1. Ubuntu Security Notices
  2. LSN-0081-1

LSN-0081-1: Kernel Live Patch Security Notice

Publication date

13 September 2021

Overview

Several security issues were fixed in the kernel.

Releases

Software description

  • gcp – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009)
  • generic-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
  • generic-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  • generic-5.4 – Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  • gke – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033)
  • gke-4.15 – Linux kernel for Google Container Engine (GKE) systems - (>= 4.15.0-1076)
  • gke-5.4 – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
  • gkeop – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
  • gkeop-5.4 – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1007)
  • lowlatency-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
  • lowlatency-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  • lowlatency-5.4 – Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  • oem – Linux kernel for OEM systems - (>= 4.15.0-1063)
  • gcp – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009)
  • generic-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
  • generic-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  • generic-5.4 – Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  • gke – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033)
  • gke-4.15 – Linux kernel for Google Container Engine (GKE) systems - (>= 4.15.0-1076)
  • gke-5.4 – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
  • gkeop – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
  • gkeop-5.4 – Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1007)
  • lowlatency-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-69)
  • lowlatency-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-168)
  • lowlatency-5.4 – Linux kernel - (>= 5.4.0-26, >= 5.4.0-26)
  • oem – Linux kernel for OEM systems - (>= 4.15.0-1063)

Details

Maxim Levitsky discovered that the KVM hypervisor implementation for AMD
processors in the Linux kernel did not properly prevent a guest VM from
enabling AVIC in nested guest VMs. An attacker in a guest VM could use this
to write to portions of the host's physical memory.(CVE-2021-3653)

Maxim Levitsky and Paolo Bonzini discovered that the KVM hypervisor
implementation for AMD processors in the Linux kernel allowed a guest VM to
disable restrictions on VMLOAD/VMSAVE in a nested guest. An attacker in a
guest VM could use this to read or write portions of the host's physical
memory.(CVE-2021-3656)

Andy Nguyen discovered that the netfilter subsystem in the Linux kernel
contained an out-of-bounds write in its setsockopt() implementation. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(

Maxim Levitsky discovered that the KVM hypervisor implementation for AMD
processors in the Linux kernel did not properly prevent a guest VM from
enabling AVIC in nested guest VMs. An attacker in a guest VM could use this
to write to portions of the host's physical memory.(CVE-2021-3653)

Maxim Levitsky and Paolo Bonzini discovered that the KVM hypervisor
implementation for AMD processors in the Linux kernel allowed a guest VM to
disable restrictions on VMLOAD/VMSAVE in a nested guest. An attacker in a
guest VM could use this to read or write portions of the host's physical
memory.(CVE-2021-3656)

Andy Nguyen discovered that the netfilter subsystem in the Linux kernel
contained an out-of-bounds write in its setsockopt() implementation. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(CVE-2021-22555)

It was discovered that the virtual file system implementation in the Linux
kernel contained an unsigned to signed integer conversion error. A local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code.(CVE-2021-33909)

Checking update status

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status

The problem can be corrected in these Livepatch versions:

Kernel type 20.04 18.04 16.04 14.04
gcp 81.1
generic-4.15 81.1 81.1
generic-4.4 81.1 81.1
generic-5.4 81.1 81.1
gke 81.1
gke-4.15 81.1
gke-5.4 81.1
gkeop 81.1
gkeop-5.4 81.1
lowlatency-4.15 81.1 81.1
lowlatency-4.4 81.1 81.1
lowlatency-5.4 81.1 81.1
oem 81.1

References

Have additional questions?

Talk to a member of the team ›