LSN-0065-1: Kernel Live Patch Security Notice
9 April 2020
Several security issues were fixed in the kernel.
Releases
Software Description
- aws - Linux kernel for Amazon Web Services (AWS) systems - (>= 4.4.0-1098)
- azure - Linux kernel for Microsoft Azure Cloud systems - (>= 5.0.0-1025, >= 4.15.0-1063)
- gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.0.0-1025)
- generic-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
- generic-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168)
- lowlatency-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
- lowlatency-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168)
Details
Andrew Honig reported a flaw in the way KVM (Kernel-based Virtual
Machine) emulated the IOAPIC. A privileged guest user could exploit
this flaw to read host memory or cause a denial of service (crash
the host). (CVE-2013-1798)
It was discovered that in the KVM implementation in the Linux kernel,
when paravirtual TLB flushes are enabled in guests, the hypervisor could
in some situations miss deferred TLB flushes or otherwise mishandle
them. An attacker in a guest VM could use this to expose sensitive
information (read memory from another guest VM). (CVE-2019-3016)
Al Viro discovered that the vfs layer in the Linux kernel contained
a use-after-free vulnerability. A local attacker could use this to
cause a denial of service (system crash) or possibly expose sensitive
information (kernel memory). (CVE-2020-8428)
Checking update status
The problem can be corrected in these Livepatch versions:
Kernel type | 18.04 | 16.04 | 14.04 |
---|---|---|---|
aws | — | 65.1 | — |
azure | 65.1 | 65.1 | — |
gcp | 65.1 | — | — |
generic-4.15 | 65.1 | 65.1 | — |
generic-4.4 | — | 65.1 | 65.1 |
lowlatency-4.15 | 65.1 | 65.1 | — |
lowlatency-4.4 | — | 65.1 | 65.1 |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status
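To check a fleet rather than one host, the kernel release string from `uname -r` can be compared against the bounds in the Software Description list. The script below is an added example, not part of the original notice or of Canonical's tooling. The function names are hypothetical, and it assumes each listed bound is the lowest kernel release of that flavour the live patch applies to.

```shell
#!/bin/sh
# Added example. Minimum releases are copied from the Software Description
# list of this notice; the function names are hypothetical.

# Print the lowest covered release for a `uname -r` style string,
# or return 1 when the flavour/base version is not listed in the notice.
lsn_min_release() {
    flavour=${1##*-}    # text after the last '-',   e.g. generic
    base=${1%%-*}       # text before the first '-', e.g. 4.15.0
    case "$flavour:$base" in
        aws:4.4.0)                          echo 4.4.0-1098 ;;
        azure:5.0.0)                        echo 5.0.0-1025 ;;
        azure:4.15.0)                       echo 4.15.0-1063 ;;
        gcp:5.0.0)                          echo 5.0.0-1025 ;;
        generic:4.15.0|lowlatency:4.15.0)   echo 4.15.0-69 ;;
        generic:4.4.0|lowlatency:4.4.0)     echo 4.4.0-168 ;;
        *) return 1 ;;
    esac
}

# Print "covered", "too-old" or "not-listed" for a kernel release string.
lsn_covered() {
    release=$1
    min=$(lsn_min_release "$release") || { echo "not-listed"; return 0; }
    version=${release%-*}   # drop the flavour suffix: 4.15.0-72
    # sort -V orders version strings; if the minimum sorts first (or the
    # two are equal), the running release is at or above the bound.
    lowest=$(printf '%s\n%s\n' "$min" "$version" | sort -V | head -n 1)
    if [ "$lowest" = "$min" ]; then
        echo "covered"
    else
        echo "too-old"
    fi
}

# Report on the machine this script runs on.
echo "$(uname -r): $(lsn_covered "$(uname -r)")"
```

A "covered" result only means the running kernel is in the range the live patch targets; the applied Livepatch version still has to be read from `canonical-livepatch status` and compared with the table above.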