Important kernel security update: Virtuozzo ReadyKernel patch 80.0 for Virtuozzo 7.0.6 and 7.0.6 HF3

Issue date: 2019-06-03

Applies to: Virtuozzo 7.0, Virtuozzo Infrastructure Platform 2.5

Virtuozzo Advisory ID: VZA-2019-045

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to the kernels 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6) and 3.10.0-693.11.6.vz7.40.4 (Virtuozzo 7.0.6 HF3). NOTE: No more patches are planned for kernel 3.10.0-693.1.1.vz7.37.30, support for which ends with this update.

2. Security Fixes

• [Important] A use-after-free vulnerability was found in the way KVM implements its device control API. When a device is created via kvm_ioctl_create_device(), it holds a reference to a VM object. This reference is transferred to file descriptor table of the caller. If such file descriptor was closed, reference count to the VM object could become zero, which could lead to a use-after-free issue. A user/process could use this flaw to crash the guest VM resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-6974)
• [Important] A use-after-free vulnerability was found in the way KVM emulates a preemption timer for L2 guests when nested virtualization is enabled. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system. (CVE-2019-7221)
• [Moderate] It was discovered that a certain sequence of operations related to IPv4 routing could trigger a kernel memory leak. An attacker could potentially exploit that from a container to cause a denial of service. (PSBM-94535)

3. Bug Fixes

• It was discovered that inode tables created during online resize of an ext4 filesystem were not zeroed after that. This could potentially result in lower performance of the file system. (PSBM-93988)
• ploop: kernel crash in ploop_congested(). (PSBM-94270)
• ploop: ‘pcompact’ could hang if run simultaneously with ‘ploop-balloon status’. (PSBM-94727)

4. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

5. References

• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-7221
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-6974

The JSON file with the list of new and updated packages is available at JSON file.