DATABASE RESOURCES PRICING ABOUT US

{"id": "VERACODE:39398", "vendorId": null, "type": "veracode", "bulletinFamily": "software", "title": "Information Disclosure", "description": "xen is vulnerable to Information Disclosure. AMD processors may speculatively execute instruction from a sibling thread after a SMT mode switch leading to information disclosure.\n", "published": "2023-02-24T07:35:49", "modified": "2023-03-10T06:44:39", "epss": [{"cve": "CVE-2022-27672", "epss": 0.00043, "percentile": 0.06992, "modified": "2023-06-03"}], "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 1.0}, "severity": "LOW", "exploitabilityScore": 1.5, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.0, "impactScore": 3.6}, "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-39398/summary", "reporter": "Veracode Vulnerability Database", "references": ["https://secdb.alpinelinux.org/edge/main.yaml", "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-1045"], "cvelist": ["CVE-2022-27672"], "immutableFields": [], "lastseen": "2023-06-03T19:58:53", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "amd", "idList": ["AMD-SB-1045"]}, {"type": "cve", "idList": ["CVE-2022-27672"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2022-27672"]}, {"type": "fedora", "idList": ["FEDORA:08664304CB8B", "FEDORA:82921304C6F7"]}, {"type": "mageia", "idList": ["MGASA-2023-0087", "MGASA-2023-0088"]}, {"type": "nessus", "idList": ["AL2023_ALAS2023-2023-132.NASL", "AL2_ALASKERNEL-5_10-2023-028.NASL", "AL2_ALASKERNEL-5_15-2023-015.NASL", "AL2_ALASKERNEL-5_4-2023-043.NASL", "EULEROS_SA-2023-1873.NASL", "EULEROS_SA-2023-2020.NASL", "FEDORA_2023-C69A2A8F8B.NASL", "FEDORA_2023-DAD0295B25.NASL", "ORACLELINUX_ELSA-2023-12255.NASL", "ORACLELINUX_ELSA-2023-12256.NASL", "SUSE_SU-2023-0692-1.NASL", "UBUNTU_USN-5978-1.NASL", "UBUNTU_USN-6079-1.NASL", "UBUNTU_USN-6080-1.NASL", "UBUNTU_USN-6085-1.NASL", "UBUNTU_USN-6090-1.NASL", "UBUNTU_USN-6091-1.NASL", "UBUNTU_USN-6096-1.NASL", "UBUNTU_USN-6133-1.NASL", "UBUNTU_USN-6134-1.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2023-12255", "ELSA-2023-12256"]}, {"type": "redhatcve", "idList": ["RH:CVE-2022-27672"]}, {"type": "ubuntu", "idList": ["USN-5978-1", "USN-6079-1", "USN-6080-1", "USN-6085-1", "USN-6090-1", "USN-6091-1", "USN-6096-1", "USN-6133-1", "USN-6134-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2022-27672"]}, {"type": "xen", "idList": ["XSA-426"]}]}, "score": {"value": 6.2, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-27672", "epss": 0.00043, "percentile": 0.07019, "modified": "2023-05-02"}], "vulnersScore": 6.2}, "_state": {"dependencies": 1685838547, "score": 1685822508, "epss": 0}, "_internal": {"score_hash": "708afe83e96367a98368bb286be146f2"}, "affectedSoftware": [{"version": "4.14.1-r3", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r7", "operator": "eq", "name": "xen:edge"}, {"version": "4.14.1-r5", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r5", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.13.0-r2", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r3", "operator": "eq", "name": "xen:edge"}, {"version": "4.17.0-r1", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r6", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r3", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r4", "operator": "eq", "name": "xen:edge"}, {"version": "4.14.1-r4", "operator": "eq", "name": "xen:edge"}, {"version": "4.13.0-r3", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.0-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.15.1-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.15.0-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.15.0-r1", "operator": "eq", "name": "xen:edge"}, {"version": "4.15.1-r2", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r2", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.0-r1", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r1", "operator": "eq", "name": "xen:edge"}, {"version": "4.13.0-r4", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r2", "operator": "eq", "name": "xen:edge"}, {"version": "4.14.1-r3", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r7", "operator": "eq", "name": "xen:edge"}, {"version": "4.14.1-r5", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r5", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.13.0-r2", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r3", "operator": "eq", "name": "xen:edge"}, {"version": "4.17.0-r1", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r6", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r3", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r4", "operator": "eq", "name": "xen:edge"}, {"version": "4.14.1-r4", "operator": "eq", "name": "xen:edge"}, {"version": "4.13.0-r3", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.0-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.15.1-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.15.0-r0", "operator": "eq", "name": "xen:edge"}, {"version": "4.15.0-r1", "operator": "eq", "name": "xen:edge"}, {"version": "4.15.1-r2", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r2", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.0-r1", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r1", "operator": "eq", "name": "xen:edge"}, {"version": "4.13.0-r4", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.1-r2", "operator": "eq", "name": "xen:edge"}, {"version": "4.16.2-r0", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.1-r4", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.1-r5", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.1-r0", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.3-r0", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.1-r1", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.1-r6", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.1-r3", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.1-r2", "operator": "eq", "name": "xen:3.16"}, {"version": "4.16.2-r2", "operator": "eq", "name": "xen:3.17"}, {"version": "4.16.3-r0", "operator": "eq", "name": "xen:3.17"}, {"version": "4.16.2-r0", "operator": "eq", "name": "xen:3.17"}, {"version": "4.16.2-r1", "operator": "eq", "name": "xen:3.17"}]}

{"nessus": [{"lastseen": "2023-05-17T16:44:02", "description": "The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-dad0295b25 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-03-06T00:00:00", "type": "nessus", "title": "Fedora 36 : xen (2023-dad0295b25)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672"], "modified": "2023-03-10T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:36", "p-cpe:/a:fedoraproject:fedora:xen"], "id": "FEDORA_2023-DAD0295B25.NASL", "href": "https://www.tenable.com/plugins/nessus/172112", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2023-dad0295b25\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(172112);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\"CVE-2022-27672\");\n script_xref(name:\"FEDORA\", value:\"2023-dad0295b25\");\n\n script_name(english:\"Fedora 36 : xen (2023-dad0295b25)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the\nFEDORA-2023-dad0295b25 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2023-dad0295b25\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xen package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:S/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-27672\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/02/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:36\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xen\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Fedora' >!< os_release) audit(AUDIT_OS_NOT, 'Fedora');\nvar os_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^36([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 36', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\nvar pkgs = [\n {'reference':'xen-4.16.3-3.fc36', 'release':'FC36', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && _release) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'xen');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:43:46", "description": "The remote SUSE Linux SLED15 / SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:0692-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-03-10T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 / openSUSE 15 Security Update : xen (SUSE-SU-2023:0692-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672"], "modified": "2023-03-10T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:xen", "p-cpe:/a:novell:suse_linux:xen-devel", "p-cpe:/a:novell:suse_linux:xen-libs", "p-cpe:/a:novell:suse_linux:xen-tools", "p-cpe:/a:novell:suse_linux:xen-tools-domu", "p-cpe:/a:novell:suse_linux:xen-tools-xendomains-wait-disk", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2023-0692-1.NASL", "href": "https://www.tenable.com/plugins/nessus/172407", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2023:0692-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(172407);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\"CVE-2022-27672\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2023:0692-1\");\n\n script_name(english:\"SUSE SLED15 / SLES15 / openSUSE 15 Security Update : xen (SUSE-SU-2023:0692-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED15 / SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as\nreferenced in the SUSE-SU-2023:0692-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1027519\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1205792\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1208286\");\n # https://lists.suse.com/pipermail/sle-security-updates/2023-March/014011.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?40ce2970\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-27672\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:S/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-27672\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/02/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xen-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xen-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xen-tools-domU\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:xen-tools-xendomains-wait-disk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES|SUSE)\") audit(AUDIT_OS_NOT, \"SUSE / openSUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+|SUSE([\\d.]+))\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE / openSUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15|SUSE15\\.4)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLES15 / openSUSE 15', 'SUSE / openSUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE / openSUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLED15 SP4\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP4\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'xen-4.16.3_04-150400.4.22.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-server-applications-release-15.4', 'sles-release-15.4']},\n {'reference':'xen-devel-4.16.3_04-150400.4.22.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-server-applications-release-15.4', 'sles-release-15.4']},\n {'reference':'xen-libs-4.16.3_04-150400.4.22.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},\n {'reference':'xen-libs-4.16.3_04-150400.4.22.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},\n {'reference':'xen-tools-4.16.3_04-150400.4.22.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-server-applications-release-15.4', 'sles-release-15.4']},\n {'reference':'xen-tools-domU-4.16.3_04-150400.4.22.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},\n {'reference':'xen-tools-domU-4.16.3_04-150400.4.22.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-basesystem-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},\n {'reference':'xen-tools-xendomains-wait-disk-4.16.3_04-150400.4.22.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4', 'SLE_HPC-release-15.4', 'sle-module-server-applications-release-15.4', 'sles-release-15.4']},\n {'reference':'xen-4.16.3_04-150400.4.22.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-4.16.3_04-150400.4.22.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-devel-4.16.3_04-150400.4.22.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-devel-4.16.3_04-150400.4.22.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-doc-html-4.16.3_04-150400.4.22.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-doc-html-4.16.3_04-150400.4.22.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-libs-32bit-4.16.3_04-150400.4.22.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-libs-4.16.3_04-150400.4.22.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-libs-4.16.3_04-150400.4.22.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-tools-4.16.3_04-150400.4.22.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-tools-4.16.3_04-150400.4.22.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-tools-domU-4.16.3_04-150400.4.22.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-tools-domU-4.16.3_04-150400.4.22.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'xen-tools-xendomains-wait-disk-4.16.3_04-150400.4.22.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'xen / xen-devel / xen-doc-html / xen-libs / xen-libs-32bit / xen-tools / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:44:15", "description": "The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-c69a2a8f8b advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-02-20T00:00:00", "type": "nessus", "title": "Fedora 37 : xen (2023-c69a2a8f8b)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672"], "modified": "2023-03-21T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:37", "p-cpe:/a:fedoraproject:fedora:xen"], "id": "FEDORA_2023-C69A2A8F8B.NASL", "href": "https://www.tenable.com/plugins/nessus/171639", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2023-c69a2a8f8b\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(171639);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/21\");\n\n script_cve_id(\"CVE-2022-27672\");\n script_xref(name:\"FEDORA\", value:\"2023-c69a2a8f8b\");\n\n script_name(english:\"Fedora 37 : xen (2023-c69a2a8f8b)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the\nFEDORA-2023-c69a2a8f8b advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2023-c69a2a8f8b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected xen package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:S/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-27672\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/02/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/02/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:xen\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Fedora' >!< os_release) audit(AUDIT_OS_NOT, 'Fedora');\nvar os_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^37([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 37', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\nvar pkgs = [\n {'reference':'xen-4.16.3-2.fc37', 'release':'FC37', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && _release) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'xen');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:46:36", "description": "It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-132 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-03-21T00:00:00", "type": "nessus", "title": "Amazon Linux 2023 : bpftool, kernel, kernel-devel (ALAS2023-2023-132)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672", "CVE-2023-1078"], "modified": "2023-04-04T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bpftool", "p-cpe:/a:amazon:linux:bpftool-debuginfo", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-libbpf", "p-cpe:/a:amazon:linux:kernel-libbpf-devel", "p-cpe:/a:amazon:linux:kernel-libbpf-static", "p-cpe:/a:amazon:linux:kernel-livepatch-6.1.12-17.42", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:python3-perf", "p-cpe:/a:amazon:linux:python3-perf-debuginfo", "cpe:/o:amazon:linux:2023"], "id": "AL2023_ALAS2023-2023-132.NASL", "href": "https://www.tenable.com/plugins/nessus/173140", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2023 Security Advisory ALAS2023-2023-132.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(173140);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/04\");\n\n script_cve_id(\"CVE-2022-27672\", \"CVE-2023-1078\");\n\n script_name(english:\"Amazon Linux 2023 : bpftool, kernel, kernel-devel (ALAS2023-2023-132)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2023 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-132 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2023/ALAS-2023-132.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-27672.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1078.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/faqs.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'dnf update kernel --releasever=2023.0.20230315' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-1078\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/02/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-libbpf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-libbpf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-libbpf-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-livepatch-6.1.12-17.42\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python3-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2023\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"kpatch.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"-2023\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2023\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2022-27672\", \"CVE-2023-1078\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALAS2023-2023-132\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bpftool-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bpftool-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bpftool-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-aarch64-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-x86_64-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-6.1.12-17.42.amzn2023', 'cpu':'i686', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-libbpf-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-libbpf-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-libbpf-devel-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-libbpf-devel-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-libbpf-static-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-libbpf-static-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-livepatch-6.1.12-17.42-1.0-0.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-livepatch-6.1.12-17.42-1.0-0.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'aarch64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-debuginfo-6.1.12-17.42.amzn2023', 'cpu':'x86_64', 'release':'AL-2023', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:46:12", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-12255 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup(). (CVE-2022-3108)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. (CVE-2023-23559)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-17T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2023-12255)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2022-3108", "CVE-2022-4129", "CVE-2023-23559"], "modified": "2023-04-17T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-tools", "p-cpe:/a:oracle:linux:kernel-uek-tools-libs", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2023-12255.NASL", "href": "https://www.tenable.com/plugins/nessus/174419", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2023-12255.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174419);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/17\");\n\n script_cve_id(\n \"CVE-2022-2196\",\n \"CVE-2022-3108\",\n \"CVE-2022-4129\",\n \"CVE-2022-27672\",\n \"CVE-2023-23559\"\n );\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2023-12255)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2023-12255 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in\n drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup(). (CVE-2022-3108)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after\n running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can\n execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past\n commit 2e7eab81425a (CVE-2022-2196)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing\n sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw\n to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an\n integer overflow in an addition. (CVE-2023-23559)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2023-12255.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-23559\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2196\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2136.318.7.1.el7uek', '5.4.17-2136.318.7.1.el8uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2023-12255');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-5.4.17-2136.318.7.1.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2136.318.7.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2136.318.7.1.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2136.318.7.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2136.318.7.1.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2136.318.7.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2136.318.7.1.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2136.318.7.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2136.318.7.1.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2136.318.7.1.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-5.4.17-2136.318.7.1.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-5.4.17'},\n {'reference':'kernel-uek-tools-libs-5.4.17-2136.318.7.1.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-5.4.17'},\n {'reference':'perf-5.4.17-2136.318.7.1.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'perf-5.4.17'},\n {'reference':'python-perf-5.4.17-2136.318.7.1.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'python-perf-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2136.318.7.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2136.318.7.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2136.318.7.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2136.318.7.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2136.318.7.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2136.318.7.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2136.318.7.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2136.318.7.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2136.318.7.1.el8uek', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:47:01", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-12256 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup(). (CVE-2022-3108)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196)\n\n - In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. (CVE-2023-23559)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-17T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2023-12256)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2022-3108", "CVE-2022-4129", "CVE-2023-23559"], "modified": "2023-04-17T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek-container", "p-cpe:/a:oracle:linux:kernel-uek-container-debug"], "id": "ORACLELINUX_ELSA-2023-12256.NASL", "href": "https://www.tenable.com/plugins/nessus/174416", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2023-12256.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174416);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/17\");\n\n script_cve_id(\n \"CVE-2022-2196\",\n \"CVE-2022-3108\",\n \"CVE-2022-4129\",\n \"CVE-2022-27672\",\n \"CVE-2023-23559\"\n );\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2023-12256)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2023-12256 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16-rc6. kfd_parse_subtype_iolink in\n drivers/gpu/drm/amd/amdkfd/kfd_crat.c lacks check of the return value of kmemdup(). (CVE-2022-3108)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after\n running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can\n execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past\n commit 2e7eab81425a (CVE-2022-2196)\n\n - In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an\n integer overflow in an addition. (CVE-2023-23559)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing\n sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw\n to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2023-12256.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-23559\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2196\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container-debug\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2136.318.7.1.el7', '5.4.17-2136.318.7.1.el8'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2023-12256');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-5.4.17-2136.318.7.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2136.318.7.1.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'},\n {'reference':'kernel-uek-container-5.4.17-2136.318.7.1.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2136.318.7.1.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container / kernel-uek-container-debug');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:45:50", "description": "The version of kernel installed on the remote host is prior to 5.15.102-61.139. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.15-2023-015 advisory.\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption. (CVE-2023-1077)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-03-22T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALASKERNEL-5.15-2023-015)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2023-0458", "CVE-2023-1077", "CVE-2023-1078", "CVE-2023-1829", "CVE-2023-1998", "CVE-2023-26545"], "modified": "2023-05-08T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bpftool", "p-cpe:/a:amazon:linux:bpftool-debuginfo", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-livepatch-5.15.102-61.139", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:python-perf", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "cpe:/o:amazon:linux:2"], "id": "AL2_ALASKERNEL-5_15-2023-015.NASL", "href": "https://www.tenable.com/plugins/nessus/173235", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASKERNEL-5.15-2023-015.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(173235);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/08\");\n\n script_cve_id(\n \"CVE-2022-2196\",\n \"CVE-2022-27672\",\n \"CVE-2023-0458\",\n \"CVE-2023-1077\",\n \"CVE-2023-1078\",\n \"CVE-2023-1829\",\n \"CVE-2023-1998\",\n \"CVE-2023-26545\"\n );\n\n script_name(english:\"Amazon Linux 2 : kernel (ALASKERNEL-5.15-2023-015)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 5.15.102-61.139. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2KERNEL-5.15-2023-015 advisory.\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited\n to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate\n filters in case of a perfect hashes while deleting the underlying structure which can later lead to double\n freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after\n running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can\n execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past\n commit 2e7eab81425a (CVE-2022-2196)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The\n resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be\n used to leak the contents. We recommend upgrading past version 6.1.8 or commit\n 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON\n condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a\n type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing\n memory corruption. (CVE-2023-1077)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2023-015.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2196.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-27672.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-0458.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1077.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1078.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1829.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1998.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-26545.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/faqs.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-1829\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2196\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-livepatch-5.15.102-61.139\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"kpatch.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2022-2196\", \"CVE-2022-27672\", \"CVE-2023-0458\", \"CVE-2023-1077\", \"CVE-2023-1078\", \"CVE-2023-1829\", \"CVE-2023-1998\", \"CVE-2023-26545\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALASKERNEL-5.15-2023-015\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'bpftool-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'bpftool-debuginfo-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'bpftool-debuginfo-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-debuginfo-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-debuginfo-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-debuginfo-common-aarch64-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-debuginfo-common-x86_64-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-devel-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-devel-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-headers-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-headers-5.15.102-61.139.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-headers-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-livepatch-5.15.102-61.139-1.0-0.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-livepatch-5.15.102-61.139-1.0-0.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-tools-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-tools-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-tools-debuginfo-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-tools-debuginfo-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-tools-devel-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'kernel-tools-devel-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'perf-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'perf-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'perf-debuginfo-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'perf-debuginfo-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'python-perf-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'python-perf-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'python-perf-debuginfo-5.15.102-61.139.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'},\n {'reference':'python-perf-debuginfo-5.15.102-61.139.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.15'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:46:37", "description": "The version of kernel installed on the remote host is prior to 5.4.235-144.344. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2023-043 advisory.\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption. (CVE-2023-1077)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-03-22T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALASKERNEL-5.4-2023-043)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2023-0458", "CVE-2023-1077", "CVE-2023-1078", "CVE-2023-1829", "CVE-2023-1998", "CVE-2023-2162", "CVE-2023-26545"], "modified": "2023-05-08T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bpftool", "p-cpe:/a:amazon:linux:bpftool-debuginfo", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:python-perf", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "cpe:/o:amazon:linux:2"], "id": "AL2_ALASKERNEL-5_4-2023-043.NASL", "href": "https://www.tenable.com/plugins/nessus/173230", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASKERNEL-5.4-2023-043.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(173230);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/08\");\n\n script_cve_id(\n \"CVE-2022-2196\",\n \"CVE-2022-27672\",\n \"CVE-2023-0458\",\n \"CVE-2023-1077\",\n \"CVE-2023-1078\",\n \"CVE-2023-1829\",\n \"CVE-2023-1998\",\n \"CVE-2023-2162\",\n \"CVE-2023-26545\"\n );\n\n script_name(english:\"Amazon Linux 2 : kernel (ALASKERNEL-5.4-2023-043)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 5.4.235-144.344. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2KERNEL-5.4-2023-043 advisory.\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited\n to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate\n filters in case of a perfect hashes while deleting the underlying structure which can later lead to double\n freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after\n running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can\n execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past\n commit 2e7eab81425a (CVE-2022-2196)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The\n resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be\n used to leak the contents. We recommend upgrading past version 6.1.8 or commit\n 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON\n condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a\n type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing\n memory corruption. (CVE-2023-1077)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2023-043.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2196.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-27672.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-0458.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1077.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1078.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1829.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1998.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-2162.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-26545.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/faqs.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-1829\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2196\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"kpatch.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2022-2196\", \"CVE-2022-27672\", \"CVE-2023-0458\", \"CVE-2023-1077\", \"CVE-2023-1078\", \"CVE-2023-1829\", \"CVE-2023-1998\", \"CVE-2023-2162\", \"CVE-2023-26545\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALASKERNEL-5.4-2023-043\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-debuginfo-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-debuginfo-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-common-aarch64-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-common-x86_64-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-devel-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-devel-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.235-144.344.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-debuginfo-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-debuginfo-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-devel-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-devel-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-debuginfo-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-debuginfo-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-debuginfo-5.4.235-144.344.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-debuginfo-5.4.235-144.344.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:46:37", "description": "The version of kernel installed on the remote host is prior to 5.10.173-154.642. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2023-028 advisory.\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing memory corruption. (CVE-2023-1077)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-03-22T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALASKERNEL-5.10-2023-028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2023-0458", "CVE-2023-1077", "CVE-2023-1078", "CVE-2023-1829", "CVE-2023-1998", "CVE-2023-2162", "CVE-2023-22998", "CVE-2023-26545"], "modified": "2023-05-08T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bpftool", "p-cpe:/a:amazon:linux:bpftool-debuginfo", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-livepatch-5.10.173-154.642", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:python-perf", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "cpe:/o:amazon:linux:2"], "id": "AL2_ALASKERNEL-5_10-2023-028.NASL", "href": "https://www.tenable.com/plugins/nessus/173228", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASKERNEL-5.10-2023-028.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(173228);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/08\");\n\n script_cve_id(\n \"CVE-2022-2196\",\n \"CVE-2022-27672\",\n \"CVE-2023-0458\",\n \"CVE-2023-1077\",\n \"CVE-2023-1078\",\n \"CVE-2023-1829\",\n \"CVE-2023-1998\",\n \"CVE-2023-2162\",\n \"CVE-2023-22998\",\n \"CVE-2023-26545\"\n );\n\n script_name(english:\"Amazon Linux 2 : kernel (ALASKERNEL-5.10-2023-028)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 5.10.173-154.642. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2KERNEL-5.10-2023-028 advisory.\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited\n to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate\n filters in case of a perfect hashes while deleting the underlying structure which can later lead to double\n freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after\n running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can\n execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past\n commit 2e7eab81425a (CVE-2022-2196)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The\n resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be\n used to leak the contents. We recommend upgrading past version 6.1.8 or commit\n 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - In the Linux kernel, pick_next_rt_entity() may return a type confused entry, not detected by the BUG_ON\n condition, as the confused entry will not be NULL, but list_head.The buggy error condition would lead to a\n type confused entry with the list head,which would then be used as a type confused sched_rt_entity,causing\n memory corruption. (CVE-2023-1077)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2023-028.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2196.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-27672.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-0458.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1077.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1078.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1829.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-1998.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-2162.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-22998.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2023-26545.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/faqs.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-1829\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2196\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-livepatch-5.10.173-154.642\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"kpatch.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2022-2196\", \"CVE-2022-27672\", \"CVE-2023-0458\", \"CVE-2023-1077\", \"CVE-2023-1078\", \"CVE-2023-1829\", \"CVE-2023-1998\", \"CVE-2023-2162\", \"CVE-2023-22998\", \"CVE-2023-26545\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALASKERNEL-5.10-2023-028\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'bpftool-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'bpftool-debuginfo-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'bpftool-debuginfo-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-debuginfo-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-debuginfo-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-debuginfo-common-aarch64-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-debuginfo-common-x86_64-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-devel-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-devel-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-headers-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-headers-5.10.173-154.642.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-headers-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-livepatch-5.10.173-154.642-1.0-0.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-livepatch-5.10.173-154.642-1.0-0.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-debuginfo-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-debuginfo-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-devel-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'kernel-tools-devel-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'perf-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'perf-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'perf-debuginfo-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'perf-debuginfo-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'python-perf-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'python-perf-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'python-perf-debuginfo-5.10.173-154.642.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'},\n {'reference':'python-perf-debuginfo-5.10.173-154.642.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.10'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-05T12:51:25", "description": "The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6085-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. (CVE-2023-1513)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in net/sched/sch_api.c. (CVE-2022-47929) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-17T00:00:00", "type": "nessus", "title": "Ubuntu 22.04 LTS : Linux kernel (Raspberry Pi) vulnerabilities (USN-6085-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2022-47929", "CVE-2023-0459", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-20938", "CVE-2023-2162", "CVE-2023-32269"], "modified": "2023-05-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1029--raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1029--raspi-nolpae"], "id": "UBUNTU_USN-6085-1.NASL", "href": "https://www.tenable.com/plugins/nessus/175988", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-6085-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(175988);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/17\");\n\n script_cve_id(\n \"CVE-2022-3707\",\n \"CVE-2022-27672\",\n \"CVE-2023-0459\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1118\",\n \"CVE-2023-1513\",\n \"CVE-2023-2162\",\n \"CVE-2023-20938\",\n \"CVE-2023-32269\"\n );\n script_xref(name:\"USN\", value:\"6085-1\");\n\n script_name(english:\"Ubuntu 22.04 LTS : Linux kernel (Raspberry Pi) vulnerabilities (USN-6085-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-6085-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,\n potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field\n that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The\n rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user\n can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info`\n actually points to something else that is potentially controlled by local user. It is known how to trigger\n this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some\n uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an\n information leak. (CVE-2023-1513)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input\n validation. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in\n SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-\n after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order\n for an attacker to exploit this, the system must have netrom routing configured or the attacker must have\n the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows\n an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control\n configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in\n net/sched/sch_api.c. (CVE-2022-47929) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-6085-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-20938\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1029--raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1029--raspi-nolpae\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(22\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n var kernel_pattern;\n var kernel_mappings;\n var extra = '';\n if (preg(pattern:\"^22.04$\", string:os_release)) {\n kernel_pattern = \"^5.15.0-\\d+-(raspi|raspi-nolpae)$\";\n kernel_mappings = {\n \"5.15.0-\\d+(-raspi|-raspi-nolpae)\" : \"5.15.0-1029\"\n };\n };\n if (! preg(pattern:kernel_pattern, string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6085-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-3707', 'CVE-2022-27672', 'CVE-2023-0459', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1118', 'CVE-2023-1513', 'CVE-2023-2162', 'CVE-2023-20938', 'CVE-2023-32269');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6085-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-05T12:49:20", "description": "The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6090-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. (CVE-2023-1513)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in net/sched/sch_api.c. (CVE-2022-47929) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-18T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-6090-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2022-47929", "CVE-2023-0459", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-20938", "CVE-2023-2162", "CVE-2023-32269"], "modified": "2023-05-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1020-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1033-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1033-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1034-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1035-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle"], "id": "UBUNTU_USN-6090-1.NASL", "href": "https://www.tenable.com/plugins/nessus/176090", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-6090-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176090);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\n \"CVE-2022-3707\",\n \"CVE-2022-27672\",\n \"CVE-2023-0459\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1118\",\n \"CVE-2023-1513\",\n \"CVE-2023-2162\",\n \"CVE-2023-20938\",\n \"CVE-2023-32269\"\n );\n script_xref(name:\"USN\", value:\"6090-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-6090-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-6090-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,\n potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field\n that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The\n rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user\n can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info`\n actually points to something else that is potentially controlled by local user. It is known how to trigger\n this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some\n uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an\n information leak. (CVE-2023-1513)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input\n validation. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in\n SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-\n after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order\n for an attacker to exploit this, the system must have netrom routing configured or the attacker must have\n the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows\n an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control\n configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in\n net/sched/sch_api.c. (CVE-2022-47929) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-6090-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-20938\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1020-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1033-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1033-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1034-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1035-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(20\\.04|22\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n var kernel_pattern;\n var kernel_mappings;\n var extra = '';\n if (preg(pattern:\"^20.04$\", string:os_release)) {\n kernel_pattern = \"^5.15.0-\\d+-(gcp|gke|oracle)$\";\n kernel_mappings = {\n \"5.15.0-\\d+-gcp\" : \"5.15.0-1034\",\n \"5.15.0-\\d+-gke\" : \"5.15.0-1033\",\n \"5.15.0-\\d+-oracle\" : \"5.15.0-1035\"\n };\n };\n if (preg(pattern:\"^22.04$\", string:os_release)) {\n kernel_pattern = \"^5.15.0-\\d+-(gcp|gke|gkeop)$\";\n kernel_mappings = {\n \"5.15.0-\\d+-gcp\" : \"5.15.0-1034\",\n \"5.15.0-\\d+-gke\" : \"5.15.0-1033\",\n \"5.15.0-\\d+-gkeop\" : \"5.15.0-1020\"\n };\n };\n if (! preg(pattern:kernel_pattern, string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6090-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-3707', 'CVE-2022-27672', 'CVE-2023-0459', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1118', 'CVE-2023-1513', 'CVE-2023-2162', 'CVE-2023-20938', 'CVE-2023-32269');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6090-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-05T12:49:12", "description": "The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6080-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. (CVE-2023-1513)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - AMD recommends using a software mitigation for this issue, which the kernel is enabling by default. The Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on AMD instances (*5a*). This is done by default, and no administrator action is needed. (CVE-2021-26341) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-16T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-6080-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26341", "CVE-2022-27672", "CVE-2022-3707", "CVE-2023-0459", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-20938", "CVE-2023-2162", "CVE-2023-32269"], "modified": "2023-05-16T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1030-ibm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1033-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1035-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1036-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1038-azure-fde", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--lowlatency-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-fde", "p-cpe:/a:canonical:ubuntu_linux:linux-image-ibm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle"], "id": "UBUNTU_USN-6080-1.NASL", "href": "https://www.tenable.com/plugins/nessus/175883", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-6080-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(175883);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/16\");\n\n script_cve_id(\n \"CVE-2022-3707\",\n \"CVE-2022-27672\",\n \"CVE-2023-0459\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1118\",\n \"CVE-2023-1513\",\n \"CVE-2023-2162\",\n \"CVE-2023-20938\",\n \"CVE-2023-32269\"\n );\n script_xref(name:\"USN\", value:\"6080-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-6080-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-6080-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,\n potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field\n that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The\n rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user\n can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info`\n actually points to something else that is potentially controlled by local user. It is known how to trigger\n this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some\n uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an\n information leak. (CVE-2023-1513)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input\n validation. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in\n SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-\n after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order\n for an attacker to exploit this, the system must have netrom routing configured or the attacker must have\n the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - AMD recommends using a software mitigation for this issue, which the kernel is enabling by default. The\n Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on\n AMD instances (*5a*). This is done by default, and no administrator action is needed. (CVE-2021-26341)\n (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-6080-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-20938\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/02/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1030-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1033-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1035-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1036-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1038-azure-fde\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-72--lowlatency-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-fde\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(20\\.04|22\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n var kernel_pattern;\n var kernel_mappings;\n var extra = '';\n if (preg(pattern:\"^20.04$\", string:os_release)) {\n kernel_pattern = \"^5.15.0-\\d+-(aws|azure-fde|generic|generic-64k|generic-lpae|lowlatency|lowlatency-64k)$\";\n kernel_mappings = {\n \"5.15.0-\\d+(-generic|-generic-64k|-generic-lpae|-lowlatency|-lowlatency-64k)\" : \"5.15.0-72\",\n \"5.15.0-\\d+-aws\" : \"5.15.0-1036\",\n \"5.15.0-\\d+-azure-fde\" : \"5.15.0-1038\"\n };\n };\n if (preg(pattern:\"^22.04$\", string:os_release)) {\n kernel_pattern = \"^5.15.0-\\d+-(aws|azure-fde|generic|generic-64k|generic-lpae|ibm|kvm|lowlatency|lowlatency-64k|oracle)$\";\n kernel_mappings = {\n \"5.15.0-\\d+(-generic|-generic-64k|-generic-lpae|-lowlatency|-lowlatency-64k)\" : \"5.15.0-72\",\n \"5.15.0-\\d+-aws\" : \"5.15.0-1036\",\n \"5.15.0-\\d+-azure-fde\" : \"5.15.0-1038\",\n \"5.15.0-\\d+-ibm\" : \"5.15.0-1030\",\n \"5.15.0-\\d+-kvm\" : \"5.15.0-1033\",\n \"5.15.0-\\d+-oracle\" : \"5.15.0-1035\"\n };\n };\n if (! preg(pattern:kernel_pattern, string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6080-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-3707', 'CVE-2022-27672', 'CVE-2023-0459', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1118', 'CVE-2023-1513', 'CVE-2023-2162', 'CVE-2023-20938', 'CVE-2023-32269');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6080-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-22T22:47:20", "description": "The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5978-1 advisory.\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side. (CVE-2022-4382)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use- after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)\n\n - In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. (CVE-2023-23559)\n\n - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196) (CVE-2023-1078)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-03-27T00:00:00", "type": "nessus", "title": "Ubuntu 22.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5978-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2022-4382", "CVE-2022-4842", "CVE-2023-0394", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1281", "CVE-2023-23559", "CVE-2023-26545"], "modified": "2023-04-20T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-6.1.0-1008-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem"], "id": "UBUNTU_USN-5978-1.NASL", "href": "https://www.tenable.com/plugins/nessus/173443", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5978-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(173443);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/20\");\n\n script_cve_id(\n \"CVE-2022-2196\",\n \"CVE-2022-4382\",\n \"CVE-2022-4842\",\n \"CVE-2022-27672\",\n \"CVE-2023-0394\",\n \"CVE-2023-1073\",\n \"CVE-2023-1074\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1281\",\n \"CVE-2023-23559\",\n \"CVE-2023-26545\"\n );\n script_xref(name:\"USN\", value:\"5978-1\");\n\n script_name(english:\"Ubuntu 22.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5978-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-5978-1 advisory.\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after\n running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can\n execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past\n commit 2e7eab81425a (CVE-2022-2196)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was\n found. It could be triggered by yanking out a device that is running the gadgetfs side. (CVE-2022-4382)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A\n local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network\n subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege\n Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-\n after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this\n vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git\n commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)\n\n - In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an\n integer overflow in an addition. (CVE-2023-23559)\n\n - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure\n (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)\n\n - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\n L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after\n running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can\n execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past\n commit 2e7eab81425a (CVE-2022-2196) (CVE-2023-1078)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5978-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-23559\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2196\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/01/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.1.0-1008-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(22\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! preg(pattern:\"^((6.1.0-\\d+-oem))$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"6.1.0-\\d+-oem\" : \"6.1.0-1008\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5978-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2196', 'CVE-2022-4382', 'CVE-2022-4842', 'CVE-2022-27672', 'CVE-2023-0394', 'CVE-2023-1073', 'CVE-2023-1074', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1281', 'CVE-2023-23559', 'CVE-2023-26545');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5978-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-02T16:50:48", "description": "The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6133-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the access_ok check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 (CVE-2023-0459)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. (CVE-2023-1513)\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8. (CVE-2023-1872)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-06-02T00:00:00", "type": "nessus", "title": "Ubuntu 22.04 LTS : Linux kernel (Intel IoTG) vulnerabilities (USN-6133-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2023-0459", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-1829", "CVE-2023-1872", "CVE-2023-20938", "CVE-2023-2162", "CVE-2023-32269"], "modified": "2023-06-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1030-intel-iotg", "p-cpe:/a:canonical:ubuntu_linux:linux-image-intel-iotg"], "id": "UBUNTU_USN-6133-1.NASL", "href": "https://www.tenable.com/plugins/nessus/176617", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-6133-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176617);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/06/02\");\n\n script_cve_id(\n \"CVE-2022-3707\",\n \"CVE-2022-27672\",\n \"CVE-2023-0459\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1118\",\n \"CVE-2023-1513\",\n \"CVE-2023-1829\",\n \"CVE-2023-1872\",\n \"CVE-2023-2162\",\n \"CVE-2023-20938\",\n \"CVE-2023-32269\"\n );\n script_xref(name:\"USN\", value:\"6133-1\");\n\n script_name(english:\"Ubuntu 22.04 LTS : Linux kernel (Intel IoTG) vulnerabilities (USN-6133-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-6133-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec\n allowing a user to bypass the access_ok check and pass a kernel pointer to copy_from_user(). This would\n allow an attacker to leak information. We recommend upgrading beyond commit\n 74e19ef0ff8061ef55957c3abd71614ef0f42f47 (CVE-2023-0459)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,\n potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field\n that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The\n rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user\n can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info`\n actually points to something else that is potentially controlled by local user. It is known how to trigger\n this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some\n uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an\n information leak. (CVE-2023-1513)\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited\n to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate\n filters in case of a perfect hashes while deleting the underlying structure which can later lead to double\n freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local\n privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead\n to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend\n upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8. (CVE-2023-1872)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input\n validation. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in\n SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-\n after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order\n for an attacker to exploit this, the system must have netrom routing configured or the attacker must have\n the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-6133-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-20938\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/06/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1030-intel-iotg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-intel-iotg\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n var kernel_pattern;\n var kernel_mappings;\n var extra = '';\n if ('22.04' >< os_release) {\n kernel_pattern = \"^(5.15.0-\\d+-intel-iotg)$\";\n kernel_mappings = {\n \"5.15.0-\\d+-intel-iotg\" : \"5.15.0-1030\"\n };\n };\n if (! preg(pattern:kernel_pattern, string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6133-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-3707', 'CVE-2022-27672', 'CVE-2023-0459', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1118', 'CVE-2023-1513', 'CVE-2023-1829', 'CVE-2023-1872', 'CVE-2023-2162', 'CVE-2023-20938', 'CVE-2023-32269');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6133-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:48:22", "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms. (CVE-2021-3923)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action 'mirred') a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition. (CVE-2022-4269)\n\n - An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets. (CVE-2022-45934)\n\n - The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 (CVE-2023-0045)\n\n - There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)\n\n - A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ('net: sched: fix race condition in qdisc_graft()') not applied yet, then kernel could be affected. (CVE-2023-0590)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters. (CVE-2023-1076)\n\n - A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.\n (CVE-2023-1079)\n\n - In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list\n -- the list head is all zeroes, this results in a NULL pointer dereference. (CVE-2023-1095)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use- after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)\n\n - A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service. (CVE-2023-1380)\n\n - A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel. (CVE-2023-1382)\n\n - A remote denial of service vulnerability was found in the Linux kernel's TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue.\n Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition. (CVE-2023-1390)\n\n - A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel.\n This issue may allow a local attacker with user privilege to cause a denial of service. (CVE-2023-1582)\n\n - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)\n\n - A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device.\n This flaw allows a local user to crash the system or potentially cause a denial of service.\n (CVE-2023-28328)\n\n - do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference). (CVE-2023-28466)\n\n - An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow. (CVE-2023-28772)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2023-05-13T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : kernel (EulerOS-SA-2023-1873)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3923", "CVE-2022-27672", "CVE-2022-3707", "CVE-2022-4269", "CVE-2022-45934", "CVE-2023-0045", "CVE-2023-0461", "CVE-2023-0590", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1076", "CVE-2023-1079", "CVE-2023-1095", "CVE-2023-1118", "CVE-2023-1281", "CVE-2023-1380", "CVE-2023-1382", "CVE-2023-1390", "CVE-2023-1582", "CVE-2023-25012", "CVE-2023-26545", "CVE-2023-28328", "CVE-2023-28466", "CVE-2023-28772"], "modified": "2023-05-13T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2023-1873.NASL", "href": "https://www.tenable.com/plugins/nessus/175514", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(175514);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/13\");\n\n script_cve_id(\n \"CVE-2021-3923\",\n \"CVE-2022-3707\",\n \"CVE-2022-4269\",\n \"CVE-2022-27672\",\n \"CVE-2022-45934\",\n \"CVE-2023-0045\",\n \"CVE-2023-0461\",\n \"CVE-2023-0590\",\n \"CVE-2023-1073\",\n \"CVE-2023-1074\",\n \"CVE-2023-1076\",\n \"CVE-2023-1079\",\n \"CVE-2023-1095\",\n \"CVE-2023-1118\",\n \"CVE-2023-1281\",\n \"CVE-2023-1380\",\n \"CVE-2023-1382\",\n \"CVE-2023-1390\",\n \"CVE-2023-1582\",\n \"CVE-2023-26545\",\n \"CVE-2023-28328\",\n \"CVE-2023-28466\",\n \"CVE-2023-28772\"\n );\n\n script_name(english:\"EulerOS 2.0 SP9 : kernel (EulerOS-SA-2023-1873)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a\n privileged local account can leak kernel stack information when issuing commands to the\n /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it\n can be further used to defeat existing kernel protection mechanisms. (CVE-2021-3923)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking\n configuration (redirecting egress packets to ingress using TC action 'mirred') a local unprivileged user\n could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a\n retransmission, resulting in a denial of service condition. (CVE-2022-4269)\n\n - An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c\n has an integer wraparound via L2CAP_CONF_REQ packets. (CVE-2022-45934)\n\n - The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The\n ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL\n MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the\n TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to\n the prctl syscall. The patch that added the support for the conditional mitigation via prctl\n (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit\n a664ec9158eeddd75121d39c9a0758016097fa96 (CVE-2023-0045)\n\n - There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local\n privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or\n CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a\n use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can\n install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this\n socket is disconnected and reused as a listener. If a new socket is created from the listener, the context\n is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend\n upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)\n\n - A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race\n problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ('net: sched: fix race\n condition in qdisc_graft()') not applied yet, then kernel could be affected. (CVE-2023-0590)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a\n user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their\n privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may\n occur when a user starts a malicious networking service and someone connects to this service. This could\n allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a\n type confusion in their initialization function. While it will be often correct, as tuntap devices require\n CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This\n would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing\n network filters. (CVE-2023-1076)\n\n - A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when\n plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to\n the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED\n controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led\n structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.\n (CVE-2023-1079)\n\n - In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the\n transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list\n -- the list head is all zeroes, this results in a NULL pointer dereference. (CVE-2023-1095)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege\n Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-\n after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this\n vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git\n commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)\n\n - A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in\n drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur\n when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading\n to a denial of service. (CVE-2023-1380)\n\n - A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This\n issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc\n protocol in the Linux kernel. (CVE-2023-1382)\n\n - A remote denial of service vulnerability was found in the Linux kernel's TIPC kernel module. The while\n loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue.\n Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system\n to instantly spike to 100%, causing a denial of service condition. (CVE-2023-1390)\n\n - A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel.\n This issue may allow a local attacker with user privilege to cause a denial of service. (CVE-2023-1582)\n\n - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure\n (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)\n\n - A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in\n the Linux Kernel. The message from user space is not checked properly before transferring into the device.\n This flaw allows a local user to crash the system or potentially cause a denial of service.\n (CVE-2023-28328)\n\n - do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading\n to a race condition (with a resultant use-after-free or NULL pointer dereference). (CVE-2023-28466)\n\n - An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer\n overflow. (CVE-2023-28772)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2023-1873\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?565c3dd8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-0045\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2023-28772\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/11/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar _release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(_release) || _release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (_release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu && \"x86\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"x86\" >!< cpu) audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"kernel-4.18.0-147.5.1.6.h998.eulerosv2r9\",\n \"kernel-tools-4.18.0-147.5.1.6.h998.eulerosv2r9\",\n \"kernel-tools-libs-4.18.0-147.5.1.6.h998.eulerosv2r9\",\n \"python3-perf-4.18.0-147.5.1.6.h998.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-02T12:05:17", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms. (CVE-2021-3923)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action 'mirred') a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition. (CVE-2022-4269)\n\n - An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets. (CVE-2022-45934)\n\n - The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 (CVE-2023-0045)\n\n - There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)\n\n - A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ('net: sched: fix race condition in qdisc_graft()') not applied yet, then kernel could be affected. (CVE-2023-0590)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters. (CVE-2023-1076)\n\n - A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.\n (CVE-2023-1079)\n\n - In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list\n -- the list head is all zeroes, this results in a NULL pointer dereference. (CVE-2023-1095)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use- after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)\n\n - A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service. (CVE-2023-1380)\n\n - A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc protocol in the Linux kernel. (CVE-2023-1382)\n\n - A remote denial of service vulnerability was found in the Linux kernel's TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue.\n Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition. (CVE-2023-1390)\n\n - A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel.\n This issue may allow a local attacker with user privilege to cause a denial of service. (CVE-2023-1582)\n\n - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)\n\n - A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device.\n This flaw allows a local user to crash the system or potentially cause a denial of service.\n (CVE-2023-28328)\n\n - do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference). (CVE-2023-28466)\n\n - An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow. (CVE-2023-28772)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2023-06-02T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2023-2020)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3923", "CVE-2022-27672", "CVE-2022-3707", "CVE-2022-4269", "CVE-2022-45934", "CVE-2023-0045", "CVE-2023-0461", "CVE-2023-0590", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1076", "CVE-2023-1079", "CVE-2023-1095", "CVE-2023-1118", "CVE-2023-1281", "CVE-2023-1380", "CVE-2023-1382", "CVE-2023-1390", "CVE-2023-1582", "CVE-2023-25012", "CVE-2023-26545", "CVE-2023-28328", "CVE-2023-28466", "CVE-2023-28772"], "modified": "2023-06-02T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:uvp:2.9.0"], "id": "EULEROS_SA-2023-2020.NASL", "href": "https://www.tenable.com/plugins/nessus/176579", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176579);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/06/02\");\n\n script_cve_id(\n \"CVE-2021-3923\",\n \"CVE-2022-3707\",\n \"CVE-2022-4269\",\n \"CVE-2022-27672\",\n \"CVE-2022-45934\",\n \"CVE-2023-0045\",\n \"CVE-2023-0461\",\n \"CVE-2023-0590\",\n \"CVE-2023-1073\",\n \"CVE-2023-1074\",\n \"CVE-2023-1076\",\n \"CVE-2023-1079\",\n \"CVE-2023-1095\",\n \"CVE-2023-1118\",\n \"CVE-2023-1281\",\n \"CVE-2023-1380\",\n \"CVE-2023-1382\",\n \"CVE-2023-1390\",\n \"CVE-2023-1582\",\n \"CVE-2023-26545\",\n \"CVE-2023-28328\",\n \"CVE-2023-28466\",\n \"CVE-2023-28772\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2023-2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a\n privileged local account can leak kernel stack information when issuing commands to the\n /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it\n can be further used to defeat existing kernel protection mechanisms. (CVE-2021-3923)\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking\n configuration (redirecting egress packets to ingress using TC action 'mirred') a local unprivileged user\n could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a\n retransmission, resulting in a denial of service condition. (CVE-2022-4269)\n\n - An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c\n has an integer wraparound via L2CAP_CONF_REQ packets. (CVE-2022-45934)\n\n - The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The\n ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL\n MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the\n TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to\n the prctl syscall. The patch that added the support for the conditional mitigation via prctl\n (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit\n a664ec9158eeddd75121d39c9a0758016097fa96 (CVE-2023-0045)\n\n - There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local\n privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or\n CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a\n use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can\n install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this\n socket is disconnected and reused as a listener. If a new socket is created from the listener, the context\n is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend\n upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)\n\n - A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race\n problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ('net: sched: fix race\n condition in qdisc_graft()') not applied yet, then kernel could be affected. (CVE-2023-0590)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a\n user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their\n privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may\n occur when a user starts a malicious networking service and someone connects to this service. This could\n allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a\n type confusion in their initialization function. While it will be often correct, as tuntap devices require\n CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This\n would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing\n network filters. (CVE-2023-1076)\n\n - A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when\n plugging/disconnecting in a malicious USB device, which advertises itself as an Asus device. Similarly to\n the previous known CVE-2023-25012, but in asus devices, the work_struct may be scheduled by the LED\n controller while the device is disconnecting, triggering a use-after-free on the struct asus_kbd_leds *led\n structure. A malicious USB device may exploit the issue to cause memory corruption with controlled data.\n (CVE-2023-1079)\n\n - In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the\n transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list\n -- the list head is all zeroes, this results in a NULL pointer dereference. (CVE-2023-1095)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege\n Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-\n after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this\n vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git\n commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)\n\n - A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in\n drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur\n when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading\n to a denial of service. (CVE-2023-1380)\n\n - A data race flaw was found in the Linux kernel, between where con is allocated and con->sock is set. This\n issue leads to a NULL pointer dereference when accessing con->sock->sk in net/tipc/topsrv.c in the tipc\n protocol in the Linux kernel. (CVE-2023-1382)\n\n - A remote denial of service vulnerability was found in the Linux kernel's TIPC kernel module. The while\n loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue.\n Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system\n to instantly spike to 100%, causing a denial of service condition. (CVE-2023-1390)\n\n - A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel.\n This issue may allow a local attacker with user privilege to cause a denial of service. (CVE-2023-1582)\n\n - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure\n (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)\n\n - A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in\n the Linux Kernel. The message from user space is not checked properly before transferring into the device.\n This flaw allows a local user to crash the system or potentially cause a denial of service.\n (CVE-2023-28328)\n\n - do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading\n to a race condition (with a resultant use-after-free or NULL pointer dereference). (CVE-2023-28466)\n\n - An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer\n overflow. (CVE-2023-28772)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2023-2020\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?229190b4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-0045\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2023-28772\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/11/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/06/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar _release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(_release) || _release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu && \"x86\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"x86\" >!< cpu) audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"kernel-4.18.0-147.5.1.6.h998.eulerosv2r9\",\n \"kernel-tools-4.18.0-147.5.1.6.h998.eulerosv2r9\",\n \"kernel-tools-libs-4.18.0-147.5.1.6.h998.eulerosv2r9\",\n \"python3-perf-4.18.0-147.5.1.6.h998.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-04T12:51:33", "description": "The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6134-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in net/sched/sch_api.c. (CVE-2022-47929)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system. (CVE-2023-0386)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the access_ok check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 (CVE-2023-0459)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use- after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. (CVE-2023-1513)\n\n - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem. (CVE-2023-1652)\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate filters in case of a perfect hashes while deleting the underlying structure which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8. (CVE-2023-1872)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-260821414References: Upstream kernel (CVE-2023-21102)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-06-02T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS : Linux kernel (Intel IoTG) vulnerabilities (USN-6134-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-47929", "CVE-2022-4842", "CVE-2023-0386", "CVE-2023-0394", "CVE-2023-0458", "CVE-2023-0459", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1281", "CVE-2023-1513", "CVE-2023-1652", "CVE-2023-1829", "CVE-2023-1872", "CVE-2023-20938", "CVE-2023-21102", "CVE-2023-2162", "CVE-2023-26545", "CVE-2023-32269"], "modified": "2023-06-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1030-intel-iotg", "p-cpe:/a:canonical:ubuntu_linux:linux-image-intel-iotg"], "id": "UBUNTU_USN-6134-1.NASL", "href": "https://www.tenable.com/plugins/nessus/176616", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-6134-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176616);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/06/02\");\n\n script_cve_id(\n \"CVE-2022-3707\",\n \"CVE-2022-4129\",\n \"CVE-2022-4842\",\n \"CVE-2022-27672\",\n \"CVE-2022-47929\",\n \"CVE-2023-0386\",\n \"CVE-2023-0394\",\n \"CVE-2023-0458\",\n \"CVE-2023-0459\",\n \"CVE-2023-1073\",\n \"CVE-2023-1074\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1118\",\n \"CVE-2023-1281\",\n \"CVE-2023-1513\",\n \"CVE-2023-1652\",\n \"CVE-2023-1829\",\n \"CVE-2023-1872\",\n \"CVE-2023-2162\",\n \"CVE-2023-20938\",\n \"CVE-2023-21102\",\n \"CVE-2023-26545\",\n \"CVE-2023-32269\"\n );\n script_xref(name:\"USN\", value:\"6134-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS : Linux kernel (Intel IoTG) vulnerabilities (USN-6134-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-6134-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing\n sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw\n to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows\n an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control\n configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in\n net/sched/sch_api.c. (CVE-2022-47929)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A\n local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with\n capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from\n a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges\n on the system. (CVE-2023-0386)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network\n subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The\n resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be\n used to leak the contents. We recommend upgrading past version 6.1.8 or commit\n 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec\n allowing a user to bypass the access_ok check and pass a kernel pointer to copy_from_user(). This would\n allow an attacker to leak information. We recommend upgrading beyond commit\n 74e19ef0ff8061ef55957c3abd71614ef0f42f47 (CVE-2023-0459)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a\n user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their\n privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may\n occur when a user starts a malicious networking service and someone connects to this service. This could\n allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,\n potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field\n that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The\n rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user\n can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info`\n actually points to something else that is potentially controlled by local user. It is known how to trigger\n this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege\n Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-\n after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this\n vulnerability to elevate its privileges to root. This issue affects Linux Kernel: from 4.14 before git\n commit ee059170b1f7e94e55fa6cadee544e176a6e59c2. (CVE-2023-1281)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some\n uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an\n information leak. (CVE-2023-1513)\n\n - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the\n Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel\n information leak problem. (CVE-2023-1652)\n\n - A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited\n to achieve local privilege escalation. The tcindex_delete function which does not properly deactivate\n filters in case of a perfect hashes while deleting the underlying structure which can later lead to double\n freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.\n We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28. (CVE-2023-1829)\n\n - A use-after-free vulnerability in the Linux Kernel io_uring system can be exploited to achieve local\n privilege escalation. The io_file_get_fixed function lacks the presence of ctx->uring_lock which can lead\n to a Use-After-Free vulnerability due a race condition with fixed files getting unregistered. We recommend\n upgrading past commit da24142b1ef9fd5d36b76e36bab328a5b27523e8. (CVE-2023-1872)\n\n - In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input\n validation. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-257685302References: Upstream kernel (CVE-2023-20938)\n\n - In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to\n a logic error in the code. This could lead to local escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-260821414References: Upstream kernel (CVE-2023-21102)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in\n SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure\n (for registering the sysctl table under a new location) during the renaming of a device. (CVE-2023-26545)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-\n after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order\n for an attacker to exploit this, the system must have netrom routing configured or the attacker must have\n the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-6134-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-21102\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/06/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1030-intel-iotg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-intel-iotg\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n var kernel_pattern;\n var kernel_mappings;\n var extra = '';\n if ('20.04' >< os_release) {\n kernel_pattern = \"^(5.15.0-\\d+-intel-iotg)$\";\n kernel_mappings = {\n \"5.15.0-\\d+-intel-iotg\" : \"5.15.0-1030\"\n };\n };\n if (! preg(pattern:kernel_pattern, string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6134-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-3707', 'CVE-2022-4129', 'CVE-2022-4842', 'CVE-2022-27672', 'CVE-2022-47929', 'CVE-2023-0386', 'CVE-2023-0394', 'CVE-2023-0458', 'CVE-2023-0459', 'CVE-2023-1073', 'CVE-2023-1074', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1118', 'CVE-2023-1281', 'CVE-2023-1513', 'CVE-2023-1652', 'CVE-2023-1829', 'CVE-2023-1872', 'CVE-2023-2162', 'CVE-2023-20938', 'CVE-2023-21102', 'CVE-2023-26545', 'CVE-2023-32269');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6134-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T15:25:07", "description": "The remote Ubuntu 22.04 LTS / 22.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6096-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). (CVE-2022-36280)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of- bounds write may occur. (CVE-2022-48423)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur. (CVE-2022-48424)\n\n - A bug affects the Linux kernel's ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. (CVE-2023-0210)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. (CVE-2023-1513)\n\n - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem. (CVE-2023-1652)\n\n - In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-260821414References: Upstream kernel (CVE-2023-21102)\n\n - In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-265016072References: Upstream kernel (CVE-2023-21106)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)\n\n - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23455)\n\n - In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size. (CVE-2023-26544)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in net/sched/sch_api.c. (CVE-2022-47929) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-23T00:00:00", "type": "nessus", "title": "Ubuntu 22.04 LTS / 22.10 : Linux kernel vulnerabilities (USN-6096-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672", "CVE-2022-36280", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-47929", "CVE-2022-4842", "CVE-2022-48423", "CVE-2022-48424", "CVE-2023-0210", "CVE-2023-0394", "CVE-2023-0458", "CVE-2023-0459", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-1652", "CVE-2023-21102", "CVE-2023-21106", "CVE-2023-2162", "CVE-2023-23454", "CVE-2023-23455", "CVE-2023-26544", "CVE-2023-32269"], "modified": "2023-05-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1024-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp"], "id": "UBUNTU_USN-6096-1.NASL", "href": "https://www.tenable.com/plugins/nessus/176226", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-6096-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176226);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/23\");\n\n script_cve_id(\n \"CVE-2022-3707\",\n \"CVE-2022-4129\",\n \"CVE-2022-4842\",\n \"CVE-2022-27672\",\n \"CVE-2022-36280\",\n \"CVE-2022-48423\",\n \"CVE-2022-48424\",\n \"CVE-2023-0210\",\n \"CVE-2023-0394\",\n \"CVE-2023-0458\",\n \"CVE-2023-0459\",\n \"CVE-2023-1073\",\n \"CVE-2023-1074\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1118\",\n \"CVE-2023-1513\",\n \"CVE-2023-1652\",\n \"CVE-2023-2162\",\n \"CVE-2023-21102\",\n \"CVE-2023-21106\",\n \"CVE-2023-23454\",\n \"CVE-2023-23455\",\n \"CVE-2023-26544\",\n \"CVE-2023-32269\"\n );\n script_xref(name:\"USN\", value:\"6096-1\");\n\n script_name(english:\"Ubuntu 22.04 LTS / 22.10 : Linux kernel vulnerabilities (USN-6096-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 22.04 LTS / 22.10 host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-6096-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in\n drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128\n (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing\n a denial of service(DoS). (CVE-2022-36280)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing\n sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw\n to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A\n local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-\n bounds write may occur. (CVE-2022-48423)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An\n unhandled page fault may occur. (CVE-2022-48424)\n\n - A bug affects the Linux kernel's ksmbd NTLMv2 authentication and is known to crash the OS immediately in\n Linux-based systems. (CVE-2023-0210)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network\n subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The\n resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be\n used to leak the contents. We recommend upgrading past version 6.1.8 or commit\n 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a\n user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their\n privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may\n occur when a user starts a malicious networking service and someone connects to this service. This could\n allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,\n potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field\n that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The\n rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user\n can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info`\n actually points to something else that is potentially controlled by local user. It is known how to trigger\n this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some\n uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an\n information leak. (CVE-2023-1513)\n\n - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the\n Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel\n information leak problem. (CVE-2023-1652)\n\n - In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to\n a logic error in the code. This could lead to local escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-260821414References: Upstream kernel (CVE-2023-21102)\n\n - In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This\n could lead to local escalation of privilege with no additional execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-265016072References: Upstream kernel (CVE-2023-21106)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in\n SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial\n of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes\n indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)\n\n - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial\n of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition\n rather than valid classification results). (CVE-2023-23455)\n\n - In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a\n difference between NTFS sector size and media sector size. (CVE-2023-26544)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-\n after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order\n for an attacker to exploit this, the system must have netrom routing configured or the attacker must have\n the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows\n an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control\n configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in\n net/sched/sch_api.c. (CVE-2022-47929) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-6096-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-26544\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1024-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(22\\.04|22\\.10)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04 / 22.10', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n var kernel_pattern;\n var kernel_mappings;\n var extra = '';\n if (preg(pattern:\"^22.04$\", string:os_release)) {\n kernel_pattern = \"^5.19.0-\\d+-(generic|generic-64k|generic-lpae)$\";\n kernel_mappings = {\n \"5.19.0-\\d+(-generic|-generic-64k|-generic-lpae)\" : \"5.19.0-42\"\n };\n };\n if (preg(pattern:\"^22.10$\", string:os_release)) {\n kernel_pattern = \"^(5.19.0-\\d+-gcp)$\";\n kernel_mappings = {\n \"5.19.0-\\d+-gcp\" : \"5.19.0-1024\"\n };\n };\n if (! preg(pattern:kernel_pattern, string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6096-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-3707', 'CVE-2022-4129', 'CVE-2022-4842', 'CVE-2022-27672', 'CVE-2022-36280', 'CVE-2022-48423', 'CVE-2022-48424', 'CVE-2023-0210', 'CVE-2023-0394', 'CVE-2023-0458', 'CVE-2023-0459', 'CVE-2023-1073', 'CVE-2023-1074', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1118', 'CVE-2023-1513', 'CVE-2023-1652', 'CVE-2023-2162', 'CVE-2023-21102', 'CVE-2023-21106', 'CVE-2023-23454', 'CVE-2023-23455', 'CVE-2023-26544', 'CVE-2023-32269');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6096-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T15:24:35", "description": "The remote Ubuntu 22.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6091-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). (CVE-2022-36280)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of- bounds write may occur. (CVE-2022-48423)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur. (CVE-2022-48424)\n\n - A bug affects the Linux kernel's ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. (CVE-2023-0210)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. (CVE-2023-1513)\n\n - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem. (CVE-2023-1652)\n\n - In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-260821414References: Upstream kernel (CVE-2023-21102)\n\n - In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-265016072References: Upstream kernel (CVE-2023-21106)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)\n\n - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23455)\n\n - In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size. (CVE-2023-26544)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in net/sched/sch_api.c. (CVE-2022-47929) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-18T00:00:00", "type": "nessus", "title": "Ubuntu 22.10 : Linux kernel vulnerabilities (USN-6091-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-27672", "CVE-2022-36280", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-47929", "CVE-2022-4842", "CVE-2022-48423", "CVE-2022-48424", "CVE-2023-0210", "CVE-2023-0394", "CVE-2023-0458", "CVE-2023-0459", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-1652", "CVE-2023-21102", "CVE-2023-21106", "CVE-2023-2162", "CVE-2023-23454", "CVE-2023-23455", "CVE-2023-26544", "CVE-2023-32269"], "modified": "2023-05-18T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:22.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1022-ibm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1023-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-ibm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle"], "id": "UBUNTU_USN-6091-1.NASL", "href": "https://www.tenable.com/plugins/nessus/176089", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-6091-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176089);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/18\");\n\n script_cve_id(\n \"CVE-2022-3707\",\n \"CVE-2022-4129\",\n \"CVE-2022-4842\",\n \"CVE-2022-27672\",\n \"CVE-2022-36280\",\n \"CVE-2022-48423\",\n \"CVE-2022-48424\",\n \"CVE-2023-0210\",\n \"CVE-2023-0394\",\n \"CVE-2023-0458\",\n \"CVE-2023-0459\",\n \"CVE-2023-1073\",\n \"CVE-2023-1074\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1118\",\n \"CVE-2023-1513\",\n \"CVE-2023-1652\",\n \"CVE-2023-2162\",\n \"CVE-2023-21102\",\n \"CVE-2023-21106\",\n \"CVE-2023-23454\",\n \"CVE-2023-23455\",\n \"CVE-2023-26544\",\n \"CVE-2023-32269\"\n );\n script_xref(name:\"USN\", value:\"6091-1\");\n\n script_name(english:\"Ubuntu 22.10 : Linux kernel vulnerabilities (USN-6091-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 22.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nUSN-6091-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in\n drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128\n (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing\n a denial of service(DoS). (CVE-2022-36280)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing\n sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw\n to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A\n local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-\n bounds write may occur. (CVE-2022-48423)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An\n unhandled page fault may occur. (CVE-2022-48424)\n\n - A bug affects the Linux kernel's ksmbd NTLMv2 authentication and is known to crash the OS immediately in\n Linux-based systems. (CVE-2023-0210)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network\n subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The\n resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be\n used to leak the contents. We recommend upgrading past version 6.1.8 or commit\n 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a\n user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their\n privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may\n occur when a user starts a malicious networking service and someone connects to this service. This could\n allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,\n potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field\n that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The\n rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user\n can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info`\n actually points to something else that is potentially controlled by local user. It is known how to trigger\n this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some\n uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an\n information leak. (CVE-2023-1513)\n\n - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the\n Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel\n information leak problem. (CVE-2023-1652)\n\n - In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to\n a logic error in the code. This could lead to local escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-260821414References: Upstream kernel (CVE-2023-21102)\n\n - In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This\n could lead to local escalation of privilege with no additional execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-265016072References: Upstream kernel (CVE-2023-21106)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in\n SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial\n of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes\n indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)\n\n - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial\n of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition\n rather than valid classification results). (CVE-2023-23455)\n\n - In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a\n difference between NTFS sector size and media sector size. (CVE-2023-26544)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-\n after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order\n for an attacker to exploit this, the system must have netrom routing configured or the attacker must have\n the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows\n an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control\n configuration that is set up with tc qdisc and tc class commands. This affects qdisc_graft in\n net/sched/sch_api.c. (CVE-2022-47929) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-6091-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-26544\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1022-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1023-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(22\\.10)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.10', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n var kernel_pattern;\n var kernel_mappings;\n var extra = '';\n if (preg(pattern:\"^22.10$\", string:os_release)) {\n kernel_pattern = \"^5.19.0-\\d+-(ibm|oracle)$\";\n kernel_mappings = {\n \"5.19.0-\\d+-ibm\" : \"5.19.0-1022\",\n \"5.19.0-\\d+-oracle\" : \"5.19.0-1023\"\n };\n };\n if (! preg(pattern:kernel_pattern, string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6091-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-3707', 'CVE-2022-4129', 'CVE-2022-4842', 'CVE-2022-27672', 'CVE-2022-36280', 'CVE-2022-48423', 'CVE-2022-48424', 'CVE-2023-0210', 'CVE-2023-0394', 'CVE-2023-0458', 'CVE-2023-0459', 'CVE-2023-1073', 'CVE-2023-1074', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1118', 'CVE-2023-1513', 'CVE-2023-1652', 'CVE-2023-2162', 'CVE-2023-21102', 'CVE-2023-21106', 'CVE-2023-23454', 'CVE-2023-23455', 'CVE-2023-26544', 'CVE-2023-32269');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6091-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T15:23:43", "description": "The remote Ubuntu 22.04 LTS / 22.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6079-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128 (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). (CVE-2022-36280)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of- bounds write may occur. (CVE-2022-48423)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur. (CVE-2022-48424)\n\n - A bug affects the Linux kernel's ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems. (CVE-2023-0210)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info` actually points to something else that is potentially controlled by local user. It is known how to trigger this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak. (CVE-2023-1513)\n\n - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem. (CVE-2023-1652)\n\n - In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-260821414References: Upstream kernel (CVE-2023-21102)\n\n - In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-265016072References: Upstream kernel (CVE-2023-21106)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)\n\n - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23455)\n\n - In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size. (CVE-2023-26544)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - AMD recommends using a software mitigation for this issue, which the kernel is enabling by default. The Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on AMD instances (*5a*). This is done by default, and no administrator action is needed. (CVE-2021-26341) (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-17T00:00:00", "type": "nessus", "title": "Ubuntu 22.04 LTS / 22.10 : Linux kernel vulnerabilities (USN-6079-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26341", "CVE-2022-27672", "CVE-2022-36280", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-4842", "CVE-2022-48423", "CVE-2022-48424", "CVE-2023-0210", "CVE-2023-0394", "CVE-2023-0458", "CVE-2023-0459", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-1652", "CVE-2023-21102", "CVE-2023-21106", "CVE-2023-2162", "CVE-2023-23454", "CVE-2023-23455", "CVE-2023-26544", "CVE-2023-32269"], "modified": "2023-05-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1018--raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1018--raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1023-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1024--lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1024--lowlatency-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1025-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1026-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm"], "id": "UBUNTU_USN-6079-1.NASL", "href": "https://www.tenable.com/plugins/nessus/175914", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-6079-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(175914);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/17\");\n\n script_cve_id(\n \"CVE-2022-3707\",\n \"CVE-2022-4129\",\n \"CVE-2022-4842\",\n \"CVE-2022-27672\",\n \"CVE-2022-36280\",\n \"CVE-2022-48423\",\n \"CVE-2022-48424\",\n \"CVE-2023-0210\",\n \"CVE-2023-0394\",\n \"CVE-2023-0458\",\n \"CVE-2023-0459\",\n \"CVE-2023-1073\",\n \"CVE-2023-1074\",\n \"CVE-2023-1075\",\n \"CVE-2023-1078\",\n \"CVE-2023-1118\",\n \"CVE-2023-1513\",\n \"CVE-2023-1652\",\n \"CVE-2023-2162\",\n \"CVE-2023-21102\",\n \"CVE-2023-21106\",\n \"CVE-2023-23454\",\n \"CVE-2023-23455\",\n \"CVE-2023-26544\",\n \"CVE-2023-32269\"\n );\n script_xref(name:\"USN\", value:\"6079-1\");\n\n script_name(english:\"Ubuntu 22.04 LTS / 22.10 : Linux kernel vulnerabilities (USN-6079-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 22.04 LTS / 22.10 host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-6079-1 advisory.\n\n - When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the\n sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)\n\n - An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in\n drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128\n (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing\n a denial of service(DoS). (CVE-2022-36280)\n\n - A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card\n system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could\n allow a local user to crash the system. (CVE-2022-3707)\n\n - A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing\n sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw\n to potentially crash the system causing a denial of service. (CVE-2022-4129)\n\n - A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A\n local user could use this flaw to crash the system. (CVE-2022-4842)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/record.c does not validate resident attribute names. An out-of-\n bounds write may occur. (CVE-2022-48423)\n\n - In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An\n unhandled page fault may occur. (CVE-2022-48424)\n\n - A bug affects the Linux kernel's ksmbd NTLMv2 authentication and is known to crash the OS immediately in\n Linux-based systems. (CVE-2023-0210)\n\n - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network\n subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)\n\n - A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The\n resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be\n used to leak the contents. We recommend upgrading past version 6.1.8 or commit\n 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)\n\n - A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a\n user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their\n privileges on the system. (CVE-2023-1073)\n\n - A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may\n occur when a user starts a malicious networking service and someone connects to this service. This could\n allow a local user to starve resources, causing a denial of service. (CVE-2023-1074)\n\n - A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,\n potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field\n that overlaps with rec->tx_ready. (CVE-2023-1075)\n\n - A flaw was found in the Linux Kernel in RDS (Reliable Datagram Sockets) protocol. The\n rds_rm_zerocopy_callback() uses list_entry() on the head of a list causing a type confusion. Local user\n can trigger this with rds_message_put(). Type confusion leads to `struct rds_msg_zcopy_info *info`\n actually points to something else that is potentially controlled by local user. It is known how to trigger\n this, which causes an out of bounds access, and a lock corruption. (CVE-2023-1078)\n\n - A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the\n way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate\n their privileges on the system. (CVE-2023-1118)\n\n - A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl, on 32-bit systems, there might be some\n uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an\n information leak. (CVE-2023-1513)\n\n - A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the\n Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel\n information leak problem. (CVE-2023-1652)\n\n - In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to\n a logic error in the code. This could lead to local escalation of privilege with no additional execution\n privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android\n kernelAndroid ID: A-260821414References: Upstream kernel (CVE-2023-21102)\n\n - In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This\n could lead to local escalation of privilege with no additional execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-265016072References: Upstream kernel (CVE-2023-21106)\n\n - A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in\n SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.\n (CVE-2023-2162)\n\n - cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial\n of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes\n indicate a TC_ACT_SHOT condition rather than valid classification results). (CVE-2023-23454)\n\n - atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial\n of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition\n rather than valid classification results). (CVE-2023-23455)\n\n - In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a\n difference between NTFS sector size and media sector size. (CVE-2023-26544)\n\n - An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-\n after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order\n for an attacker to exploit this, the system must have netrom routing configured or the attacker must have\n the CAP_NET_ADMIN capability. (CVE-2023-32269)\n\n - AMD recommends using a software mitigation for this issue, which the kernel is enabling by default. The\n Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on\n AMD instances (*5a*). This is done by default, and no administrator action is needed. (CVE-2021-26341)\n (CVE-2023-0459)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-6079-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-26544\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--lowlatency-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image--raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1018--raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1018--raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1023-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1024--lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1024--lowlatency-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1025-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-1026-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.19.0-42--generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(22\\.04|22\\.10)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04 / 22.10', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n var kernel_pattern;\n var kernel_mappings;\n var extra = '';\n if (preg(pattern:\"^22.04$\", string:os_release)) {\n kernel_pattern = \"^(5.19.0-\\d+-azure)$\";\n kernel_mappings = {\n \"5.19.0-\\d+-azure\" : \"5.19.0-1026\"\n };\n };\n if (preg(pattern:\"^22.10$\", string:os_release)) {\n kernel_pattern = \"^5.19.0-\\d+-(aws|azure|generic|generic-64k|generic-lpae|kvm|lowlatency|lowlatency-64k|raspi|raspi-nolpae)$\";\n kernel_mappings = {\n \"5.19.0-\\d+(-generic|-generic-64k|-generic-lpae)\" : \"5.19.0-42\",\n \"5.19.0-\\d+(-lowlatency|-lowlatency-64k)\" : \"5.19.0-1024\",\n \"5.19.0-\\d+(-raspi|-raspi-nolpae)\" : \"5.19.0-1018\",\n \"5.19.0-\\d+-aws\" : \"5.19.0-1025\",\n \"5.19.0-\\d+-azure\" : \"5.19.0-1026\",\n \"5.19.0-\\d+-kvm\" : \"5.19.0-1023\"\n };\n };\n if (! preg(pattern:kernel_pattern, string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D.*?)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6079-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-3707', 'CVE-2022-4129', 'CVE-2022-4842', 'CVE-2022-27672', 'CVE-2022-36280', 'CVE-2022-48423', 'CVE-2022-48424', 'CVE-2023-0210', 'CVE-2023-0394', 'CVE-2023-0458', 'CVE-2023-0459', 'CVE-2023-1073', 'CVE-2023-1074', 'CVE-2023-1075', 'CVE-2023-1078', 'CVE-2023-1118', 'CVE-2023-1513', 'CVE-2023-1652', 'CVE-2023-2162', 'CVE-2023-21102', 'CVE-2023-21106', 'CVE-2023-23454', 'CVE-2023-23455', 'CVE-2023-26544', 'CVE-2023-32269');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6079-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "debiancve": [{"lastseen": "2023-06-03T14:41:28", "description": "When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-03-01T08:15:00", "type": "debiancve", "title": "CVE-2022-27672", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.0, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672"], "modified": "2023-03-01T08:15:00", "id": "DEBIANCVE:CVE-2022-27672", "href": "https://security-tracker.debian.org/tracker/CVE-2022-27672", "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}}], "ubuntucve": [{"lastseen": "2023-06-04T13:12:30", "description": "When SMT is enabled, certain AMD processors may speculatively execute\ninstructions using a target from the sibling thread after an SMT mode\nswitch potentially resulting in information disclosure.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | hypervisor packages are in universe. For issues in the hypervisor, add appropriate tags to each section, ex: Tags_xen: universe-binary\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-03-01T00:00:00", "type": "ubuntucve", "title": "CVE-2022-27672", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.0, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672"], "modified": "2023-03-01T00:00:00", "id": "UB:CVE-2022-27672", "href": "https://ubuntu.com/security/CVE-2022-27672", "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}}], "redhatcve": [{"lastseen": "2023-06-03T14:44:02", "description": "A flaw was found in HW. When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch, potentially resulting in information disclosure.\n#### Mitigation\n\nThe current mitigations for spectre V4 (or spectre_v2) should mitigate this flaw, no additional steps will need to be taken. \n\n\nIn more details, according to the article \n<https://kernel.org/doc/html//next/admin-guide/hw-vuln/cross-thread-rsb.html> \n\n\nTwo mitigations are needed: \n\n\n1) Stuff the RSB during context switch which is already being done in RHEL8/RHEL9 as long as the spectre_v2 mitigation is active. \n2) For KVM, the mitigation for the KVM_CAP_X86_DISABLE_EXITS capability can be turned on using the boolean module parameter mitigate_smt_rsb, e.g. vm.mitigate_smt_rsb=1. \n\n\nThe command to check if mitigation is active: \ncat /sys/devices/system/cpu/vulnerabilities/spectre_v2 \n\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-03-02T12:29:59", "type": "redhatcve", "title": "CVE-2022-27672", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.0, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672"], "modified": "2023-04-06T09:22:27", "id": "RH:CVE-2022-27672", "href": "https://access.redhat.com/security/cve/cve-2022-27672", "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-06-03T14:31:33", "description": "When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-03-01T08:15:00", "type": "cve", "title": "CVE-2022-27672", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.0, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672"], "modified": "2023-03-10T01:55:00", "cpe": ["cpe:/o:amd:ryzen_5_5500u_firmware:-", "cpe:/o:amd:ryzen_threadripper_2920x_firmware:-", "cpe:/o:amd:a12-9730p_firmware:-", "cpe:/o:amd:ryzen_7_2800h_firmware:-", "cpe:/o:amd:a6-9220_firmware:-", "cpe:/o:amd:athlon_x4_835_firmware:-", "cpe:/o:amd:ryzen_5_3580u_firmware:-", "cpe:/o:amd:ryzen_3_3100_firmware:-", "cpe:/o:amd:epyc_embedded_735p_firmware:-", "cpe:/o:amd:ryzen_5_3600x_firmware:-", "cpe:/o:amd:athlon_pro_3145b_firmware:-", "cpe:/o:amd:ryzen_7_3800x_firmware:-", "cpe:/o:amd:a9-9410_firmware:-", "cpe:/o:amd:ryzen_3_pro_3300u_firmware:-", "cpe:/o:amd:ryzen_9_5900hx_firmware:-", "cpe:/o:amd:epyc_embedded_3151_firmware:-", "cpe:/o:amd:ryzen_5_2500u_firmware:-", "cpe:/o:amd:ryzen_threadripper_pro_5955wx_firmware:-", "cpe:/o:amd:ryzen_3_5300u_firmware:-", "cpe:/o:amd:epyc_embedded_7551_firmware:-", "cpe:/o:amd:athlon_x4_830_firmware:-", "cpe:/o:amd:ryzen_5_3500x_firmware:-", "cpe:/o:amd:ryzen_7_5800hs_firmware:-", "cpe:/o:amd:epyc_7552_firmware:-", "cpe:/o:amd:ryzen_7_3700x_firmware:-", "cpe:/o:amd:epyc_embedded_3251_firmware:-", "cpe:/o:amd:ryzen_7_5825u_firmware:-", "cpe:/o:amd:ryzen_3_1200_firmware:-", "cpe:/o:amd:ryzen_threadripper_3990x_firmware:-", "cpe:/o:amd:epyc_embedded_3551_firmware:-", "cpe:/o:amd:ryzen_5_3600_firmware:-", "cpe:/o:amd:ryzen_5_4600h_firmware:-", "cpe:/o:amd:ryzen_9_5980hs_firmware:-", "cpe:/o:amd:ryzen_5_5600h_firmware:-", "cpe:/o:amd:ryzen_7_4700ge_firmware:-", "cpe:/o:amd:ryzen_5_3600xt_firmware:-", "cpe:/o:amd:ryzen_7_2700u_firmware:-", "cpe:/o:amd:epyc_7262_firmware:-", "cpe:/o:amd:epyc_embedded_7601_firmware:-", "cpe:/o:amd:a4-9120c_firmware:-", "cpe:/o:amd:athlon_x4_870k_firmware:-", "cpe:/o:amd:ryzen_5_2600h_firmware:-", "cpe:/o:amd:athlon_pro_3045b_firmware:-", "cpe:/o:amd:ryzen_3_2200u_firmware:-", "cpe:/o:amd:ryzen_3_5400u_firmware:-", "cpe:/o:amd:epyc_embedded_740p_firmware:-", "cpe:/o:amd:ryzen_3_4300ge_firmware:-", "cpe:/o:amd:athlon_gold_7220u_firmware:-", "cpe:/o:amd:ryzen_9_3900x_firmware:-", "cpe:/o:amd:epyc_7542_firmware:-", "cpe:/o:amd:ryzen_9_3950x_firmware:-", "cpe:/o:amd:ryzen_5_4600ge_firmware:-", "cpe:/o:amd:ryzen_7_5800h_firmware:-", "cpe:/o:amd:athlon_pro_300u_firmware:-", "cpe:/o:amd:ryzen_5_4500u_firmware:-", "cpe:/o:amd:athlon_silver_7120u_firmware:-", "cpe:/o:amd:ryzen_9_5980hx_firmware:-", "cpe:/o:amd:epyc_7402p_firmware:-", "cpe:/o:amd:athlon_silver_3050c_firmware:-", "cpe:/o:amd:ryzen_threadripper_pro_5965wx_firmware:-", "cpe:/o:amd:epyc_embedded_3255_firmware:-", "cpe:/o:amd:a6-9210_firmware:-", "cpe:/o:amd:athlon_silver_3050u_firmware:-", "cpe:/o:amd:athlon_gold_3150c_firmware:-", "cpe:/o:amd:epyc_7642_firmware:-", "cpe:/o:amd:ryzen_7_4800u_firmware:-", "cpe:/o:amd:epyc_embedded_7371_firmware:-", "cpe:/o:amd:ryzen_5_2600x_firmware:-", "cpe:/o:amd:epyc_7702p_firmware:-", "cpe:/o:amd:athlon_x4_880k_firmware:-", "cpe:/o:amd:ryzen_7_3700u_firmware:-", "cpe:/o:amd:athlon_x4_840_firmware:-", "cpe:/o:amd:athlon_x4_860k_firmware:-", "cpe:/o:amd:ryzen_7_5700u_firmware:-", "cpe:/o:amd:ryzen_9_4900h_firmware:-", "cpe:/o:amd:ryzen_3_3300x_firmware:-", "cpe:/o:amd:ryzen_5_2500x_firmware:-", "cpe:/o:amd:epyc_7702_firmware:-", "cpe:/o:amd:epyc_embedded_7501_firmware:-", "cpe:/o:amd:epyc_embedded_7451_firmware:-", "cpe:/o:amd:epyc_embedded_3201_firmware:-", "cpe:/o:amd:ryzen_7_3800xt_firmware:-", "cpe:/o:amd:epyc_7h12_firmware:-", "cpe:/o:amd:athlon_x4_940_firmware:-", "cpe:/o:amd:epyc_7f72_firmware:-", "cpe:/o:amd:epyc_7402_firmware:-", "cpe:/o:amd:athlon_x4_845_firmware:-", "cpe:/o:amd:epyc_embedded_3101_firmware:-", "cpe:/o:amd:epyc_7662_firmware:-", "cpe:/o:amd:a10-9600p_firmware:-", "cpe:/o:amd:ryzen_9_3900_firmware:-", "cpe:/o:amd:epyc_7302_firmware:-", "cpe:/o:amd:epyc_7f52_firmware:-", "cpe:/o:amd:ryzen_7_4700g_firmware:-", "cpe:/o:amd:ryzen_5_3550h_firmware:-", "cpe:/o:amd:ryzen_threadripper_3970x_firmware:-", "cpe:/o:amd:ryzen_7_2700_firmware:-", "cpe:/o:amd:ryzen_threadripper_pro_5995wx_firmware:-", "cpe:/o:amd:ryzen_5_pro_3500u_firmware:-", "cpe:/o:amd:ryzen_7_pro_5850u_firmware:-", "cpe:/o:amd:epyc_embedded_7281_firmware:-", "cpe:/o:amd:ryzen_3_2300u_firmware:-", "cpe:/o:amd:epyc_7f32_firmware:-", "cpe:/o:amd:athlon_gold_3150u_firmware:-", "cpe:/o:amd:epyc_embedded_3451_firmware:-", "cpe:/o:amd:ryzen_threadripper_2950x_firmware:-", "cpe:/o:amd:ryzen_5_3500_firmware:-", "cpe:/o:amd:a12-9700p_firmware:-", "cpe:/o:amd:ryzen_7_4700u_firmware:-", "cpe:/o:amd:ryzen_9_3900xt_firmware:-", "cpe:/o:amd:ryzen_threadripper_2970wx_firmware:-", "cpe:/o:amd:epyc_embedded_7301_firmware:-", "cpe:/o:amd:a4-9120_firmware:-", "cpe:/o:amd:ryzen_7_2700x_firmware:-", "cpe:/o:amd:ryzen_3_3300u_firmware:-", "cpe:/o:amd:epyc_embedded_7251_firmware:-", "cpe:/o:amd:ryzen_3_4300g_firmware:-", "cpe:/o:amd:ryzen_5_3500u_firmware:-", "cpe:/o:amd:ryzen_5_5600u_firmware:-", "cpe:/o:amd:a6-9220c_firmware:-", "cpe:/o:amd:epyc_embedded_7401_firmware:-", "cpe:/o:amd:ryzen_7_3780u_firmware:-", "cpe:/o:amd:ryzen_threadripper_2990wx_firmware:-", "cpe:/o:amd:ryzen_5_4600u_firmware:-", "cpe:/o:amd:ryzen_threadripper_3960x_firmware:-", "cpe:/o:amd:ryzen_5_5625u_firmware:-", "cpe:/o:amd:epyc_7742_firmware:-", "cpe:/o:amd:ryzen_5_5600hs_firmware:-", "cpe:/o:amd:ryzen_9_5900hs_firmware:-", "cpe:/o:amd:epyc_7282_firmware:-", "cpe:/o:amd:epyc_7502p_firmware:-", "cpe:/o:amd:ryzen_5_2600_firmware:-", "cpe:/o:amd:epyc_embedded_7261_firmware:-", "cpe:/o:amd:ryzen_threadripper_pro_5975w_firmware:-", "cpe:/o:amd:ryzen_7_2700e_firmware:-", "cpe:/o:amd:epyc_embedded_755p_firmware:-", "cpe:/o:amd:a10-9630p_firmware:-", "cpe:/o:amd:ryzen_3_3200u_firmware:-", "cpe:/o:amd:ryzen_9_pro_3900_firmware:-", "cpe:/o:amd:epyc_7532_firmware:-", "cpe:/o:amd:ryzen_3_3250u_firmware:-", "cpe:/o:amd:epyc_7302p_firmware:-", "cpe:/o:amd:ryzen_5_1600_af_firmware:-", "cpe:/o:amd:athlon_x4_950_firmware:-", "cpe:/o:amd:a9-9420_firmware:-", "cpe:/o:amd:ryzen_5_4600g_firmware:-", "cpe:/o:amd:ryzen_threadripper_pro_5945wx_firmware:-", "cpe:/o:amd:ryzen_3_4300u_firmware:-", "cpe:/o:amd:ryzen_7_3750h_firmware:-", "cpe:/o:amd:epyc_7352_firmware:-", "cpe:/o:amd:athlon_x4_750_firmware:-", "cpe:/o:amd:ryzen_7_pro_3700u_firmware:-", "cpe:/o:amd:athlon_x4_970_firmware:-", "cpe:/o:amd:athlon_x4_760k_firmware:-", "cpe:/o:amd:epyc_7272_firmware:-", "cpe:/o:amd:ryzen_7_5800u_firmware:-", "cpe:/o:amd:epyc_7502_firmware:-", "cpe:/o:amd:epyc_7252_firmware:-", "cpe:/o:amd:epyc_7452_firmware:-", "cpe:/o:amd:athlon_silver_3050e_firmware:-", "cpe:/o:amd:ryzen_3_2300x_firmware:-", "cpe:/o:amd:ryzen_3_5425u_firmware:-", "cpe:/o:amd:epyc_7232p_firmware:-", "cpe:/o:amd:ryzen_7_4800h_firmware:-", "cpe:/o:amd:epyc_embedded_7351_firmware:-"], "id": "CVE-2022-27672", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27672", "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:amd:epyc_embedded_735p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_3500_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7501_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_5300u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_5800hs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_870k_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_gold_7220u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_750_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_860k_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_5800u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7532_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_3600x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_4300g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_3300u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_940_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7352_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7662_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a6-9220_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_1200_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_pro_3900_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_970_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7402p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_5625u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_2950x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_4600ge_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_pro_5850u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_5600h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7451_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_2700_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_3700x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_pro_5955wx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7h12_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_pro_5945wx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a10-9630p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_pro_3300u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_3300x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_pro_5995wx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_silver_3050e_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_4700u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_pro_5975w_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_2500u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_4600h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7262_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_3780u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_3551_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7702p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7502p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_3500u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_3151_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7252_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7251_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_3800x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_gold_3150u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7702_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7282_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_2970wx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_3101_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_3201_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_3990x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_silver_7120u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7302p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7401_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_3100_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_3500x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7272_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7f52_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_4800h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_pro_3145b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7f32_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_3960x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_5700u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_5425u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_3550h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_4800u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a4-9120c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_840_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_2800h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7551_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_pro_300u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_5800h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_5600u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_5900hx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_760k_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7452_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_740p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_2300u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a6-9220c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_3580u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_5400u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_4700ge_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_3800xt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_3250u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_2600_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_845_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_835_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7371_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7261_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_silver_3050u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7f72_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_755p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_5980hs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_5980hx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7601_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_3600xt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_3451_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_pro_5965wx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_3251_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a9-9420_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_4500u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_1600_af_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_3600_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a12-9700p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_4700g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7742_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_5900hs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_2920x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_pro_3500u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_2990wx_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_5500u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_4300u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_950_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7402_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_3200u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7542_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7351_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_5825u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7552_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_4300ge_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a12-9730p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7502_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a4-9120_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_2600h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7642_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_3700u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_2200u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7232p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_2600x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_gold_3150c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7281_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a10-9600p_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_silver_3050c_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_7301_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_2700x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_3_2300x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a6-9210_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_3900x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_3900_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_pro_3700u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_pro_3045b_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_3900xt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_7302_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_3950x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_2500x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_9_4900h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_5600hs_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_4600u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_threadripper_3970x_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:athlon_x4_880k_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_2700u_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_2700e_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_7_3750h_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:ryzen_5_4600g_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:epyc_embedded_3255_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:amd:a9-9410_firmware:-:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2023-06-03T15:07:34", "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-02-20T01:20:05", "type": "fedora", "title": "[SECURITY] Fedora 37 Update: xen-4.16.3-2.fc37", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.0, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672"], "modified": "2023-02-20T01:20:05", "id": "FEDORA:08664304CB8B", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MGOIZDZWAGH6T5VV67ZKQN4KZPS2H2PS/", "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-03T15:07:34", "description": "This package contains the XenD daemon and xm command line tools, needed to manage virtual machines running under the Xen hypervisor ", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-03-06T00:54:34", "type": "fedora", "title": "[SECURITY] Fedora 36 Update: xen-4.16.3-3.fc36", "bulletinFamily": "unix", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.0, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672"], "modified": "2023-03-06T00:54:34", "id": "FEDORA:82921304C6F7", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BEVTCEVSKET2DJXJ6H3EDI46KTE3DP5Z/", "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}}], "xen": [{"lastseen": "2023-06-03T15:09:41", "description": "#### ISSUE DESCRIPTION\nIt has been discovered that on some AMD CPUs, the RAS (Return Address Stack, also called RAP - Return Address Predictor - in some AMD documentation, and RSB - Return Stack Buffer - in Intel terminology) is dynamically partitioned between non-idle threads. This allows an attacker to control speculative execution on the adjacent thread.\nFor more details, see: <a href=\"https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045\">https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045</a>\n#### IMPACT\nAn attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests.\n#### VULNERABLE SYSTEMS\nOnly AMD CPUs are known to be potentially vulnerable. CPUs from other hardware vendors are not believed to be impacted.\nOnly the Zen1 and Zen2 microarchitectures are believed to be potentially vulnerable. Other microarchitectures are not believed to be vulnerable.\nOnly configurations with SMT activate are potentially vulnerable. If SMT is disabled by the firmware, or at runtime with `smt=0` on Xen's command line, then the platform is not vulnerable.\nXen 4.16 and later contains an optimisation, specifically:\n c/s afab477fba3b (\"x86/spec-ctrl: Skip RSB overwriting when safe to do so\")\nwhich in combination with disabling 32bit PV guests (either at compile time with CONFIG_PV32=n, or at runtime with `pv=no-32` on the command line) renders Xen vulnerable to attack from PV guests.\nNote: multiple downstreams are known to have backported this optimisation to older versions of Xen. Consult your software vendor documentation.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-02-14T18:02:00", "type": "xen", "title": "x86: Cross-Thread Return Address Predictions", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.0, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672"], "modified": "2023-02-16T17:42:00", "id": "XSA-426", "href": "http://xenbits.xen.org/xsa/advisory-426.html", "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}}], "amd": [{"lastseen": "2023-06-03T16:26:26", "description": "**Bulletin ID:** AMD-SB-1045 \n**Potential Impact:** Information Disclosure \n\n\n## Summary\n\nAMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges. As of this notice, AMD is not aware of any actual real-world exploits based on this behavior.\n\n## CVE Details\n\nCVE-2022-27672\n\nWhen SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. \n\n\n## Affected Products\n\nDesktop\n\n * AMD Athlon\u2122 X4 Processor \n\n * AMD Ryzen\u2122 Threadripper\u2122 PRO Processor \n\n * 2nd Gen AMD Ryzen\u2122 Threadripper\u2122 Processors \n\n * 3rd Gen AMD Ryzen\u2122 Threadripper\u2122 Processors \n\n * 7th Generation AMD A-Series APUs \n\n * AMD Ryzen\u2122 2000 Series Desktop Processors \n\n * AMD Ryzen\u2122 3000 Series Desktop Processors \n\n * AMD Ryzen\u2122 4000 Series Desktop Processors with Radeon\u2122 Graphics \n\n\nMobile \n\n\n * AMD Ryzen\u2122 2000 Series Mobile Processor \n\n * AMD Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics\n * AMD Ryzen\u2122 3000 Series Mobile Processors or 2nd Gen AMD Ryzen\u2122 Mobile processors with Radeon\u2122 Graphics \n\n * AMD Ryzen\u2122 4000 Series Mobile processors with Radeon\u2122 Graphics \n\n * AMD Ryzen\u2122 5000 Series Mobile Processors with Radeon\u2122 Graphics \n\n\nChromebook \n\n\n * AMD Athlon\u2122 Mobile Processors with Radeon\u2122 Graphics \n\n\nServer \n\n\n * 1st Gen AMD EPYC\u2122 Processors \n\n * 2nd Gen AMD EPYC\u2122 Processors \n\n\n## Mitigation\n\nMitigations may be specific to a respective OS/Hypervisor solution. Not all Hypervisor or OS vendors may be impacted. If applicable, an OS update to address this CVE may be available. AMD recommends that you contact your OS partners for details.\n\nAMD recommends OS/Hypervisor developers review code paths that can result in a processor entering an idle state (e.g., HLT/MWAIT/IO C-state). If required, AMD recommends developers to consider the following mitigations: \n\n\n 1. Fill the RAP prior to entering the idle state \n\n\nBefore entering the idle processor state, software can execute a sequence of 32 CALL instructions with non-0 displacement to fill the RAP with \u2018safe\u2019 speculation targets.\n\n 2. Prevent unprivileged transitions to idle state\n\nHVs can prevent guest VMs from directly entering processor idle states by intercepting the HLT, MWAIT, and IN instructions. See APM Volume 2 [1] appendix B for details.\n\nRefer to Glossary for explanation of terms \n\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-02-14T00:00:00", "type": "amd", "title": "Cross-Thread Return Address Predictions", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.0, "vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672"], "modified": "2023-02-14T00:00:00", "id": "AMD-SB-1045", "href": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1045.html", "cvss": {"score": 1.0, "vector": "AV:L/AC:H/Au:S/C:P/I:N/A:N"}}], "oraclelinux": [{"lastseen": "2023-06-05T19:01:37", "description": "[5.4.17-2136.318.7.1.el7]\n- KVM: arm64: Disabling disabled PMU counters wastes a lot of time (Alexandre Chartre) [Orabug: 33312587]\n- KVM: arm64: Don't zero the cycle count register when PMCR_EL0.P is set (Alexandru Elisei) [Orabug: 33312587]\n- KVM: arm64: pmu: Only handle supported event counters (Eric Auger\n[5.4.17-2136.318.7.el8]\n- mm, compaction: Skip all pinned pages during scan (Khalid Aziz) [Orabug: 35251798]\n- xfs: add missing cmap->br_state = XFS_EXT_NORM update (Gao Xiang) [Orabug: 35214060]\n- rds/ib: Fix the softlock-up in RDS cache GC worker (Arumugam Kolappan) [Orabug: 35146761]\n- uek-rpm: Update linux-firmware dependency (Somasundaram Krishnasamy) [Orabug: 33755589]\n[5.4.17-2136.318.6.el8]\n- net/rds: Flip the default value of 'rds_wq_strictly_ordered' (Gerd Rausch)\n [Orabug: 35197635]\n[5.4.17-2136.318.5.el8]\n- udf: Fix file corruption when appending just after end of preallocated extent (Jan Kara) [Orabug: 35192763]\n- selftests/ftrace: Fix bash specific '==' operator (Masami Hiramatsu (Google)) [Orabug: 35192763]\n- arm64: kdump: Increase reserved memory for larger machines (Henry Willard) [Orabug: 35051468]\n- KVM: x86/pmu: Update AMD PMC sample period to fix guest NMI-watchdog (Like Xu) [Orabug: 34729426]\n- KVM: x86/pmu: Introduce pmc->is_paused to reduce the call time of perf interfaces (Like Xu) [Orabug: 34729426]\n- Revert 'perf/x86/uncore: Factor out uncore_device_to_die()' (Thomas Tai) [Orabug: 35053343]\n- Revert 'perf/x86/uncore: Fix potential NULL pointer in uncore_get_alias_name' (Thomas Tai) [Orabug: 35053343]\n- Revert 'perf/x86/uncore: Ignore broken units in discovery table' (Thomas Tai) [Orabug: 35053343]\n- Revert 'perf/x86/uncore: Add a quirk for UPI on SPR' (Thomas Tai) [Orabug: 35053343]\n- Revert 'perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table' (Thomas Tai) [Orabug: 35053343]\n- Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions (Tom Lendacky) [Orabug: 35166671] {CVE-2022-27672}\n- KVM: x86: Mitigate the cross-thread return address predictions bug (Tom Lendacky) [Orabug: 35166671] {CVE-2022-27672}\n- x86/speculation: Identify processors vulnerable to SMT RSB predictions (Tom Lendacky) [Orabug: 35166671] {CVE-2022-27672}\n- uek-rpm: aarch64: embedded: Enable CONFIG_RANDOMIZE_BASE to support ksplice for T93 (Thomas Tai) [Orabug: 35180981]\n- drm/amdkfd: Check for null pointer after calling kmemdup (Jiasheng Jiang) [Orabug: 34951503] {CVE-2022-3108}\n- mm: use padata for copying page ranges in vma_dup() (Anthony Yznaga) [Orabug: 35054622]\n- mm: parallelize unmap_page_range() for some large VMAs (Anthony Yznaga) [Orabug: 35054622]\n- net/rds: serialize up+down-work to relax strict ordering (Gerd Rausch) [Orabug: 35094723]\n- rds: ib: Fix non-parenthetical mutex/semaphore use (Hakon Bugge) [Orabug: 35155114]\n- Revert 'btrfs: free device in btrfs_close_devices for a single device filesystem' (Vijayendra Suman) [Orabug: 35161536]\n[5.4.17-2136.318.4.el8]\n- ipc: update semtimedop() to use hrtimer (Prakash Sangappa) [Orabug: 35069807]\n- rds: ib: Destroy fastreg resources correctly (Hakon Bugge) [Orabug: 35140658]\n- rds: ib: Use one-bit booleans in struct rds_ib_device and keep them adjacent (Hakon Bugge) [Orabug: 35140648]\n- mips64: drivers/watchdog: Add IRQF_NOBALANCING when requesting irq (Thomas Tai) [Orabug: 35159790]\n- net: mana: Fix IRQ name - add PCI and queue number (Haiyang Zhang) [Orabug: 35084730]\n- uek-rpm: Add opbmc to nano rpm (Somasundaram Krishnasamy) [Orabug: 35145857]\n[5.4.17-2136.318.3.el8]\n- vc_screen: don't clobber return value in vcs_read (Thomas WeiBschuh) \n- LTS tag: v5.4.233 (Sherry Yang) \n- bpf: add missing header file include (Linus Torvalds) \n- Revert 'net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs' (Vladimir Oltean) \n- ext4: Fix function prototype mismatch for ext4_feat_ktype (Kees Cook) \n- wifi: mwifiex: Add missing compatible string for SD8787 (Lukas Wunner) \n- uaccess: Add speculation barrier to copy_from_user() (Dave Hansen) \n- mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh (Pavel Skripkin) \n- drm/i915/gvt: fix double free bug in split_2MB_gtt_entry (Zheng Wang) \n- alarmtimer: Prevent starvation by small intervals and SIG_IGN (Thomas Gleixner) \n- powerpc: dts: t208x: Disable 10G on MAC1 and MAC2 (Sean Anderson) \n- can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len (Marc Kleine-Budde) \n- KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS (Jim Mattson) {CVE-2022-2196}\n- KVM: x86: Fail emulation during EMULTYPE_SKIP on any exception (Sean Christopherson) \n- random: always mix cycle counter in add_latent_entropy() (Jason A. Donenfeld) \n- powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G (Sean Anderson) \n- wifi: rtl8xxxu: gen2: Turn on the rate control (Bitterblue Smith) \n- drm/etnaviv: don't truncate physical page address (Lucas Stach) \n- drm: etnaviv: fix common struct sg_table related issues (Marek Szyprowski) \n- scatterlist: add generic wrappers for iterating over sgtable objects (Marek Szyprowski) \n- dma-mapping: add generic helpers for mapping sgtable objects (Marek Szyprowski) \n- LTS tag: v5.4.232 (Sherry Yang) \n- net: sched: sch: Fix off by one in htb_activate_prios() (Dan Carpenter) \n- ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak (Pierre-Louis Bossart) \n- nilfs2: fix underflow in second superblock position calculations (Ryusuke Konishi) \n- kvm: initialize all of the kvm_debugregs structure before sending it to userspace (Greg Kroah-Hartman) \n- i40e: Add checking for null for nlmsg_find_attr() (Natalia Petrova) \n- ipv6: Fix tcp socket connection with DSCP. (Guillaume Nault) \n- ipv6: Fix datagram socket connection with DSCP. (Guillaume Nault) \n- ixgbe: add double of VLAN header when computing the max MTU (Jason Xing) \n- net: mpls: fix stale pointer if allocation fails during device rename (Jakub Kicinski) \n- net: stmmac: Restrict warning on disabling DMA store and fwd mode (Cristian Ciocaltea) \n- bnxt_en: Fix mqprio and XDP ring checking logic (Michael Chan) \n- net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence (Johannes Zink) \n- net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path (Miko Larsson) \n- dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. (Kuniyuki Iwashima) \n- sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list (Pietro Borrello) \n- net: bgmac: fix BCM5358 support by setting correct flags (Rafa Mi ecki) \n- i40e: add double of VLAN header when computing the max MTU (Jason Xing) \n- ixgbe: allow to increase MTU to 3K with XDP enabled (Jason Xing) \n- revert 'squashfs: harden sanity check in squashfs_read_xattr_id_table' (Andrew Morton) \n- net: Fix unwanted sign extension in netdev_stats_to_stats64() (Felix Riemann) \n- Revert 'mm: Always release pages to the buddy allocator in memblock_free_late().' (Aaron Thompson) \n- hugetlb: check for undefined shift on 32 bit architectures (Mike Kravetz) \n- sched/psi: Fix use-after-free in ep_remove_wait_queue() (Munehisa Kamata) \n- ALSA: hda/realtek - fixed wrong gpio assigned (Kailang Yang) \n- ALSA: hda/conexant: add a new hda codec SN6180 (Bo Liu) \n- mmc: mmc_spi: fix error handling in mmc_spi_probe() (Yang Yingliang) \n- mmc: sdio: fix possible resource leaks in some error paths (Yang Yingliang) \n- Revert 'ipv4: Fix incorrect route flushing when source address is deleted' (Shaoying Xu) \n- xfs: sync lazy sb accounting on quiesce of read-only mounts (Brian Foster) \n- xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks (Darrick J. Wong) \n- xfs: ensure inobt record walks always make forward progress (Darrick J. Wong) \n- xfs: fix missing CoW blocks writeback conversion retry (Darrick J. Wong) \n- xfs: fix finobt btree block recovery ordering (Dave Chinner) \n- xfs: remove the xfs_inode_log_item_t typedef (Christoph Hellwig) \n- xfs: remove the xfs_efd_log_item_t typedef (Christoph Hellwig) \n- xfs: remove the xfs_efi_log_item_t typedef (Christoph Hellwig) \n- netfilter: nft_tproxy: restrict to prerouting hook (Florian Westphal) \n- btrfs: free device in btrfs_close_devices for a single device filesystem (Anand Jain) \n- aio: fix mremap after fork null-deref (Seth Jenkins) \n- nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association (Amit Engel) \n- s390/decompressor: specify __decompress() buf len to avoid overflow (Vasily Gorbik) \n- net: sched: sch: Bounds check priority (Kees Cook) \n- net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC (Andrey Konovalov) \n- net/rose: Fix to not accept on connected socket (Hyunwoo Kim) \n- tools/virtio: fix the vringh test for virtio ring changes (Shunsuke Mie) \n- ASoC: cs42l56: fix DT probe (Arnd Bergmann) \n- selftests/bpf: Verify copy_register_state() preserves parent/live fields (Eduard Zingerman) \n- migrate: hugetlb: check for hugetlb shared PMD in node migration (Mike Kravetz) \n- bpf: Always return target ifindex in bpf_fib_lookup (Toke Hoiland-Jorgensen) \n- nvme-pci: Move enumeration by class to be last in the table (Andy Shevchenko) \n- arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive (Heiner Kallweit) \n- arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive (Heiner Kallweit) \n- arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive (Heiner Kallweit) \n- riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte (Guo Ren) \n- ceph: flush cap releases when the session is flushed (Xiubo Li) \n- usb: typec: altmodes/displayport: Fix probe pin assign check (Prashant Malani) \n- usb: core: add quirk for Alcor Link AK9563 smartcard reader (Mark Pearson) \n- net: USB: Fix wrong-direction WARNING in plusb.c (Alan Stern) \n- pinctrl: intel: Restore the pins that used to be in Direct IRQ mode (Andy Shevchenko) \n- pinctrl: single: fix potential NULL dereference (Maxim Korotkov) \n- pinctrl: aspeed: Fix confusing types in return value (Joel Stanley) \n- ALSA: pci: lx6464es: fix a debug loop (Dan Carpenter) \n- selftests: forwarding: lib: quote the sysctl values (Hangbin Liu) \n- ice: Do not use WQ_MEM_RECLAIM flag for workqueue (Anirudh Venkataramanan) \n- net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY (Heiner Kallweit) \n- bonding: fix error checking in bond_debug_reregister() (Qi Zheng) \n- xfrm: fix bug with DSCP copy to v6 from v4 tunnel (Christian Hopps) \n- IB/IPoIB: Fix legacy IPoIB due to wrong number of queues (Dragos Tatulea) \n- IB/hfi1: Restore allocated resources on failed copyout (Dean Luick) \n- can: j1939: do not wait 250 ms if the same addr was already claimed (Devid Antonio Filoni) \n- tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw (Shiju Jose) \n- ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() (Artemii Karasev) \n- btrfs: zlib: zero-initialize zlib workspace (Alexander Potapenko) \n- btrfs: limit device extents to the device size (Josef Bacik) \n- iio:adc:twl6030: Enable measurement of VAC (Andreas Kemnade) \n- wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads (Minsuk Kang) \n- f2fs: fix to do sanity check on i_extra_isize in is_alive() (Chao Yu) \n- fbdev: smscufx: fix error handling code in ufx_usb_probe (Dongliang Mu) \n- powerpc/imc-pmu: Revert nest_init_lock to being a mutex (Michael Ellerman) \n- serial: 8250_dma: Fix DMA Rx rearm race (Ilpo Jarvinen) \n- serial: 8250_dma: Fix DMA Rx completion race (Ilpo Jarvinen) \n- xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() (Zhang Xiaoxu) \n- mm: swap: properly update readahead statistics in unuse_pte_range() (Andrea Righi) \n- nvmem: core: fix cell removal on error (Michael Walle) \n- Squashfs: fix handling and sanity checking of xattr_ids count (Phillip Lougher) \n- mm/swapfile: add cond_resched() in get_swap_pages() (Longlong Xia) \n- fpga: stratix10-soc: Fix return value check in s10_ops_write_init() (Zheng Yongjun) \n- mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps (Mike Kravetz) \n- riscv: disable generation of unwind tables (Andreas Schwab) \n- parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case (Helge Deller) \n- parisc: Fix return code of pdc_iodc_print() (Helge Deller) \n- iio:adc:twl6030: Enable measurements of VUSB, VBAT and others (Andreas Kemnade) \n- iio: adc: berlin2-adc: Add missing of_node_put() in error path (Xiongfeng Wang) \n- iio: hid: fix the retval in accel_3d_capture_sample (Dmitry Perchanov) \n- efi: Accept version 2 of memory attributes table (Ard Biesheuvel) \n- watchdog: diag288_wdt: fix __diag288() inline assembly (Alexander Egorenkov) \n- watchdog: diag288_wdt: do not use stack buffers for hardware data (Alexander Egorenkov) \n- fbcon: Check font dimension limits (Samuel Thibault) \n- Input: i8042 - add Clevo PCX0DX to i8042 quirk table (Werner Sembach) \n- Input: i8042 - add TUXEDO devices to i8042 quirk tables (Werner Sembach) \n- Input: i8042 - merge quirk tables (Werner Sembach) \n- Input: i8042 - move __initconst to fix code styling warning (Werner Sembach) \n- vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF (George Kennedy) \n- usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait (Udipto Goswami) \n- usb: dwc3: qcom: enable vbus override when in OTG dr-mode (Neil Armstrong) \n- usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API (Wesley Cheng) \n- iio: adc: stm32-dfsdm: fill module aliases (Olivier Moysan) \n- net/x25: Fix to not accept on connected socket (Hyunwoo Kim) \n- i2c: rk3x: fix a bunch of kernel-doc warnings (Randy Dunlap) \n- scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress (Mike Christie) \n- scsi: target: core: Fix warning on RT kernels (Maurizio Lombardi) \n- efi: fix potential NULL deref in efi_mem_reserve_persistent (Anton Gusev) \n- net: openvswitch: fix flow memory leak in ovs_flow_cmd_new (Fedor Pchelkin) \n- virtio-net: Keep stop() to follow mirror sequence of open() (Parav Pandit) \n- selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking (Andrei Gherzan) \n- selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs (Andrei Gherzan) \n- selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided (Andrei Gherzan) \n- selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning (Andrei Gherzan) \n- ata: libata: Fix sata_down_spd_limit() when no link speed is reported (Damien Le Moal) \n- can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate (Ziyang Xuan) \n- net: phy: meson-gxl: Add generic dummy stubs for MMD register access (Chris Healy) \n- netfilter: br_netfilter: disable sabotage_in hook after first suppression (Florian Westphal) \n- netrom: Fix use-after-free caused by accept on already connected socket (Hyunwoo Kim) \n- fix 'direction' argument of iov_iter_kvec() (Al Viro) \n- fix iov_iter_bvec() 'direction' argument (Al Viro) \n- WRITE is 'data source', not destination... (Al Viro) \n- scsi: Revert 'scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT' (Martin K. Petersen) \n- arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX (Pierluigi Passaro) \n- ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() (Artemii Karasev) \n- ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use (Andy Shevchenko) \n- bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() (Yuan Can) \n- firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region (Takashi Sakamoto) \n- LTS tag: v5.4.231 (Sherry Yang) \n- usb: host: xhci-plat: add wakeup entry at sysfs (Peter Chen) \n- Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt (Soenke Huster) \n- ipv6: ensure sane device mtu in tunnels (Eric Dumazet) \n- exit: Use READ_ONCE() for all oops/warn limit reads (Kees Cook) \n- docs: Fix path paste-o for /sys/kernel/warn_count (Kees Cook) \n- panic: Expose 'warn_count' to sysfs (Kees Cook) \n- panic: Introduce warn_limit (Kees Cook) \n- panic: Consolidate open-coded panic_on_warn checks (Kees Cook) \n- exit: Allow oops_limit to be disabled (Kees Cook) \n- exit: Expose 'oops_count' to sysfs (Kees Cook) \n- exit: Put an upper limit on how often we can oops (Jann Horn) \n- ia64: make IA64_MCA_RECOVERY bool instead of tristate (Randy Dunlap) \n- csky: Fix function name in csky_alignment() and die() (Nathan Chancellor) \n- h8300: Fix build errors from do_exit() to make_task_dead() transition (Nathan Chancellor) \n- hexagon: Fix function name in die() (Nathan Chancellor) \n- objtool: Add a missing comma to avoid string concatenation (Eric W. Biederman) \n- exit: Add and use make_task_dead. (Eric W. Biederman) \n- mm: kasan: do not panic if both panic_on_warn and kasan_multishot set (David Gow) \n- panic: unset panic_on_warn inside panic() (Tiezhu Yang) \n- sysctl: add a new register_sysctl_init() interface (Xiaoming Ni) \n- dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init (Hui Wang) \n- blk-cgroup: fix missing pd_online_fn() while activating policy (Yu Kuai) \n- bpf: Skip task with pid=1 in send_signal_common() (Hao Sun) \n- ARM: dts: imx: Fix pca9547 i2c-mux node name (Geert Uytterhoeven) \n- x86/asm: Fix an assembler warning with current binutils (Mikulas Patocka) \n- clk: Fix pointer casting to prevent oops in devm_clk_release() (Uwe Kleine-Konig) \n- perf/x86/amd: fix potential integer overflow on shift of a int (Colin Ian King) \n- netfilter: conntrack: unify established states for SCTP paths (Sriram Yagnaraman) \n- x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (Thomas Gleixner) \n- block: fix and cleanup bio_check_ro (Christoph Hellwig) \n- nfsd: Ensure knfsd shuts down when the 'nfsd' pseudofs is unmounted (Trond Myklebust) \n- Revert 'Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode' (Dmitry Torokhov) \n- net: mdio-mux-meson-g12a: force internal PHY off on mux switch (Jerome Brunet) \n- net: xgene: Move shared header file into include/linux (Andrew Lunn) \n- net/phy/mdio-i2c: Move header file to include/linux/mdio (Andrew Lunn) \n- net/tg3: resolve deadlock in tg3_reset_task() during EEH (David Christensen) \n- thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() (Rafael J. Wysocki) \n- net: ravb: Fix possible hang if RIS2_QFF1 happen (Yoshihiro Shimoda) \n- sctp: fail if no bound addresses can be used for a given scope (Marcelo Ricardo Leitner) \n- net/sched: sch_taprio: do not schedule in taprio_reset() (Eric Dumazet) \n- netrom: Fix use-after-free of a listening socket. (Kuniyuki Iwashima) \n- netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE (Sriram Yagnaraman) \n- ipv4: prevent potential spectre v1 gadget in fib_metrics_match() (Eric Dumazet) \n- ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() (Eric Dumazet) \n- netlink: annotate data races around sk_state (Eric Dumazet) \n- netlink: annotate data races around dst_portid and dst_group (Eric Dumazet) \n- netlink: annotate data races around nlk->portid (Eric Dumazet) \n- netfilter: nft_set_rbtree: skip elements in transaction from garbage collection (Pablo Neira Ayuso) \n- net: fix UaF in netns ops registration error path (Paolo Abeni) \n- netlink: prevent potential spectre v1 gadgets (Eric Dumazet) \n- EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info (Manivannan Sadhasivam) \n- EDAC/device: Respect any driver-supplied workqueue polling value (Manivannan Sadhasivam) \n- ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment (Giulio Benetti) \n- thermal: intel: int340x: Protect trip temperature from concurrent updates (Srinivas Pandruvada) \n- KVM: x86/vmx: Do not skip segment attributes if unusable bit is set (Hendrik Borghorst) \n- cifs: Fix oops due to uncleared server->smbd_conn in reconnect (David Howells) \n- ftrace/scripts: Update the instructions for ftrace-bisect.sh (Steven Rostedt (Google)) \n- trace_events_hist: add check for return value of 'create_hist_field' (Natalia Petrova) \n- tracing: Make sure trace_printk() can output as soon as it can be used (Steven Rostedt (Google)) \n- module: Don't wait for GOING modules (Petr Pavlu) \n- scsi: hpsa: Fix allocation size for scsi_host_alloc() (Alexey V. Vissarionov) \n- Bluetooth: hci_sync: cancel cmd_timer if hci_open failed (Archie Pusaka) \n- Revert 'Revert 'xhci: Set HCD flag to defer primary roothub registration'' (Sasha Levin) \n- fs: reiserfs: remove useless new_opts in reiserfs_remount (Dongliang Mu) \n- mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting (Haibo Chen) \n- mmc: sdhci-esdhc-imx: disable the CMD CRC check for standard tuning (Haibo Chen) \n- mmc: sdhci-esdhc-imx: clear pending interrupt and halt cqhci (Haibo Chen) \n- lockref: stop doing cpu_relax in the cmpxchg loop (Mateusz Guzik) \n- platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK (Hans de Goede) \n- platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD (Michael Klein) \n- scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id (Yihang Li) \n- KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (Heiko Carstens) \n- spi: spidev: remove debug messages that access spidev->spi without locking (Bartosz Golaszewski) \n- ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets (Mark Brown) \n- ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 CODEC (Mark Brown) \n- cpufreq: armada-37xx: stop using 0 as NULL pointer (Miles Chen) \n- s390/debug: add _ASM_S390_ prefix to header guard (Niklas Schnelle) \n- drm: Add orientation quirk for Lenovo ideapad D330-10IGL (Patrick Thompson) \n- ASoC: fsl_micfil: Correct the number of steps on SX controls (Chancel Liu) \n- cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist (Sumit Gupta) \n- tcp: fix rate_app_limited to default to 1 (David Morley) \n- net: dsa: microchip: ksz9477: port map correction in ALU table entry register (Rakesh Sankaranarayanan) \n- driver core: Fix test_async_probe_init saves device in wrong array (Chen Zhongjin) \n- w1: fix WARNING after calling w1_process() (Yang Yingliang) \n- w1: fix deadloop in __w1_remove_master_device() (Yang Yingliang) \n- tcp: avoid the lookup process failing to get sk in ehash table (Jason Xing) \n- dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node() (Liu Shixin) \n- dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error handling (Swati Agarwal) \n- dmaengine: xilinx_dma: use devm_platform_ioremap_resource() (Radhey Shyam Pandey) \n- HID: betop: check shape of output reports (Pietro Borrello) \n- net: macb: fix PTP TX timestamp failure due to packet padding (Robert Hancock) \n- dmaengine: Fix double increment of client_count in dma_chan_get() (Koba Ko) \n- drm/panfrost: fix GENERIC_ATOMIC64 dependency (Arnd Bergmann) \n- net: mlx5: eliminate anonymous module_init & module_exit (Randy Dunlap) \n- usb: gadget: f_fs: Ensure ep0req is dequeued before free_request (Udipto Goswami) \n- usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait (Udipto Goswami) \n- HID: revert CHERRY_MOUSE_000C quirk (Jiri Kosina) \n- net: stmmac: fix invalid call to mdiobus_get_phy() (Heiner Kallweit) \n- HID: check empty report_list in bigben_probe() (Pietro Borrello) \n- HID: check empty report_list in hid_validate_values() (Pietro Borrello) \n- net: mdio: validate parameter addr in mdiobus_get_phy() (Heiner Kallweit) \n- net: usb: sr9700: Handle negative len (Szymon Heidrich) \n- l2tp: Don't sleep and disable BH under writer-side sk_callback_lock (Jakub Sitnicki) \n- l2tp: Serialize access to sk_user_data with sk_callback_lock (Jakub Sitnicki) \n- net: fix a concurrency bug in l2tp_tunnel_register() (Gong, Sishuai) \n- net/sched: sch_taprio: fix possible use-after-free (Eric Dumazet) \n- wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid (Szymon Heidrich) \n- gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode (Marek Vasut) \n- net: wan: Add checks for NULL for utdm in undo_uhdlc_init and unmap_si_regs (Esina Ekaterina) \n- net: nfc: Fix use-after-free in local_cleanup() (Jisoo Jang) \n- phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() (Shang XiaoJing) \n- bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation (Luis Gerhorst) \n- amd-xgbe: Delay AN timeout during KR training (Raju Rangoju) \n- amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent (Raju Rangoju) \n- affs: initialize fsdata in affs_truncate() (Alexander Potapenko) \n- IB/hfi1: Fix expected receive setup error exit issues (Dean Luick) \n- IB/hfi1: Reserve user expected TIDs (Dean Luick) \n- IB/hfi1: Reject a zero-length user expected buffer (Dean Luick) \n- RDMA/core: Fix ib block iterator counter overflow (Yonatan Nachum) \n- tomoyo: fix broken dependency on *.conf.default (Masahiro Yamada) \n- EDAC/highbank: Fix memory leak in highbank_mc_probe() (Miaoqian Lin) \n- HID: intel_ish-hid: Add check for ishtp_dma_tx_map (Jiasheng Jiang) \n- ARM: imx: add missing of_node_put() (Dario Binacchi) \n- ARM: imx35: Retrieve the IIM base address from devicetree (Fabio Estevam) \n- ARM: imx31: Retrieve the IIM base address from devicetree (Fabio Estevam) \n- ARM: imx27: Retrieve the SYSCTRL base address from devicetree (Fabio Estevam) \n- ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' (Fabio Estevam) \n- memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() (Gaosheng Cui) \n- memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe() (Gaosheng Cui) \n- clk: Provide new devm_clk helpers for prepared and enabled clocks (Uwe Kleine-Konig) \n- clk: generalize devm_clk_get() a bit (Uwe Kleine-Konig)\n[5.4.17-2136.318.2.el8]\n- iommu/amd: Increase kdump command sync timeout to 2secs (Joao Martins)\n [Orabug: 35117313]\n[5.4.17-2136.318.1.el8]\n- uek-rpm: aarch64: embedded: Clean up T93 config file v2 (Henry Willard) [Orabug: 35029259]\n- uek-rpm: aarch64 embedded: make some modules built-in (Dave Kleikamp) [Orabug: 35029259]\n- uek-rpm: aarch64: pensando: config file update for January 2023 update (Dave Kleikamp) [Orabug: 35089950]\n- drivers/mtd/spi-nor: Winbond w25q02nw flash support. (Hiren Mehta) [Orabug: 35089950]\n- drivers/i2c: Reset Lattice RD1173 master for i2c_busy set. (Hiren Mehta) [Orabug: 35089950]\n- drivers/soc/pensando: boot_count to sysfs for kdump.log (Hiren Mehta) [Orabug: 35089950]\n- drivers/soc/pensando sbus driver (Hiren Mehta) [Orabug: 35089950]\n- drivers/reset: Add emmc hardware reset (Hiren Mehta) [Orabug: 35089950]\n- uek-rpm: Add missing dax_pmem_compat.ko to nano rpm (Somasundaram Krishnasamy) [Orabug: 35094871]", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-04-17T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel-container security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2022-3108", "CVE-2022-4129", "CVE-2023-23559"], "modified": "2023-04-17T00:00:00", "id": "ELSA-2023-12256", "href": "http://linux.oracle.com/errata/ELSA-2023-12256.html", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T19:01:31", "description": "[5.4.17-2136.318.7.1]\n- KVM: arm64: Disabling disabled PMU counters wastes a lot of time (Alexandre Chartre) [Orabug: 33312587] \n- KVM: arm64: Don't zero the cycle count register when PMCR_EL0.P is set (Alexandru Elisei) [Orabug: 33312587] \n- KVM: arm64: pmu: Only handle supported event counters (Eric Auger) [Orabug: 33312587]\n[5.4.17-2136.318.7]\n- mm, compaction: Skip all pinned pages during scan (Khalid Aziz) [Orabug: 35251798] \n- xfs: add missing cmap->br_state = XFS_EXT_NORM update (Gao Xiang) [Orabug: 35214060] \n- rds/ib: Fix the softlock-up in RDS cache GC worker (Arumugam Kolappan) [Orabug: 35146761] \n- uek-rpm: Update linux-firmware dependency (Somasundaram Krishnasamy) [Orabug: 33755589]\n[5.4.17-2136.318.6]\n- net/rds: Flip the default value of 'rds_wq_strictly_ordered' (Gerd Rausch) [Orabug: 35197635]\n[5.4.17-2136.318.5]\n- udf: Fix file corruption when appending just after end of preallocated extent (Jan Kara) [Orabug: 35192763] \n- selftests/ftrace: Fix bash specific '==' operator (Masami Hiramatsu (Google)) [Orabug: 35192763] \n- arm64: kdump: Increase reserved memory for larger machines (Henry Willard) [Orabug: 35051468] \n- KVM: x86/pmu: Update AMD PMC sample period to fix guest NMI-watchdog (Like Xu) [Orabug: 34729426] \n- KVM: x86/pmu: Introduce pmc->is_paused to reduce the call time of perf interfaces (Like Xu) [Orabug: 34729426] \n- perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table (Kan Liang) [Orabug: 35053343] \n- perf/x86/uncore: Add a quirk for UPI on SPR (Kan Liang) [Orabug: 35053343] \n- perf/x86/uncore: Ignore broken units in discovery table (Kan Liang) [Orabug: 35053343] \n- perf/x86/uncore: Fix potential NULL pointer in uncore_get_alias_name (Kan Liang) [Orabug: 35053343] \n- perf/x86/uncore: Factor out uncore_device_to_die() (Kan Liang) [Orabug: 35053343] \n- Revert 'perf/x86/uncore: Factor out uncore_device_to_die()' (Thomas Tai) [Orabug: 35053343] \n- Revert 'perf/x86/uncore: Fix potential NULL pointer in uncore_get_alias_name' (Thomas Tai) [Orabug: 35053343] \n- Revert 'perf/x86/uncore: Ignore broken units in discovery table' (Thomas Tai) [Orabug: 35053343] \n- Revert 'perf/x86/uncore: Add a quirk for UPI on SPR' (Thomas Tai) [Orabug: 35053343] \n- Revert 'perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table' (Thomas Tai) [Orabug: 35053343] \n- Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions (Tom Lendacky) [Orabug: 35166671] {CVE-2022-27672}\n- KVM: x86: Mitigate the cross-thread return address predictions bug (Tom Lendacky) [Orabug: 35166671] {CVE-2022-27672}\n- x86/speculation: Identify processors vulnerable to SMT RSB predictions (Tom Lendacky) [Orabug: 35166671] {CVE-2022-27672}\n- uek-rpm: aarch64: embedded: Enable CONFIG_RANDOMIZE_BASE to support ksplice for T93 (Thomas Tai) [Orabug: 35180981] \n- drm/amdkfd: Check for null pointer after calling kmemdup (Jiasheng Jiang) [Orabug: 34951503] {CVE-2022-3108}\n- mm: use padata for copying page ranges in vma_dup() (Anthony Yznaga) [Orabug: 35054622] \n- mm: parallelize unmap_page_range() for some large VMAs (Anthony Yznaga) [Orabug: 35054622] \n- net/rds: serialize up+down-work to relax strict ordering (Gerd Rausch) [Orabug: 35094723] \n- rds: ib: Fix non-parenthetical mutex/semaphore use (Hakon Bugge) [Orabug: 35155114] \n- Revert 'btrfs: free device in btrfs_close_devices for a single device filesystem' (Vijayendra Suman) [Orabug: 35161536]\n[5.4.17-2136.318.4]\n- ipc: update semtimedop() to use hrtimer (Prakash Sangappa) [Orabug: 35069807] \n- rds: ib: Destroy fastreg resources correctly (Hakon Bugge) [Orabug: 35140658] \n- rds: ib: Use one-bit booleans in struct rds_ib_device and keep them adjacent (Hakon Bugge) [Orabug: 35140648] \n- mips64: drivers/watchdog: Add IRQF_NOBALANCING when requesting irq (Thomas Tai) [Orabug: 35159790] \n- net: mana: Fix IRQ name - add PCI and queue number (Haiyang Zhang) [Orabug: 35084730] \n- uek-rpm: Add opbmc to nano rpm (Somasundaram Krishnasamy) [Orabug: 35145857]\n[5.4.17-2136.318.3]\n- vc_screen: don't clobber return value in vcs_read (Thomas WeiBschuh) \n- LTS tag: v5.4.233 (Sherry Yang) \n- bpf: add missing header file include (Linus Torvalds) \n- Revert 'net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs' (Vladimir Oltean) \n- ext4: Fix function prototype mismatch for ext4_feat_ktype (Kees Cook) \n- wifi: mwifiex: Add missing compatible string for SD8787 (Lukas Wunner) \n- uaccess: Add speculation barrier to copy_from_user() (Dave Hansen) \n- mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh (Pavel Skripkin) \n- drm/i915/gvt: fix double free bug in split_2MB_gtt_entry (Zheng Wang) \n- alarmtimer: Prevent starvation by small intervals and SIG_IGN (Thomas Gleixner) \n- powerpc: dts: t208x: Disable 10G on MAC1 and MAC2 (Sean Anderson) \n- can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len (Marc Kleine-Budde) \n- KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS (Jim Mattson) [Orabug: 34982694] {CVE-2022-2196}\n- KVM: x86: Fail emulation during EMULTYPE_SKIP on any exception (Sean Christopherson) \n- random: always mix cycle counter in add_latent_entropy() (Jason A. Donenfeld) \n- powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G (Sean Anderson) \n- wifi: rtl8xxxu: gen2: Turn on the rate control (Bitterblue Smith) \n- drm/etnaviv: don't truncate physical page address (Lucas Stach) \n- drm: etnaviv: fix common struct sg_table related issues (Marek Szyprowski) \n- scatterlist: add generic wrappers for iterating over sgtable objects (Marek Szyprowski) \n- dma-mapping: add generic helpers for mapping sgtable objects (Marek Szyprowski) \n- LTS tag: v5.4.232 (Sherry Yang) \n- net: sched: sch: Fix off by one in htb_activate_prios() (Dan Carpenter) \n- ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak (Pierre-Louis Bossart) \n- nilfs2: fix underflow in second superblock position calculations (Ryusuke Konishi) \n- kvm: initialize all of the kvm_debugregs structure before sending it to userspace (Greg Kroah-Hartman) \n- i40e: Add checking for null for nlmsg_find_attr() (Natalia Petrova) \n- ipv6: Fix tcp socket connection with DSCP. (Guillaume Nault) \n- ipv6: Fix datagram socket connection with DSCP. (Guillaume Nault) \n- ixgbe: add double of VLAN header when computing the max MTU (Jason Xing) \n- net: mpls: fix stale pointer if allocation fails during device rename (Jakub Kicinski) \n- net: stmmac: Restrict warning on disabling DMA store and fwd mode (Cristian Ciocaltea) \n- bnxt_en: Fix mqprio and XDP ring checking logic (Michael Chan) \n- net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence (Johannes Zink) \n- net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path (Miko Larsson) \n- dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. (Kuniyuki Iwashima) \n- sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list (Pietro Borrello) \n- net: bgmac: fix BCM5358 support by setting correct flags (Rafa Mi ecki) \n- i40e: add double of VLAN header when computing the max MTU (Jason Xing) \n- ixgbe: allow to increase MTU to 3K with XDP enabled (Jason Xing) \n- revert 'squashfs: harden sanity check in squashfs_read_xattr_id_table' (Andrew Morton) \n- net: Fix unwanted sign extension in netdev_stats_to_stats64() (Felix Riemann) \n- Revert 'mm: Always release pages to the buddy allocator in memblock_free_late().' (Aaron Thompson) \n- hugetlb: check for undefined shift on 32 bit architectures (Mike Kravetz) \n- sched/psi: Fix use-after-free in ep_remove_wait_queue() (Munehisa Kamata) \n- ALSA: hda/realtek - fixed wrong gpio assigned (Kailang Yang) \n- ALSA: hda/conexant: add a new hda codec SN6180 (Bo Liu) \n- mmc: mmc_spi: fix error handling in mmc_spi_probe() (Yang Yingliang) \n- mmc: sdio: fix possible resource leaks in some error paths (Yang Yingliang) \n- ipv4: Fix incorrect route flushing when source address is deleted (Ido Schimmel) \n- Revert 'ipv4: Fix incorrect route flushing when source address is deleted' (Shaoying Xu) \n- xfs: sync lazy sb accounting on quiesce of read-only mounts (Brian Foster) \n- xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks (Darrick J. Wong) \n- xfs: ensure inobt record walks always make forward progress (Darrick J. Wong) \n- xfs: fix missing CoW blocks writeback conversion retry (Darrick J. Wong) \n- xfs: fix finobt btree block recovery ordering (Dave Chinner) \n- xfs: remove the xfs_inode_log_item_t typedef (Christoph Hellwig) \n- xfs: remove the xfs_efd_log_item_t typedef (Christoph Hellwig) \n- xfs: remove the xfs_efi_log_item_t typedef (Christoph Hellwig) \n- netfilter: nft_tproxy: restrict to prerouting hook (Florian Westphal) \n- btrfs: free device in btrfs_close_devices for a single device filesystem (Anand Jain) \n- aio: fix mremap after fork null-deref (Seth Jenkins) \n- nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association (Amit Engel) \n- s390/decompressor: specify __decompress() buf len to avoid overflow (Vasily Gorbik) \n- net: sched: sch: Bounds check priority (Kees Cook) \n- net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC (Andrey Konovalov) \n- net/rose: Fix to not accept on connected socket (Hyunwoo Kim) \n- tools/virtio: fix the vringh test for virtio ring changes (Shunsuke Mie) \n- ASoC: cs42l56: fix DT probe (Arnd Bergmann) \n- selftests/bpf: Verify copy_register_state() preserves parent/live fields (Eduard Zingerman) \n- migrate: hugetlb: check for hugetlb shared PMD in node migration (Mike Kravetz) \n- bpf: Always return target ifindex in bpf_fib_lookup (Toke Hoiland-Jorgensen) \n- nvme-pci: Move enumeration by class to be last in the table (Andy Shevchenko) \n- arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive (Heiner Kallweit) \n- arm64: dts: meson-g12-common: Make mmc host controller interrupts level-sensitive (Heiner Kallweit) \n- arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive (Heiner Kallweit) \n- riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte (Guo Ren) \n- ceph: flush cap releases when the session is flushed (Xiubo Li) \n- usb: typec: altmodes/displayport: Fix probe pin assign check (Prashant Malani) \n- usb: core: add quirk for Alcor Link AK9563 smartcard reader (Mark Pearson) \n- net: USB: Fix wrong-direction WARNING in plusb.c (Alan Stern) \n- pinctrl: intel: Restore the pins that used to be in Direct IRQ mode (Andy Shevchenko) \n- pinctrl: single: fix potential NULL dereference (Maxim Korotkov) \n- pinctrl: aspeed: Fix confusing types in return value (Joel Stanley) \n- ALSA: pci: lx6464es: fix a debug loop (Dan Carpenter) \n- selftests: forwarding: lib: quote the sysctl values (Hangbin Liu) \n- ice: Do not use WQ_MEM_RECLAIM flag for workqueue (Anirudh Venkataramanan) \n- net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY (Heiner Kallweit) \n- bonding: fix error checking in bond_debug_reregister() (Qi Zheng) \n- xfrm: fix bug with DSCP copy to v6 from v4 tunnel (Christian Hopps) \n- IB/IPoIB: Fix legacy IPoIB due to wrong number of queues (Dragos Tatulea) \n- IB/hfi1: Restore allocated resources on failed copyout (Dean Luick) \n- can: j1939: do not wait 250 ms if the same addr was already claimed (Devid Antonio Filoni) \n- tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw (Shiju Jose) \n- ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() (Artemii Karasev) \n- btrfs: zlib: zero-initialize zlib workspace (Alexander Potapenko) \n- btrfs: limit device extents to the device size (Josef Bacik) \n- iio:adc:twl6030: Enable measurement of VAC (Andreas Kemnade) \n- wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads (Minsuk Kang) \n- f2fs: fix to do sanity check on i_extra_isize in is_alive() (Chao Yu) \n- fbdev: smscufx: fix error handling code in ufx_usb_probe (Dongliang Mu) \n- powerpc/imc-pmu: Revert nest_init_lock to being a mutex (Michael Ellerman) \n- serial: 8250_dma: Fix DMA Rx rearm race (Ilpo Jarvinen) \n- serial: 8250_dma: Fix DMA Rx completion race (Ilpo Jarvinen) \n- xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() (Zhang Xiaoxu) \n- mm: swap: properly update readahead statistics in unuse_pte_range() (Andrea Righi) \n- nvmem: core: fix cell removal on error (Michael Walle) \n- Squashfs: fix handling and sanity checking of xattr_ids count (Phillip Lougher) \n- mm/swapfile: add cond_resched() in get_swap_pages() (Longlong Xia) \n- fpga: stratix10-soc: Fix return value check in s10_ops_write_init() (Zheng Yongjun) \n- mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps (Mike Kravetz) \n- riscv: disable generation of unwind tables (Andreas Schwab) \n- parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case (Helge Deller) \n- parisc: Fix return code of pdc_iodc_print() (Helge Deller) \n- iio:adc:twl6030: Enable measurements of VUSB, VBAT and others (Andreas Kemnade) \n- iio: adc: berlin2-adc: Add missing of_node_put() in error path (Xiongfeng Wang) \n- iio: hid: fix the retval in accel_3d_capture_sample (Dmitry Perchanov) \n- efi: Accept version 2 of memory attributes table (Ard Biesheuvel) \n- watchdog: diag288_wdt: fix __diag288() inline assembly (Alexander Egorenkov) \n- watchdog: diag288_wdt: do not use stack buffers for hardware data (Alexander Egorenkov) \n- fbcon: Check font dimension limits (Samuel Thibault) \n- Input: i8042 - add Clevo PCX0DX to i8042 quirk table (Werner Sembach) \n- Input: i8042 - add TUXEDO devices to i8042 quirk tables (Werner Sembach) \n- Input: i8042 - merge quirk tables (Werner Sembach) \n- Input: i8042 - move __initconst to fix code styling warning (Werner Sembach) \n- vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF (George Kennedy) \n- usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait (Udipto Goswami) \n- usb: dwc3: qcom: enable vbus override when in OTG dr-mode (Neil Armstrong) \n- usb: dwc3: dwc3-qcom: Fix typo in the dwc3 vbus override API (Wesley Cheng) \n- iio: adc: stm32-dfsdm: fill module aliases (Olivier Moysan) \n- net/x25: Fix to not accept on connected socket (Hyunwoo Kim) \n- i2c: rk3x: fix a bunch of kernel-doc warnings (Randy Dunlap) \n- scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress (Mike Christie) \n- scsi: target: core: Fix warning on RT kernels (Maurizio Lombardi) \n- efi: fix potential NULL deref in efi_mem_reserve_persistent (Anton Gusev) \n- net: openvswitch: fix flow memory leak in ovs_flow_cmd_new (Fedor Pchelkin) \n- virtio-net: Keep stop() to follow mirror sequence of open() (Parav Pandit) \n- selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking (Andrei Gherzan) \n- selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs (Andrei Gherzan) \n- selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided (Andrei Gherzan) \n- selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning (Andrei Gherzan) \n- ata: libata: Fix sata_down_spd_limit() when no link speed is reported (Damien Le Moal) \n- can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate (Ziyang Xuan) \n- net: phy: meson-gxl: Add generic dummy stubs for MMD register access (Chris Healy) \n- squashfs: harden sanity check in squashfs_read_xattr_id_table (Fedor Pchelkin) \n- netfilter: br_netfilter: disable sabotage_in hook after first suppression (Florian Westphal) \n- netrom: Fix use-after-free caused by accept on already connected socket (Hyunwoo Kim) \n- fix 'direction' argument of iov_iter_kvec() (Al Viro) \n- fix iov_iter_bvec() 'direction' argument (Al Viro) \n- WRITE is 'data source', not destination... (Al Viro) \n- scsi: Revert 'scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT' (Martin K. Petersen) \n- arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX (Pierluigi Passaro) \n- ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() (Artemii Karasev) \n- ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use (Andy Shevchenko) \n- bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() (Yuan Can) \n- firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region (Takashi Sakamoto) \n- LTS tag: v5.4.231 (Sherry Yang) \n- usb: host: xhci-plat: add wakeup entry at sysfs (Peter Chen) \n- Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt (Soenke Huster) \n- ipv6: ensure sane device mtu in tunnels (Eric Dumazet) \n- exit: Use READ_ONCE() for all oops/warn limit reads (Kees Cook) \n- docs: Fix path paste-o for /sys/kernel/warn_count (Kees Cook) \n- panic: Expose 'warn_count' to sysfs (Kees Cook) \n- panic: Introduce warn_limit (Kees Cook) \n- panic: Consolidate open-coded panic_on_warn checks (Kees Cook) \n- exit: Allow oops_limit to be disabled (Kees Cook) \n- exit: Expose 'oops_count' to sysfs (Kees Cook) \n- exit: Put an upper limit on how often we can oops (Jann Horn) \n- ia64: make IA64_MCA_RECOVERY bool instead of tristate (Randy Dunlap) \n- csky: Fix function name in csky_alignment() and die() (Nathan Chancellor) \n- h8300: Fix build errors from do_exit() to make_task_dead() transition (Nathan Chancellor) \n- hexagon: Fix function name in die() (Nathan Chancellor) \n- objtool: Add a missing comma to avoid string concatenation (Eric W. Biederman) \n- exit: Add and use make_task_dead. (Eric W. Biederman) \n- mm: kasan: do not panic if both panic_on_warn and kasan_multishot set (David Gow) \n- panic: unset panic_on_warn inside panic() (Tiezhu Yang) \n- sysctl: add a new register_sysctl_init() interface (Xiaoming Ni) \n- dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init (Hui Wang) \n- blk-cgroup: fix missing pd_online_fn() while activating policy (Yu Kuai) \n- bpf: Skip task with pid=1 in send_signal_common() (Hao Sun) \n- ARM: dts: imx: Fix pca9547 i2c-mux node name (Geert Uytterhoeven) \n- x86/asm: Fix an assembler warning with current binutils (Mikulas Patocka) \n- clk: Fix pointer casting to prevent oops in devm_clk_release() (Uwe Kleine-Konig) \n- perf/x86/amd: fix potential integer overflow on shift of a int (Colin Ian King) \n- netfilter: conntrack: unify established states for SCTP paths (Sriram Yagnaraman) \n- x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (Thomas Gleixner) \n- block: fix and cleanup bio_check_ro (Christoph Hellwig) \n- nfsd: Ensure knfsd shuts down when the 'nfsd' pseudofs is unmounted (Trond Myklebust) \n- Revert 'Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode' (Dmitry Torokhov) \n- net: mdio-mux-meson-g12a: force internal PHY off on mux switch (Jerome Brunet) \n- net: xgene: Move shared header file into include/linux (Andrew Lunn) \n- net/phy/mdio-i2c: Move header file to include/linux/mdio (Andrew Lunn) \n- net/tg3: resolve deadlock in tg3_reset_task() during EEH (David Christensen) \n- thermal: intel: int340x: Add locking to int340x_thermal_get_trip_type() (Rafael J. Wysocki) \n- net: ravb: Fix possible hang if RIS2_QFF1 happen (Yoshihiro Shimoda) \n- sctp: fail if no bound addresses can be used for a given scope (Marcelo Ricardo Leitner) \n- net/sched: sch_taprio: do not schedule in taprio_reset() (Eric Dumazet) \n- netrom: Fix use-after-free of a listening socket. (Kuniyuki Iwashima) \n- netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE (Sriram Yagnaraman) \n- ipv4: prevent potential spectre v1 gadget in fib_metrics_match() (Eric Dumazet) \n- ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() (Eric Dumazet) \n- netlink: annotate data races around sk_state (Eric Dumazet) \n- netlink: annotate data races around dst_portid and dst_group (Eric Dumazet) \n- netlink: annotate data races around nlk->portid (Eric Dumazet) \n- netfilter: nft_set_rbtree: skip elements in transaction from garbage collection (Pablo Neira Ayuso) \n- net: fix UaF in netns ops registration error path (Paolo Abeni) \n- netlink: prevent potential spectre v1 gadgets (Eric Dumazet) \n- EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info (Manivannan Sadhasivam) \n- EDAC/device: Respect any driver-supplied workqueue polling value (Manivannan Sadhasivam) \n- ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment (Giulio Benetti) \n- thermal: intel: int340x: Protect trip temperature from concurrent updates (Srinivas Pandruvada) \n- KVM: x86/vmx: Do not skip segment attributes if unusable bit is set (Hendrik Borghorst) \n- cifs: Fix oops due to uncleared server->smbd_conn in reconnect (David Howells) \n- ftrace/scripts: Update the instructions for ftrace-bisect.sh (Steven Rostedt (Google)) \n- trace_events_hist: add check for return value of 'create_hist_field' (Natalia Petrova) \n- tracing: Make sure trace_printk() can output as soon as it can be used (Steven Rostedt (Google)) \n- module: Don't wait for GOING modules (Petr Pavlu) \n- scsi: hpsa: Fix allocation size for scsi_host_alloc() (Alexey V. Vissarionov) \n- Bluetooth: hci_sync: cancel cmd_timer if hci_open failed (Archie Pusaka) \n- Revert 'Revert 'xhci: Set HCD flag to defer primary roothub registration'' (Sasha Levin) \n- fs: reiserfs: remove useless new_opts in reiserfs_remount (Dongliang Mu) \n- mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting (Haibo Chen) \n- mmc: sdhci-esdhc-imx: disable the CMD CRC check for standard tuning (Haibo Chen) \n- mmc: sdhci-esdhc-imx: clear pending interrupt and halt cqhci (Haibo Chen) \n- lockref: stop doing cpu_relax in the cmpxchg loop (Mateusz Guzik) \n- platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK (Hans de Goede) \n- platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD (Michael Klein) \n- scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id (Yihang Li) \n- KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (Heiko Carstens) \n- spi: spidev: remove debug messages that access spidev->spi without locking (Bartosz Golaszewski) \n- ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets (Mark Brown) \n- ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 CODEC (Mark Brown) \n- cpufreq: armada-37xx: stop using 0 as NULL pointer (Miles Chen) \n- s390/debug: add _ASM_S390_ prefix to header guard (Niklas Schnelle) \n- drm: Add orientation quirk for Lenovo ideapad D330-10IGL (Patrick Thompson) \n- ASoC: fsl_micfil: Correct the number of steps on SX controls (Chancel Liu) \n- cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist (Sumit Gupta) \n- tcp: fix rate_app_limited to default to 1 (David Morley) \n- net: dsa: microchip: ksz9477: port map correction in ALU table entry register (Rakesh Sankaranarayanan) \n- driver core: Fix test_async_probe_init saves device in wrong array (Chen Zhongjin) \n- w1: fix WARNING after calling w1_process() (Yang Yingliang) \n- w1: fix deadloop in __w1_remove_master_device() (Yang Yingliang) \n- tcp: avoid the lookup process failing to get sk in ehash table (Jason Xing) \n- dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node() (Liu Shixin) \n- dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error handling (Swati Agarwal) \n- dmaengine: xilinx_dma: use devm_platform_ioremap_resource() (Radhey Shyam Pandey) \n- HID: betop: check shape of output reports (Pietro Borrello) \n- net: macb: fix PTP TX timestamp failure due to packet padding (Robert Hancock) \n- dmaengine: Fix double increment of client_count in dma_chan_get() (Koba Ko) \n- drm/panfrost: fix GENERIC_ATOMIC64 dependency (Arnd Bergmann) \n- net: mlx5: eliminate anonymous module_init & module_exit (Randy Dunlap) \n- usb: gadget: f_fs: Ensure ep0req is dequeued before free_request (Udipto Goswami) \n- usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait (Udipto Goswami) \n- HID: revert CHERRY_MOUSE_000C quirk (Jiri Kosina) \n- net: stmmac: fix invalid call to mdiobus_get_phy() (Heiner Kallweit) \n- HID: check empty report_list in bigben_probe() (Pietro Borrello) \n- HID: check empty report_list in hid_validate_values() (Pietro Borrello) \n- net: mdio: validate parameter addr in mdiobus_get_phy() (Heiner Kallweit) \n- net: usb: sr9700: Handle negative len (Szymon Heidrich) \n- l2tp: Don't sleep and disable BH under writer-side sk_callback_lock (Jakub Sitnicki) \n- l2tp: Serialize access to sk_user_data with sk_callback_lock (Jakub Sitnicki) [Orabug: 34951575] {CVE-2022-4129}\n- net: fix a concurrency bug in l2tp_tunnel_register() (Gong, Sishuai) \n- net/sched: sch_taprio: fix possible use-after-free (Eric Dumazet) \n- wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid (Szymon Heidrich) [Orabug: 35037713] {CVE-2023-23559}\n- gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode (Marek Vasut) \n- net: wan: Add checks for NULL for utdm in undo_uhdlc_init and unmap_si_regs (Esina Ekaterina) \n- net: nfc: Fix use-after-free in local_cleanup() (Jisoo Jang) \n- phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() (Shang XiaoJing) \n- bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation (Luis Gerhorst) \n- amd-xgbe: Delay AN timeout during KR training (Raju Rangoju) \n- amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent (Raju Rangoju) \n- affs: initialize fsdata in affs_truncate() (Alexander Potapenko) \n- IB/hfi1: Fix expected receive setup error exit issues (Dean Luick) \n- IB/hfi1: Reserve user expected TIDs (Dean Luick) \n- IB/hfi1: Reject a zero-length user expected buffer (Dean Luick) \n- RDMA/core: Fix ib block iterator counter overflow (Yonatan Nachum) \n- tomoyo: fix broken dependency on *.conf.default (Masahiro Yamada) \n- EDAC/highbank: Fix memory leak in highbank_mc_probe() (Miaoqian Lin) \n- HID: intel_ish-hid: Add check for ishtp_dma_tx_map (Jiasheng Jiang) \n- ARM: imx: add missing of_node_put() (Dario Binacchi) \n- ARM: imx35: Retrieve the IIM base address from devicetree (Fabio Estevam) \n- ARM: imx31: Retrieve the IIM base address from devicetree (Fabio Estevam) \n- ARM: imx27: Retrieve the SYSCTRL base address from devicetree (Fabio Estevam) \n- ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' (Fabio Estevam) \n- memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() (Gaosheng Cui) \n- memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe() (Gaosheng Cui) \n- clk: Provide new devm_clk helpers for prepared and enabled clocks (Uwe Kleine-Konig) \n- clk: generalize devm_clk_get() a bit (Uwe Kleine-Konig)\n[5.4.17-2136.318.2]\n- iommu/amd: Increase kdump command sync timeout to 2secs (Joao Martins) [Orabug: 35117313]\n[5.4.17-2136.318.1]\n- uek-rpm: aarch64: embedded: Clean up T93 config file v2 (Henry Willard) [Orabug: 35029259] \n- uek-rpm: aarch64 embedded: make some modules built-in (Dave Kleikamp) [Orabug: 35029259] \n- uek-rpm: aarch64: pensando: config file update for January 2023 update (Dave Kleikamp) [Orabug: 35089950] \n- drivers/mtd/spi-nor: Winbond w25q02nw flash support. (Hiren Mehta) [Orabug: 35089950] \n- drivers/i2c: Reset Lattice RD1173 master for i2c_busy set. (Hiren Mehta) [Orabug: 35089950] \n- drivers/soc/pensando: boot_count to sysfs for kdump.log (Hiren Mehta) [Orabug: 35089950] \n- drivers/soc/pensando sbus driver (Hiren Mehta) [Orabug: 35089950] \n- drivers/reset: Add emmc hardware reset (Hiren Mehta) [Orabug: 35089950] \n- uek-rpm: Add missing dax_pmem_compat.ko to nano rpm (Somasundaram Krishnasamy) [Orabug: 35094871]", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-04-17T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2022-3108", "CVE-2022-4129", "CVE-2023-23559"], "modified": "2023-04-17T00:00:00", "id": "ELSA-2023-12255", "href": "http://linux.oracle.com/errata/ELSA-2023-12255.html", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2023-06-05T18:25:05", "description": "## Releases\n\n * Ubuntu 22.04 LTS\n * Ubuntu 20.04 LTS\n\n## Packages\n\n * linux \\- Linux kernel\n * linux-aws \\- Linux kernel for Amazon Web Services (AWS) systems\n * linux-aws-5.15 \\- Linux kernel for Amazon Web Services (AWS) systems\n * linux-azure \\- Linux kernel for Microsoft Azure Cloud systems\n * linux-azure-5.15 \\- Linux kernel for Microsoft Azure cloud systems\n * linux-azure-fde \\- Linux kernel for Microsoft Azure CVM cloud systems\n * linux-azure-fde-5.15 \\- Linux kernel for Microsoft Azure CVM cloud systems\n * linux-hwe-5.15 \\- Linux hardware enablement (HWE) kernel\n * linux-ibm \\- Linux kernel for IBM cloud systems\n * linux-kvm \\- Linux kernel for cloud environments\n * linux-lowlatency \\- Linux low latency kernel\n * linux-lowlatency-hwe-5.15 \\- Linux low latency kernel\n * linux-oracle \\- Linux kernel for Oracle Cloud systems\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nZheng Wang discovered that the Intel i915 graphics driver in the Linux \nkernel did not properly handle certain error conditions, leading to a \ndouble-free. A local attacker could possibly use this to cause a denial of \nservice (system crash). (CVE-2022-3707)\n\nJordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did \nnot properly implement speculative execution barriers in usercopy functions \nin certain situations. A local attacker could use this to expose sensitive \ninformation (kernel memory). (CVE-2023-0459)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nXingyuan Mo discovered that the x86 KVM implementation in the Linux kernel \ndid not properly initialize some data structures. A local attacker could \nuse this to expose sensitive information (kernel memory). (CVE-2023-1513)\n\nIt was discovered that the Android Binder IPC subsystem in the Linux kernel \ndid not properly validate inputs in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-20938)\n\nIt was discovered that a use-after-free vulnerability existed in the iSCSI \nTCP implementation in the Linux kernel. A local attacker could possibly use \nthis to cause a denial of service (system crash). (CVE-2023-2162)\n\nIt was discovered that the NET/ROM protocol implementation in the Linux \nkernel contained a race condition in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-32269)\n\nDuoming Zhou discovered that a race condition existed in the infrared \nreceiver/transceiver driver in the Linux kernel, leading to a use-after- \nfree vulnerability. A privileged attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-1118)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-16T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2023-0459", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-20938", "CVE-2023-2162", "CVE-2023-32269"], "modified": "2023-05-16T00:00:00", "id": "USN-6080-1", "href": "https://ubuntu.com/security/notices/USN-6080-1", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T18:25:00", "description": "## Releases\n\n * Ubuntu 22.04 LTS\n\n## Packages\n\n * linux-raspi \\- Linux kernel for Raspberry Pi systems\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nZheng Wang discovered that the Intel i915 graphics driver in the Linux \nkernel did not properly handle certain error conditions, leading to a \ndouble-free. A local attacker could possibly use this to cause a denial of \nservice (system crash). (CVE-2022-3707)\n\nJordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did \nnot properly implement speculative execution barriers in usercopy functions \nin certain situations. A local attacker could use this to expose sensitive \ninformation (kernel memory). (CVE-2023-0459)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nXingyuan Mo discovered that the x86 KVM implementation in the Linux kernel \ndid not properly initialize some data structures. A local attacker could \nuse this to expose sensitive information (kernel memory). (CVE-2023-1513)\n\nIt was discovered that the Android Binder IPC subsystem in the Linux kernel \ndid not properly validate inputs in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-20938)\n\nIt was discovered that a use-after-free vulnerability existed in the iSCSI \nTCP implementation in the Linux kernel. A local attacker could possibly use \nthis to cause a denial of service (system crash). (CVE-2023-2162)\n\nIt was discovered that the NET/ROM protocol implementation in the Linux \nkernel contained a race condition in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-32269)\n\nDuoming Zhou discovered that a race condition existed in the infrared \nreceiver/transceiver driver in the Linux kernel, leading to a use-after- \nfree vulnerability. A privileged attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-1118)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-17T00:00:00", "type": "ubuntu", "title": "Linux kernel (Raspberry Pi) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2023-0459", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-20938", "CVE-2023-2162", "CVE-2023-32269"], "modified": "2023-05-17T00:00:00", "id": "USN-6085-1", "href": "https://ubuntu.com/security/notices/USN-6085-1", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T18:24:57", "description": "## Releases\n\n * Ubuntu 22.04 LTS\n * Ubuntu 20.04 LTS\n\n## Packages\n\n * linux-gcp \\- Linux kernel for Google Cloud Platform (GCP) systems\n * linux-gcp-5.15 \\- Linux kernel for Google Cloud Platform (GCP) systems\n * linux-gke \\- Linux kernel for Google Container Engine (GKE) systems\n * linux-gke-5.15 \\- Linux kernel for Google Container Engine (GKE) systems\n * linux-gkeop \\- Linux kernel for Google Container Engine (GKE) systems\n * linux-oracle-5.15 \\- Linux kernel for Oracle Cloud systems\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nZheng Wang discovered that the Intel i915 graphics driver in the Linux \nkernel did not properly handle certain error conditions, leading to a \ndouble-free. A local attacker could possibly use this to cause a denial of \nservice (system crash). (CVE-2022-3707)\n\nJordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did \nnot properly implement speculative execution barriers in usercopy functions \nin certain situations. A local attacker could use this to expose sensitive \ninformation (kernel memory). (CVE-2023-0459)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nXingyuan Mo discovered that the x86 KVM implementation in the Linux kernel \ndid not properly initialize some data structures. A local attacker could \nuse this to expose sensitive information (kernel memory). (CVE-2023-1513)\n\nIt was discovered that the Android Binder IPC subsystem in the Linux kernel \ndid not properly validate inputs in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-20938)\n\nIt was discovered that a use-after-free vulnerability existed in the iSCSI \nTCP implementation in the Linux kernel. A local attacker could possibly use \nthis to cause a denial of service (system crash). (CVE-2023-2162)\n\nIt was discovered that the NET/ROM protocol implementation in the Linux \nkernel contained a race condition in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-32269)\n\nDuoming Zhou discovered that a race condition existed in the infrared \nreceiver/transceiver driver in the Linux kernel, leading to a use-after- \nfree vulnerability. A privileged attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-1118)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-18T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2023-0459", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-20938", "CVE-2023-2162", "CVE-2023-32269"], "modified": "2023-05-18T00:00:00", "id": "USN-6090-1", "href": "https://ubuntu.com/security/notices/USN-6090-1", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T18:24:28", "description": "## Releases\n\n * Ubuntu 22.04 LTS\n\n## Packages\n\n * linux-intel-iotg \\- Linux kernel for Intel IoT platforms\n\nIt was discovered that the Traffic-Control Index (TCINDEX) implementation \nin the Linux kernel did not properly perform filter deactivation in some \nsituations. A local attacker could possibly use this to gain elevated \nprivileges. Please note that with the fix for this CVE, kernel support for \nthe TCINDEX classifier has been removed. (CVE-2023-1829)\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nZheng Wang discovered that the Intel i915 graphics driver in the Linux \nkernel did not properly handle certain error conditions, leading to a \ndouble-free. A local attacker could possibly use this to cause a denial of \nservice (system crash). (CVE-2022-3707)\n\nJordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did \nnot properly implement speculative execution barriers in usercopy functions \nin certain situations. A local attacker could use this to expose sensitive \ninformation (kernel memory). (CVE-2023-0459)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nXingyuan Mo discovered that the x86 KVM implementation in the Linux kernel \ndid not properly initialize some data structures. A local attacker could \nuse this to expose sensitive information (kernel memory). (CVE-2023-1513)\n\nIt was discovered that a race condition existed in the io_uring subsystem \nin the Linux kernel, leading to a use-after-free vulnerability. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2023-1872)\n\nIt was discovered that the Android Binder IPC subsystem in the Linux kernel \ndid not properly validate inputs in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-20938)\n\nIt was discovered that a use-after-free vulnerability existed in the iSCSI \nTCP implementation in the Linux kernel. A local attacker could possibly use \nthis to cause a denial of service (system crash). (CVE-2023-2162)\n\nIt was discovered that the NET/ROM protocol implementation in the Linux \nkernel contained a race condition in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-32269)\n\nDuoming Zhou discovered that a race condition existed in the infrared \nreceiver/transceiver driver in the Linux kernel, leading to a use-after- \nfree vulnerability. A privileged attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-1118)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-01T00:00:00", "type": "ubuntu", "title": "Linux kernel (Intel IoTG) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2023-0459", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-1829", "CVE-2023-1872", "CVE-2023-20938", "CVE-2023-2162", "CVE-2023-32269"], "modified": "2023-06-01T00:00:00", "id": "USN-6133-1", "href": "https://ubuntu.com/security/notices/USN-6133-1", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T20:26:17", "description": "## Releases\n\n * Ubuntu 22.04 LTS\n\n## Packages\n\n * linux-oem-6.1 \\- Linux kernel for OEM systems\n\nIt was discovered that the Traffic-Control Index (TCINDEX) implementation \nin the Linux kernel contained a use-after-free vulnerability. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2023-1281)\n\nIt was discovered that the KVM VMX implementation in the Linux kernel did \nnot properly handle indirect branch prediction isolation between L1 and L2 \nVMs. An attacker in a guest VM could use this to expose sensitive \ninformation from the host OS or other guest VMs. (CVE-2022-2196)\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nGerald Lee discovered that the USB Gadget file system implementation in the \nLinux kernel contained a race condition, leading to a use-after-free \nvulnerability in some situations. A local attacker could use this to cause \na denial of service (system crash) or possibly execute arbitrary code. \n(CVE-2022-4382)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel contained a null pointer dereference in some situations. A local \nattacker could use this to cause a denial of service (system crash). \n(CVE-2022-4842)\n\nKyle Zeng discovered that the IPv6 implementation in the Linux kernel \ncontained a NULL pointer dereference vulnerability in certain situations. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2023-0394)\n\nIt was discovered that the Human Interface Device (HID) support driver in \nthe Linux kernel contained a type confusion vulnerability in some \nsituations. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1073)\n\nIt was discovered that a memory leak existed in the SCTP protocol \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (memory exhaustion). (CVE-2023-1074)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nIt was discovered that the RNDIS USB driver in the Linux kernel contained \nan integer overflow vulnerability. A local attacker with physical access \ncould plug in a malicious USB device to cause a denial of service (system \ncrash) or possibly execute arbitrary code. (CVE-2023-23559)\n\nLianhui Tang discovered that the MPLS implementation in the Linux kernel \ndid not properly handle certain sysctl allocation failure conditions, \nleading to a double-free vulnerability. An attacker could use this to cause \na denial of service or possibly execute arbitrary code. (CVE-2023-26545)\n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-27T00:00:00", "type": "ubuntu", "title": "Linux kernel (OEM) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2022-4382", "CVE-2022-4842", "CVE-2023-0394", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1281", "CVE-2023-23559", "CVE-2023-26545"], "modified": "2023-03-27T00:00:00", "id": "USN-5978-1", "href": "https://ubuntu.com/security/notices/USN-5978-1", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T18:25:07", "description": "## Releases\n\n * Ubuntu 22.10 \n * Ubuntu 22.04 LTS\n\n## Packages\n\n * linux \\- Linux kernel\n * linux-aws \\- Linux kernel for Amazon Web Services (AWS) systems\n * linux-azure \\- Linux kernel for Microsoft Azure Cloud systems\n * linux-azure-5.19 \\- Linux kernel for Microsoft Azure cloud systems\n * linux-kvm \\- Linux kernel for cloud environments\n * linux-lowlatency \\- Linux low latency kernel\n * linux-raspi \\- Linux kernel for Raspberry Pi systems\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nZiming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux \nkernel contained an out-of-bounds write vulnerability. A local attacker \ncould use this to cause a denial of service (system crash). \n(CVE-2022-36280)\n\nZheng Wang discovered that the Intel i915 graphics driver in the Linux \nkernel did not properly handle certain error conditions, leading to a \ndouble-free. A local attacker could possibly use this to cause a denial of \nservice (system crash). (CVE-2022-3707)\n\nHaowei Yan discovered that a race condition existed in the Layer 2 \nTunneling Protocol (L2TP) implementation in the Linux kernel. A local \nattacker could possibly use this to cause a denial of service (system \ncrash). (CVE-2022-4129)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel contained a null pointer dereference in some situations. A local \nattacker could use this to cause a denial of service (system crash). \n(CVE-2022-4842)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate attributes in certain situations, leading \nto an out-of-bounds write vulnerability. A local attacker could use this to \ncause a denial of service (system crash). (CVE-2022-48423)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate attributes in certain situations, leading \nto an out-of-bounds read vulnerability. A local attacker could possibly use \nthis to expose sensitive information (kernel memory). (CVE-2022-48424)\n\nIt was discovered that the KSMBD implementation in the Linux kernel did not \nproperly validate buffer lengths, leading to a heap-based buffer overflow. \nA remote attacker could possibly use this to cause a denial of service \n(system crash). (CVE-2023-0210)\n\nKyle Zeng discovered that the IPv6 implementation in the Linux kernel \ncontained a NULL pointer dereference vulnerability in certain situations. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2023-0394)\n\nJordy Zomer and Alexandra Sandulescu discovered that syscalls invoking the \ndo_prlimit() function in the Linux kernel did not properly handle \nspeculative execution barriers. A local attacker could use this to expose \nsensitive information (kernel memory). (CVE-2023-0458)\n\nJordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did \nnot properly implement speculative execution barriers in usercopy functions \nin certain situations. A local attacker could use this to expose sensitive \ninformation (kernel memory). (CVE-2023-0459)\n\nIt was discovered that the Human Interface Device (HID) support driver in \nthe Linux kernel contained a type confusion vulnerability in some \nsituations. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1073)\n\nIt was discovered that a memory leak existed in the SCTP protocol \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (memory exhaustion). (CVE-2023-1074)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nXingyuan Mo discovered that the x86 KVM implementation in the Linux kernel \ndid not properly initialize some data structures. A local attacker could \nuse this to expose sensitive information (kernel memory). (CVE-2023-1513)\n\nIt was discovered that the NFS implementation in the Linux kernel did not \nproperly handle pending tasks in some situations. A local attacker could \nuse this to cause a denial of service (system crash) or expose sensitive \ninformation (kernel memory). (CVE-2023-1652)\n\nIt was discovered that the ARM64 EFI runtime services implementation in the \nLinux kernel did not properly manage concurrency calls. A local attacker \ncould use this to cause a denial of service (system crash) or possibly \nexecute arbitrary code. (CVE-2023-21102)\n\nIt was discovered that a race condition existed in Adreno GPU DRM driver in \nthe Linux kernel, leading to a double-free vulnerability. A local attacker \ncould use this to cause a denial of service (system crash). \n(CVE-2023-21106)\n\nIt was discovered that a use-after-free vulnerability existed in the iSCSI \nTCP implementation in the Linux kernel. A local attacker could possibly use \nthis to cause a denial of service (system crash). (CVE-2023-2162)\n\nKyle Zeng discovered that the class-based queuing discipline implementation \nin the Linux kernel contained a type confusion vulnerability in some \nsituations. An attacker could use this to cause a denial of service (system \ncrash). (CVE-2023-23454)\n\nKyle Zeng discovered that the ATM VC queuing discipline implementation in \nthe Linux kernel contained a type confusion vulnerability in some \nsituations. An attacker could use this to cause a denial of service (system \ncrash). (CVE-2023-23455)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate the size of attributes when parsing MFT. A \nlocal attacker could possibly use this to cause a denial of service (system \ncrash) or expose sensitive information (kernel memory). (CVE-2023-26544)\n\nIt was discovered that the NET/ROM protocol implementation in the Linux \nkernel contained a race condition in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-32269)\n\nDuoming Zhou discovered that a race condition existed in the infrared \nreceiver/transceiver driver in the Linux kernel, leading to a use-after- \nfree vulnerability. A privileged attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-1118)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-16T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672", "CVE-2022-36280", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-4842", "CVE-2022-48423", "CVE-2022-48424", "CVE-2023-0210", "CVE-2023-0394", "CVE-2023-0458", "CVE-2023-0459", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-1652", "CVE-2023-21102", "CVE-2023-21106", "CVE-2023-2162", "CVE-2023-23454", "CVE-2023-23455", "CVE-2023-26544", "CVE-2023-32269"], "modified": "2023-05-16T00:00:00", "id": "USN-6079-1", "href": "https://ubuntu.com/security/notices/USN-6079-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T18:24:54", "description": "## Releases\n\n * Ubuntu 22.10 \n * Ubuntu 22.04 LTS\n\n## Packages\n\n * linux-gcp \\- Linux kernel for Google Cloud Platform (GCP) systems\n * linux-hwe-5.19 \\- Linux hardware enablement (HWE) kernel\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nZiming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux \nkernel contained an out-of-bounds write vulnerability. A local attacker \ncould use this to cause a denial of service (system crash). \n(CVE-2022-36280)\n\nZheng Wang discovered that the Intel i915 graphics driver in the Linux \nkernel did not properly handle certain error conditions, leading to a \ndouble-free. A local attacker could possibly use this to cause a denial of \nservice (system crash). (CVE-2022-3707)\n\nHaowei Yan discovered that a race condition existed in the Layer 2 \nTunneling Protocol (L2TP) implementation in the Linux kernel. A local \nattacker could possibly use this to cause a denial of service (system \ncrash). (CVE-2022-4129)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel contained a null pointer dereference in some situations. A local \nattacker could use this to cause a denial of service (system crash). \n(CVE-2022-4842)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate attributes in certain situations, leading \nto an out-of-bounds write vulnerability. A local attacker could use this to \ncause a denial of service (system crash). (CVE-2022-48423)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate attributes in certain situations, leading \nto an out-of-bounds read vulnerability. A local attacker could possibly use \nthis to expose sensitive information (kernel memory). (CVE-2022-48424)\n\nIt was discovered that the KSMBD implementation in the Linux kernel did not \nproperly validate buffer lengths, leading to a heap-based buffer overflow. \nA remote attacker could possibly use this to cause a denial of service \n(system crash). (CVE-2023-0210)\n\nKyle Zeng discovered that the IPv6 implementation in the Linux kernel \ncontained a NULL pointer dereference vulnerability in certain situations. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2023-0394)\n\nJordy Zomer and Alexandra Sandulescu discovered that syscalls invoking the \ndo_prlimit() function in the Linux kernel did not properly handle \nspeculative execution barriers. A local attacker could use this to expose \nsensitive information (kernel memory). (CVE-2023-0458)\n\nJordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did \nnot properly implement speculative execution barriers in usercopy functions \nin certain situations. A local attacker could use this to expose sensitive \ninformation (kernel memory). (CVE-2023-0459)\n\nIt was discovered that the Human Interface Device (HID) support driver in \nthe Linux kernel contained a type confusion vulnerability in some \nsituations. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1073)\n\nIt was discovered that a memory leak existed in the SCTP protocol \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (memory exhaustion). (CVE-2023-1074)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nXingyuan Mo discovered that the x86 KVM implementation in the Linux kernel \ndid not properly initialize some data structures. A local attacker could \nuse this to expose sensitive information (kernel memory). (CVE-2023-1513)\n\nIt was discovered that the NFS implementation in the Linux kernel did not \nproperly handle pending tasks in some situations. A local attacker could \nuse this to cause a denial of service (system crash) or expose sensitive \ninformation (kernel memory). (CVE-2023-1652)\n\nIt was discovered that the ARM64 EFI runtime services implementation in the \nLinux kernel did not properly manage concurrency calls. A local attacker \ncould use this to cause a denial of service (system crash) or possibly \nexecute arbitrary code. (CVE-2023-21102)\n\nIt was discovered that a race condition existed in Adreno GPU DRM driver in \nthe Linux kernel, leading to a double-free vulnerability. A local attacker \ncould use this to cause a denial of service (system crash). \n(CVE-2023-21106)\n\nIt was discovered that a use-after-free vulnerability existed in the iSCSI \nTCP implementation in the Linux kernel. A local attacker could possibly use \nthis to cause a denial of service (system crash). (CVE-2023-2162)\n\nKyle Zeng discovered that the class-based queuing discipline implementation \nin the Linux kernel contained a type confusion vulnerability in some \nsituations. An attacker could use this to cause a denial of service (system \ncrash). (CVE-2023-23454)\n\nKyle Zeng discovered that the ATM VC queuing discipline implementation in \nthe Linux kernel contained a type confusion vulnerability in some \nsituations. An attacker could use this to cause a denial of service (system \ncrash). (CVE-2023-23455)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate the size of attributes when parsing MFT. A \nlocal attacker could possibly use this to cause a denial of service (system \ncrash) or expose sensitive information (kernel memory). (CVE-2023-26544)\n\nIt was discovered that the NET/ROM protocol implementation in the Linux \nkernel contained a race condition in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-32269)\n\nDuoming Zhou discovered that a race condition existed in the infrared \nreceiver/transceiver driver in the Linux kernel, leading to a use-after- \nfree vulnerability. A privileged attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-1118)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-22T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672", "CVE-2022-36280", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-4842", "CVE-2022-48423", "CVE-2022-48424", "CVE-2023-0210", "CVE-2023-0394", "CVE-2023-0458", "CVE-2023-0459", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-1652", "CVE-2023-21102", "CVE-2023-21106", "CVE-2023-2162", "CVE-2023-23454", "CVE-2023-23455", "CVE-2023-26544", "CVE-2023-32269"], "modified": "2023-05-22T00:00:00", "id": "USN-6096-1", "href": "https://ubuntu.com/security/notices/USN-6096-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T18:24:57", "description": "## Releases\n\n * Ubuntu 22.10 \n\n## Packages\n\n * linux-ibm \\- Linux kernel for IBM cloud systems\n * linux-oracle \\- Linux kernel for Oracle Cloud systems\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nZiming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux \nkernel contained an out-of-bounds write vulnerability. A local attacker \ncould use this to cause a denial of service (system crash). \n(CVE-2022-36280)\n\nZheng Wang discovered that the Intel i915 graphics driver in the Linux \nkernel did not properly handle certain error conditions, leading to a \ndouble-free. A local attacker could possibly use this to cause a denial of \nservice (system crash). (CVE-2022-3707)\n\nHaowei Yan discovered that a race condition existed in the Layer 2 \nTunneling Protocol (L2TP) implementation in the Linux kernel. A local \nattacker could possibly use this to cause a denial of service (system \ncrash). (CVE-2022-4129)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel contained a null pointer dereference in some situations. A local \nattacker could use this to cause a denial of service (system crash). \n(CVE-2022-4842)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate attributes in certain situations, leading \nto an out-of-bounds write vulnerability. A local attacker could use this to \ncause a denial of service (system crash). (CVE-2022-48423)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate attributes in certain situations, leading \nto an out-of-bounds read vulnerability. A local attacker could possibly use \nthis to expose sensitive information (kernel memory). (CVE-2022-48424)\n\nIt was discovered that the KSMBD implementation in the Linux kernel did not \nproperly validate buffer lengths, leading to a heap-based buffer overflow. \nA remote attacker could possibly use this to cause a denial of service \n(system crash). (CVE-2023-0210)\n\nKyle Zeng discovered that the IPv6 implementation in the Linux kernel \ncontained a NULL pointer dereference vulnerability in certain situations. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2023-0394)\n\nJordy Zomer and Alexandra Sandulescu discovered that syscalls invoking the \ndo_prlimit() function in the Linux kernel did not properly handle \nspeculative execution barriers. A local attacker could use this to expose \nsensitive information (kernel memory). (CVE-2023-0458)\n\nJordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did \nnot properly implement speculative execution barriers in usercopy functions \nin certain situations. A local attacker could use this to expose sensitive \ninformation (kernel memory). (CVE-2023-0459)\n\nIt was discovered that the Human Interface Device (HID) support driver in \nthe Linux kernel contained a type confusion vulnerability in some \nsituations. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1073)\n\nIt was discovered that a memory leak existed in the SCTP protocol \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (memory exhaustion). (CVE-2023-1074)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nXingyuan Mo discovered that the x86 KVM implementation in the Linux kernel \ndid not properly initialize some data structures. A local attacker could \nuse this to expose sensitive information (kernel memory). (CVE-2023-1513)\n\nIt was discovered that the NFS implementation in the Linux kernel did not \nproperly handle pending tasks in some situations. A local attacker could \nuse this to cause a denial of service (system crash) or expose sensitive \ninformation (kernel memory). (CVE-2023-1652)\n\nIt was discovered that the ARM64 EFI runtime services implementation in the \nLinux kernel did not properly manage concurrency calls. A local attacker \ncould use this to cause a denial of service (system crash) or possibly \nexecute arbitrary code. (CVE-2023-21102)\n\nIt was discovered that a race condition existed in Adreno GPU DRM driver in \nthe Linux kernel, leading to a double-free vulnerability. A local attacker \ncould use this to cause a denial of service (system crash). \n(CVE-2023-21106)\n\nIt was discovered that a use-after-free vulnerability existed in the iSCSI \nTCP implementation in the Linux kernel. A local attacker could possibly use \nthis to cause a denial of service (system crash). (CVE-2023-2162)\n\nKyle Zeng discovered that the class-based queuing discipline implementation \nin the Linux kernel contained a type confusion vulnerability in some \nsituations. An attacker could use this to cause a denial of service (system \ncrash). (CVE-2023-23454)\n\nKyle Zeng discovered that the ATM VC queuing discipline implementation in \nthe Linux kernel contained a type confusion vulnerability in some \nsituations. An attacker could use this to cause a denial of service (system \ncrash). (CVE-2023-23455)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel did not properly validate the size of attributes when parsing MFT. A \nlocal attacker could possibly use this to cause a denial of service (system \ncrash) or expose sensitive information (kernel memory). (CVE-2023-26544)\n\nIt was discovered that the NET/ROM protocol implementation in the Linux \nkernel contained a race condition in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-32269)\n\nDuoming Zhou discovered that a race condition existed in the infrared \nreceiver/transceiver driver in the Linux kernel, leading to a use-after- \nfree vulnerability. A privileged attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-1118)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-18T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672", "CVE-2022-36280", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-4842", "CVE-2022-48423", "CVE-2022-48424", "CVE-2023-0210", "CVE-2023-0394", "CVE-2023-0458", "CVE-2023-0459", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1513", "CVE-2023-1652", "CVE-2023-21102", "CVE-2023-21106", "CVE-2023-2162", "CVE-2023-23454", "CVE-2023-23455", "CVE-2023-26544", "CVE-2023-32269"], "modified": "2023-05-18T00:00:00", "id": "USN-6091-1", "href": "https://ubuntu.com/security/notices/USN-6091-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-06-05T18:25:01", "description": "## Releases\n\n * Ubuntu 20.04 LTS\n\n## Packages\n\n * linux-intel-iotg-5.15 \\- Linux kernel for Intel IoT platforms\n\nIt was discovered that the Traffic-Control Index (TCINDEX) implementation \nin the Linux kernel did not properly perform filter deactivation in some \nsituations. A local attacker could possibly use this to gain elevated \nprivileges. Please note that with the fix for this CVE, kernel support for \nthe TCINDEX classifier has been removed. (CVE-2023-1829)\n\nIt was discovered that the Traffic-Control Index (TCINDEX) implementation \nin the Linux kernel contained a use-after-free vulnerability. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2023-1281)\n\nIt was discovered that the OverlayFS implementation in the Linux kernel did \nnot properly handle copy up operation in some conditions. A local attacker \ncould possibly use this to gain elevated privileges. (CVE-2023-0386)\n\nIt was discovered that some AMD x86-64 processors with SMT enabled could \nspeculatively execute instructions using a return address from a sibling \nthread. A local attacker could possibly use this to expose sensitive \ninformation. (CVE-2022-27672)\n\nZheng Wang discovered that the Intel i915 graphics driver in the Linux \nkernel did not properly handle certain error conditions, leading to a \ndouble-free. A local attacker could possibly use this to cause a denial of \nservice (system crash). (CVE-2022-3707)\n\nHaowei Yan discovered that a race condition existed in the Layer 2 \nTunneling Protocol (L2TP) implementation in the Linux kernel. A local \nattacker could possibly use this to cause a denial of service (system \ncrash). (CVE-2022-4129)\n\nIt was discovered that the network queuing discipline implementation in the \nLinux kernel contained a null pointer dereference in some situations. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2022-47929)\n\nIt was discovered that the NTFS file system implementation in the Linux \nkernel contained a null pointer dereference in some situations. A local \nattacker could use this to cause a denial of service (system crash). \n(CVE-2022-4842)\n\nKyle Zeng discovered that the IPv6 implementation in the Linux kernel \ncontained a NULL pointer dereference vulnerability in certain situations. A \nlocal attacker could use this to cause a denial of service (system crash). \n(CVE-2023-0394)\n\nJordy Zomer and Alexandra Sandulescu discovered that syscalls invoking the \ndo_prlimit() function in the Linux kernel did not properly handle \nspeculative execution barriers. A local attacker could use this to expose \nsensitive information (kernel memory). (CVE-2023-0458)\n\nJordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did \nnot properly implement speculative execution barriers in usercopy functions \nin certain situations. A local attacker could use this to expose sensitive \ninformation (kernel memory). (CVE-2023-0459)\n\nIt was discovered that the Human Interface Device (HID) support driver in \nthe Linux kernel contained a type confusion vulnerability in some \nsituations. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1073)\n\nIt was discovered that a memory leak existed in the SCTP protocol \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (memory exhaustion). (CVE-2023-1074)\n\nIt was discovered that the TLS subsystem in the Linux kernel contained a \ntype confusion vulnerability in some situations. A local attacker could use \nthis to cause a denial of service (system crash) or possibly expose \nsensitive information. (CVE-2023-1075)\n\nIt was discovered that the Reliable Datagram Sockets (RDS) protocol \nimplementation in the Linux kernel contained a type confusion vulnerability \nin some situations. An attacker could use this to cause a denial of service \n(system crash). (CVE-2023-1078)\n\nXingyuan Mo discovered that the x86 KVM implementation in the Linux kernel \ndid not properly initialize some data structures. A local attacker could \nuse this to expose sensitive information (kernel memory). (CVE-2023-1513)\n\nIt was discovered that the NFS implementation in the Linux kernel did not \nproperly handle pending tasks in some situations. A local attacker could \nuse this to cause a denial of service (system crash) or expose sensitive \ninformation (kernel memory). (CVE-2023-1652)\n\nIt was discovered that a race condition existed in the io_uring subsystem \nin the Linux kernel, leading to a use-after-free vulnerability. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2023-1872)\n\nIt was discovered that the Android Binder IPC subsystem in the Linux kernel \ndid not properly validate inputs in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-20938)\n\nIt was discovered that the ARM64 EFI runtime services implementation in the \nLinux kernel did not properly manage concurrency calls. A local attacker \ncould use this to cause a denial of service (system crash) or possibly \nexecute arbitrary code. (CVE-2023-21102)\n\nIt was discovered that a use-after-free vulnerability existed in the iSCSI \nTCP implementation in the Linux kernel. A local attacker could possibly use \nthis to cause a denial of service (system crash). (CVE-2023-2162)\n\nLianhui Tang discovered that the MPLS implementation in the Linux kernel \ndid not properly handle certain sysctl allocation failure conditions, \nleading to a double-free vulnerability. An attacker could use this to cause \na denial of service or possibly execute arbitrary code. (CVE-2023-26545)\n\nIt was discovered that the NET/ROM protocol implementation in the Linux \nkernel contained a race condition in some situations, leading to a use- \nafter-free vulnerability. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-32269)\n\nDuoming Zhou discovered that a race condition existed in the infrared \nreceiver/transceiver driver in the Linux kernel, leading to a use-after- \nfree vulnerability. A privileged attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2023-1118)\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-01T00:00:00", "type": "ubuntu", "title": "Linux kernel (Intel IoTG) vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-27672", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-47929", "CVE-2022-4842", "CVE-2023-0386", "CVE-2023-0394", "CVE-2023-0458", "CVE-2023-0459", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1075", "CVE-2023-1078", "CVE-2023-1118", "CVE-2023-1281", "CVE-2023-1513", "CVE-2023-1652", "CVE-2023-1829", "CVE-2023-1872", "CVE-2023-20938", "CVE-2023-21102", "CVE-2023-2162", "CVE-2023-26545", "CVE-2023-32269"], "modified": "2023-06-01T00:00:00", "id": "USN-6134-1", "href": "https://ubuntu.com/security/notices/USN-6134-1", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2023-06-05T18:37:46", "description": "This kernel-linus update is based on upstream 5.15.98 and fixes atleast the following security issues: A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine (CVE-2022-2196). A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system (CVE-2022-3707). A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service (CVE-2022-4129). A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side (CVE-2022-4382). A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system (CVE-2022-4842). When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure (CVE-2022-27672). A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution (CVE-2023-0179). A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash (CVE-2023-0394). A memory corruption flaw was found in the Linux kernel\u2019s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system (CVE-2023-1073). A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service (CVE-2023-1074). rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078). An integer overflow flaw was found in the Linux kernel\u2019s wireless RNDIS USB device driver in how a user installs a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system (CVE-2023-23559). There is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device (CVE-2023-26545). For other upstream fixes in this update, see the referenced changelogs. \n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-11T19:00:39", "type": "mageia", "title": "Updated kernel-linus packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-4382", "CVE-2022-4842", "CVE-2023-0179", "CVE-2023-0394", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1078", "CVE-2023-23559", "CVE-2023-26545"], "modified": "2023-03-11T19:00:39", "id": "MGASA-2023-0088", "href": "https://advisories.mageia.org/MGASA-2023-0088.html", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-05T18:37:46", "description": "This kernel update is based on upstream 5.15.98 and fixes atleast the following security issues: A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine (CVE-2022-2196). A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system (CVE-2022-3707). A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service (CVE-2022-4129). A use-after-free flaw caused by a race among the superblock operations in the gadgetfs Linux driver was found. It could be triggered by yanking out a device that is running the gadgetfs side (CVE-2022-4382). A flaw NULL Pointer Dereference in the Linux kernel NTFS3 driver function attr_punch_hole() was found. A local user could use this flaw to crash the system (CVE-2022-4842). When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure (CVE-2022-27672). A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution (CVE-2023-0179). A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash (CVE-2023-0394). A memory corruption flaw was found in the Linux kernel\u2019s human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system (CVE-2023-1073). A memory leak flaw was found in the Linux kernel's Stream Control Transmission Protocol. This issue may occur when a user starts a malicious networking service and someone connects to this service. This could allow a local user to starve resources, causing a denial of service (CVE-2023-1074). rds: rds_rm_zerocopy_callback() use list_first_entry() (CVE-2023-1078). An integer overflow flaw was found in the Linux kernel\u2019s wireless RNDIS USB device driver in how a user installs a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system (CVE-2023-23559). There is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device (CVE-2023-26545). For other upstream fixes in this update, see the referenced changelogs. \n", "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-11T19:00:39", "type": "mageia", "title": "Updated kernel packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2196", "CVE-2022-27672", "CVE-2022-3707", "CVE-2022-4129", "CVE-2022-4382", "CVE-2022-4842", "CVE-2023-0179", "CVE-2023-0394", "CVE-2023-1073", "CVE-2023-1074", "CVE-2023-1078", "CVE-2023-23559", "CVE-2023-26545"], "modified": "2023-03-11T19:00:39", "id": "MGASA-2023-0087", "href": "https://advisories.mageia.org/MGASA-2023-0087.html", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}]}