Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0.7 to 7.0.8

Issue date: 2019-06-03

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-046

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.17.1.vz7.43.10 (Virtuozzo 7.0.7), 3.10.0-693.21.1.vz7.46.7 (Virtuozzo 7.0.7 HF2), 3.10.0-693.21.1.vz7.48.2 (Virtuozzo 7.0.7 HF3), 3.10.0-862.9.1.vz7.63.3 (Virtuozzo 7.0.8).

2. Security Fixes

• [Important] A use-after-free vulnerability was found in the way KVM implements its device control API. When a device is created via kvm_ioctl_create_device(), it holds a reference to a VM object. This reference is transferred to file descriptor table of the caller. If such file descriptor was closed, reference count to the VM object could become zero, which could lead to a use-after-free issue. A user/process could use this flaw to crash the guest VM resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-6974)
• [Important] A use-after-free vulnerability was found in the way KVM emulates a preemption timer for L2 guests when nested virtualization is enabled. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-7221)
• [Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)

3. Bug Fixes

• virtio_scsi: a race condition in the Linux block layer could cause certain I/O requests to hang. (PSBM-92312)
• It was discovered that inode tables created during online resize of an ext4 filesystem were not zeroed after that. This could potentially result in lower performance of the file system. (PSBM-93988)
• ploop: kernel crash in ploop_congested(). (PSBM-94270)
• It was found that if no PMU counters were exposed to guest, KVM skipped the whole remaining PMU-related initialization, including filling of LBR-related data. As it turned out, Windows Server 2016 Essentials tried to access these data during the installation and failed to install as a result. (PSBM-94429)
• ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)

4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-7221
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-6974

The JSON file with the list of new and updated packages is available at JSON file.