfo-4.14.238-182.421.amzn2.x86_64  
    python-perf-4.14.238-182.421.amzn2.x86_64  
    python-perf-debuginfo-4.14.238-182.421.amzn2.x86_64  
    kernel-tools-4.14.238-182.421.amzn2.x86_64  
    kernel-tools-devel-4.14.238-182.421.amzn2.x86_64  
    kernel-tools-debuginfo-4.14.238-182.421.amzn2.x86_64  
    kernel-devel-4.14.238-182.421.amzn2.x86_64  
    kernel-debuginfo-4.14.238-182.421.amzn2.x86_64  
    kernel-livepatch-4.14.238-182.421-1.0-0.amzn2.x86_64  

Additional References

Red Hat: CVE-2020-26558, CVE-2021-0129, CVE-2021-29650, CVE-2021-32399, CVE-2021-33034, CVE-2021-33624, CVE-2021-3564, CVE-2021-3573, CVE-2021-46906, CVE-2021-46938, CVE-2021-46939, CVE-2021-46950, CVE-2021-46953

Mitre: CVE-2020-26558, CVE-2021-0129, CVE-2021-29650, CVE-2021-32399, CVE-2021-33034, CVE-2021-33624, CVE-2021-3564, CVE-2021-3573, CVE-2021-46906, CVE-2021-46938, CVE-2021-46939, CVE-2021-46950, CVE-2021-46953