An update for kernel is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1637
Final 1.0 1.0 2023-09-15 Initial 2023-09-15 2023-09-15
openEuler SA Tool V1.0 2023-09-15
kernel security update

An update for kernel is now available for openEuler-20.03-LTS-SP1.

The Linux Kernel, the operating system core itself.

Security Fix(es):

A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8. (CVE-2023-4206)

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter.
This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81. (CVE-2023-4208)

A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c. (CVE-2023-4622)

An update for kernel is now available for openEuler-20.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
kernel

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1637
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-4206
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-4207
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-4208
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-4622
https://nvd.nist.gov/vuln/detail/CVE-2023-4206
https://nvd.nist.gov/vuln/detail/CVE-2023-4207
https://nvd.nist.gov/vuln/detail/CVE-2023-4208
https://nvd.nist.gov/vuln/detail/CVE-2023-4622

openEuler-20.03-LTS-SP1

kernel-debugsource-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
bpftool-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
kernel-tools-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
kernel-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
python3-perf-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
kernel-tools-devel-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
kernel-source-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
perf-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
bpftool-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
python2-perf-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
python2-perf-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
python3-perf-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
perf-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
kernel-tools-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
kernel-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
kernel-devel-4.19.90-2309.3.0.0218.oe1.aarch64.rpm
kernel-4.19.90-2309.3.0.0218.oe1.src.rpm
python3-perf-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
kernel-tools-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
kernel-debugsource-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
kernel-devel-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
perf-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
kernel-tools-devel-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
python2-perf-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
kernel-tools-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
kernel-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
python2-perf-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
python3-perf-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
perf-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
bpftool-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
kernel-source-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
kernel-4.19.90-2309.3.0.0218.oe1.x86_64.rpm
bpftool-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm

A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
2023-09-15 CVE-2023-4206 openEuler-20.03-LTS-SP1 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
kernel security update 2023-09-15 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1637

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
2023-09-15 CVE-2023-4207 openEuler-20.03-LTS-SP1 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
kernel security update 2023-09-15 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1637

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
2023-09-15 CVE-2023-4208 openEuler-20.03-LTS-SP1 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
kernel security update 2023-09-15 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1637

A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
2023-09-15 CVE-2023-4622 openEuler-20.03-LTS-SP1 High 7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
kernel security update 2023-09-15 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1637