Unbreakable Enterprise kernel security update

2018-01-0500:00:00

linux.oracle.com

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

4.7 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N

0.976 High

EPSS

Percentile

100.0%

JSON

[4.1.12-112.14.5]

x86/ibrs: Remove ‘ibrs_dump’ and remove the pr_debug (Konrad Rzeszutek Wilk) [Orabug: 27350825]
[4.1.12-112.14.4]
kABI: Revert kABI: Make the boot_cpu_data look normal (Konrad Rzeszutek Wilk) {CVE-2017-5715}
[4.1.12-112.14.3]
userns: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
udf: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
net: mpls: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
fs: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
ipv6: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
ipv4: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
Thermal/int340x: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
cw1200: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
qla2xxx: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
p54: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
carl9170: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
uvcvideo: prevent speculative execution (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
bpf: prevent speculative execution in eBPF interpreter (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
locking/barriers: introduce new observable speculation barrier (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
x86/cpu/AMD: Make the LFENCE instruction serialized (Elena Reshetova) [Orabug: 27340459] {CVE-2017-5753}
kABI: Make the boot_cpu_data look normal. (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715}
kernel.spec: Require the new microcode_ctl. (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715} {CVE-2017-5715}
x86/microcode/AMD: Add support for fam17h microcode loading (Tom Lendacky) [Orabug: 27339995] {CVE-2017-5715}
x86/spec_ctrl: Disable if running as Xen PV guest. (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715}
Set IBPB when running a different VCPU (Dave Hansen) [Orabug: 27339995] {CVE-2017-5715}
Clear the host registers after setbe (Jun Nakajima) [Orabug: 27339995] {CVE-2017-5715}
Use the ibpb_inuse variable. (Jun Nakajima) [Orabug: 27339995] {CVE-2017-5715}
KVM: x86: add SPEC_CTRL to MSR and CPUID lists (Andrea Arcangeli) [Orabug: 27339995] {CVE-2017-5715}
kvm: vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Paolo Bonzini) [Orabug: 27339995] {CVE-2017-5715}
Use the ‘ibrs_inuse’ variable. (Jun Nakajima) [Orabug: 27339995] {CVE-2017-5715}
kvm: svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Andrea Arcangeli) [Orabug: 27339995] {CVE-2017-5715}
x86/svm: Set IBPB when running a different VCPU (Paolo Bonzini) [Orabug: 27339995] {CVE-2017-5715}
x86/kvm: Pad RSB on VM transition (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/cpu/AMD: Add speculative control support for AMD (Tom Lendacky) [Orabug: 27339995] {CVE-2017-5715}
x86/microcode: Recheck IBRS and IBPB feature on microcode reload (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86: Move IBRS/IBPB feature detection to scattered.c (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715}
x86/kvm: clear registers on VM exit (Tom Lendacky) [Orabug: 27339995] {CVE-2017-5715}
x86/kvm: Set IBPB when switching VM (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
INCOMPLETE x86/syscall: Clear unused extra registers on syscall entrance (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715}
x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715}
x86/mm: Only set IBPB when the new thread cannot ptrace current thread (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715}
x86/mm: Set IBPB upon context switch (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/idle: Disable IBRS entering idle and enable it on wakeup (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/spec_ctrl: save IBRS MSR value in paranoid_entry (Andrea Arcangeli) [Orabug: 27339995] {CVE-2017-5715}
Scaffolding x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/enter: Use IBRS on syscall and interrupts (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86: Add macro that does not save rax, rcx, rdx on stack to disable IBRS (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/enter: MACROS to set/clear IBRS and set IBP (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86/feature: Report presence of IBPB and IBRS control (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}
x86: Add STIBP feature enumeration (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715}
x86/cpufeature: Add X86_FEATURE_IA32_ARCH_CAPS and X86_FEATURE_IBRS_ATT (Konrad Rzeszutek Wilk) [Orabug: 27339995] {CVE-2017-5715}
x86/feature: Enable the x86 feature to control (Tim Chen) [Orabug: 27339995] {CVE-2017-5715}

OSVersionArchitecturePackageVersionFilename
oracle linux6srckernel-uek< 4.1.12-112.14.5.el6uekkernel-uek-4.1.12-112.14.5.el6uek.src.rpm
oracle linux6x86_64kernel-uek< 4.1.12-112.14.5.el6uekkernel-uek-4.1.12-112.14.5.el6uek.x86_64.rpm
oracle linux6x86_64kernel-uek-debug< 4.1.12-112.14.5.el6uekkernel-uek-debug-4.1.12-112.14.5.el6uek.x86_64.rpm
oracle linux6x86_64kernel-uek-debug-devel< 4.1.12-112.14.5.el6uekkernel-uek-debug-devel-4.1.12-112.14.5.el6uek.x86_64.rpm
oracle linux6x86_64kernel-uek-devel< 4.1.12-112.14.5.el6uekkernel-uek-devel-4.1.12-112.14.5.el6uek.x86_64.rpm
oracle linux6noarchkernel-uek-doc< 4.1.12-112.14.5.el6uekkernel-uek-doc-4.1.12-112.14.5.el6uek.noarch.rpm
oracle linux6noarchkernel-uek-firmware< 4.1.12-112.14.5.el6uekkernel-uek-firmware-4.1.12-112.14.5.el6uek.noarch.rpm
oracle linux7srckernel-uek< 4.1.12-112.14.5.el7uekkernel-uek-4.1.12-112.14.5.el7uek.src.rpm
oracle linux7x86_64kernel-uek< 4.1.12-112.14.5.el7uekkernel-uek-4.1.12-112.14.5.el7uek.x86_64.rpm
oracle linux7x86_64kernel-uek-debug< 4.1.12-112.14.5.el7uekkernel-uek-debug-4.1.12-112.14.5.el7uek.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
oracle linux	6	src	kernel-uek	< 4.1.12-112.14.5.el6uek	kernel-uek-4.1.12-112.14.5.el6uek.src.rpm
oracle linux	6	x86_64	kernel-uek	< 4.1.12-112.14.5.el6uek	kernel-uek-4.1.12-112.14.5.el6uek.x86_64.rpm
oracle linux	6	x86_64	kernel-uek-debug	< 4.1.12-112.14.5.el6uek	kernel-uek-debug-4.1.12-112.14.5.el6uek.x86_64.rpm
oracle linux	6	x86_64	kernel-uek-debug-devel	< 4.1.12-112.14.5.el6uek	kernel-uek-debug-devel-4.1.12-112.14.5.el6uek.x86_64.rpm
oracle linux	6	x86_64	kernel-uek-devel	< 4.1.12-112.14.5.el6uek	kernel-uek-devel-4.1.12-112.14.5.el6uek.x86_64.rpm
oracle linux	6	noarch	kernel-uek-doc	< 4.1.12-112.14.5.el6uek	kernel-uek-doc-4.1.12-112.14.5.el6uek.noarch.rpm
oracle linux	6	noarch	kernel-uek-firmware	< 4.1.12-112.14.5.el6uek	kernel-uek-firmware-4.1.12-112.14.5.el6uek.noarch.rpm
oracle linux	7	src	kernel-uek	< 4.1.12-112.14.5.el7uek	kernel-uek-4.1.12-112.14.5.el7uek.src.rpm
oracle linux	7	x86_64	kernel-uek	< 4.1.12-112.14.5.el7uek	kernel-uek-4.1.12-112.14.5.el7uek.x86_64.rpm
oracle linux	7	x86_64	kernel-uek-debug	< 4.1.12-112.14.5.el7uek	kernel-uek-debug-4.1.12-112.14.5.el7uek.x86_64.rpm