SUSE-SU-2021:3073-1

Опубликовано: 16 сент. 2021

Источник: suse-cvrf

Описание

Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP3)

This update for the Linux Kernel 5.3.18-59_19 fixes several issues.

The following security issues were fixed:

CVE-2021-3653: Fixed missing validation of the KVM int_ctl VMCB field that would have allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189420).
CVE-2021-3656: Fixed KVM nSVM nested VMLOAD/VMSAVE interception (bsc#1189418).
CVE-2021-38198: Fixed KVM MMU to use the correct inherited permissions to get shadow page (bsc#1189278).

Список пакетов

SUSE Linux Enterprise Live Patching 12 SP4

kgraft-patch-4_12_14-95_60-default-14-2.2

kgraft-patch-4_12_14-95_65-default-11-2.2

kgraft-patch-4_12_14-95_68-default-10-2.2

kgraft-patch-4_12_14-95_71-default-9-2.2

kgraft-patch-4_12_14-95_74-default-6-2.2

kgraft-patch-4_12_14-95_77-default-5-2.2

kgraft-patch-4_12_14-95_80-default-3-2.2

SUSE Linux Enterprise Live Patching 12 SP5

kgraft-patch-4_12_14-122_37-default-16-2.2

kgraft-patch-4_12_14-122_41-default-15-2.2

kgraft-patch-4_12_14-122_46-default-13-2.2

kgraft-patch-4_12_14-122_51-default-13-2.2

kgraft-patch-4_12_14-122_54-default-11-2.2

kgraft-patch-4_12_14-122_57-default-11-2.2

kgraft-patch-4_12_14-122_60-default-10-2.2

kgraft-patch-4_12_14-122_63-default-9-2.2

kgraft-patch-4_12_14-122_66-default-7-2.2

kgraft-patch-4_12_14-122_71-default-6-2.2

kgraft-patch-4_12_14-122_74-default-4-2.2

kgraft-patch-4_12_14-122_77-default-4-2.2

kgraft-patch-4_12_14-122_80-default-3-2.2

kgraft-patch-4_12_14-122_83-default-2-2.2

SUSE Linux Enterprise Live Patching 15

kernel-livepatch-4_12_14-150_58-default-14-2.2

kernel-livepatch-4_12_14-150_63-default-12-2.2

kernel-livepatch-4_12_14-150_66-default-10-2.3

kernel-livepatch-4_12_14-150_69-default-9-2.2

kernel-livepatch-4_12_14-150_72-default-6-2.2

kernel-livepatch-4_12_14-150_75-default-3-2.2

SUSE Linux Enterprise Live Patching 15 SP1

kernel-livepatch-4_12_14-197_56-default-14-2.2

kernel-livepatch-4_12_14-197_61-default-13-2.2

kernel-livepatch-4_12_14-197_64-default-12-2.2

kernel-livepatch-4_12_14-197_67-default-12-2.2

kernel-livepatch-4_12_14-197_72-default-11-2.2

kernel-livepatch-4_12_14-197_75-default-11-2.2

kernel-livepatch-4_12_14-197_78-default-11-2.2

kernel-livepatch-4_12_14-197_83-default-10-2.2

kernel-livepatch-4_12_14-197_86-default-9-2.2

kernel-livepatch-4_12_14-197_89-default-6-2.2

kernel-livepatch-4_12_14-197_92-default-5-2.2

kernel-livepatch-4_12_14-197_99-default-3-2.2

SUSE Linux Enterprise Live Patching 15 SP2

kernel-livepatch-5_3_18-24_15-default-14-2.3

kernel-livepatch-5_3_18-24_24-default-14-2.3

kernel-livepatch-5_3_18-24_29-default-12-2.3

kernel-livepatch-5_3_18-24_34-default-12-2.3

kernel-livepatch-5_3_18-24_37-default-12-2.3

kernel-livepatch-5_3_18-24_43-default-11-2.3

kernel-livepatch-5_3_18-24_46-default-11-2.3

kernel-livepatch-5_3_18-24_49-default-10-2.3

kernel-livepatch-5_3_18-24_52-default-9-2.3

kernel-livepatch-5_3_18-24_61-default-6-2.3

kernel-livepatch-5_3_18-24_64-default-6-2.3

kernel-livepatch-5_3_18-24_67-default-4-2.3

kernel-livepatch-5_3_18-24_53_4-default-4-2.3

kernel-livepatch-5_3_18-24_70-default-4-2.3

kernel-livepatch-5_3_18-24_75-default-3-2.3

kernel-livepatch-5_3_18-24_78-default-2-2.3

SUSE Linux Enterprise Live Patching 15 SP3

kernel-livepatch-5_3_18-57-default-6-3.2

kernel-livepatch-5_3_18-59_5-default-4-2.3

kernel-livepatch-5_3_18-59_10-default-4-2.3

kernel-livepatch-5_3_18-59_13-default-4-2.3

kernel-livepatch-5_3_18-59_16-default-3-2.3

kernel-livepatch-5_3_18-59_19-default-2-2.3

Ссылки

https://www.suse.com/support/update/announcement/2021/suse-su-20213073-1/
Link for SUSE-SU-2021:3073-1
https://lists.suse.com/pipermail/sle-security-updates/2021-September/009450.html
E-Mail link for SUSE-SU-2021:3073-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1189278
SUSE Bug 1189278
https://bugzilla.suse.com/1189418
SUSE Bug 1189418
https://bugzilla.suse.com/1189420
SUSE Bug 1189420
https://www.suse.com/security/cve/CVE-2021-3653/
SUSE CVE CVE-2021-3653 page
https://www.suse.com/security/cve/CVE-2021-3656/
SUSE CVE CVE-2021-3656 page
https://www.suse.com/security/cve/CVE-2021-38198/
SUSE CVE CVE-2021-38198 page

Описание

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "int_ctl" field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7.

Затронутые продукты

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_60-default-14-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_65-default-11-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_68-default-10-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_71-default-9-2.2

Ссылки

https://www.suse.com/security/cve/CVE-2021-3653.html
CVE-2021-3653
https://bugzilla.suse.com/1189399
SUSE Bug 1189399
https://bugzilla.suse.com/1189420
SUSE Bug 1189420
https://bugzilla.suse.com/1196914
SUSE Bug 1196914

Описание

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

Затронутые продукты

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_60-default-14-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_65-default-11-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_68-default-10-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_71-default-9-2.2

Ссылки

https://www.suse.com/security/cve/CVE-2021-3656.html
CVE-2021-3656
https://bugzilla.suse.com/1189400
SUSE Bug 1189400
https://bugzilla.suse.com/1189418
SUSE Bug 1189418

Описание

arch/x86/kvm/mmu/paging_tmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault.

Затронутые продукты

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_60-default-14-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_65-default-11-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_68-default-10-2.2

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_71-default-9-2.2

Ссылки

https://www.suse.com/security/cve/CVE-2021-38198.html
CVE-2021-38198
https://bugzilla.suse.com/1189262
SUSE Bug 1189262
https://bugzilla.suse.com/1189278
SUSE Bug 1189278
https://bugzilla.suse.com/1196914
SUSE Bug 1196914

SUSE-SU-2021:3073-1

Описание

Список пакетов

SUSE Linux Enterprise Live Patching 12 SP4

SUSE Linux Enterprise Live Patching 12 SP5

SUSE Linux Enterprise Live Patching 15

SUSE Linux Enterprise Live Patching 15 SP1

SUSE Linux Enterprise Live Patching 15 SP2

SUSE Linux Enterprise Live Patching 15 SP3

Ссылки

Уязвимость: CVE-2021-3653

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2021-3656

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2021-38198

Описание

Затронутые продукты

Ссылки