Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.5

Issue date: 2017-12-11

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-110

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).

2. Security Fixes

• [Important] dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges. (CVE-2017-8824)
• [Important] The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system. (CVE-2017-16939)
• [Important] A flaw was found in the patches used to fix the ‘Dirty COW’ vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)
• [Moderate] A vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS. (CVE-2017-1000407)

3. Bug Fixes

• memcgroup: potential deadlocks and soft lockups. (PSBM-76011)
• Many of the issues that BUG_ON()s were supposed to catch in tcache were not serious enough to crash the kernel. A warning will now be output in such cases instead. (PSBM-77154)
• When there were more than two users of a page, __tcache_page_tree_delete() failed to freeze it. The page would never be invalidated and tcache_node->nr_pages would never be decremented. A kernel warning would be output as a result. (PSBM-78354)

4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

5. References

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-39.1-2.vl7/
• https://access.redhat.com/security/cve/CVE-2017-8824
• https://access.redhat.com/security/cve/CVE-2017-16939
• https://access.redhat.com/security/cve/CVE-2017-1000405
• https://access.redhat.com/security/cve/CVE-2017-1000407

The JSON file with the list of new and updated packages is available at JSON file.