LSN-0068-1: Kernel Live Patch Security Notice
Linux kernel vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM
Summary
Several security issues were fixed in the kernel.
Software Description
- linux – Linux kernel
- linux-aws – Linux kernel for Amazon Web Services (AWS) systems
- linux-oem – Linux kernel for OEM systems
Special Notice for CVE-2020-0543
On June 9, Intel announced CVE-2020-0543, a CPU hardware issue known
as Special Register Buffer Data Sampling (SRBDS), which could result
in data leaks from random number generation instructions. The issue
affects a subset of Intel CPUs and is mitigated by a CPU microcode
update. This is a hardware issue and cannot be mitigated with a
livepatch.
The kernel update associated with the CVE provides the ability
to turn the mitigation on and off and to report the presence of the
mitigation in the microcode, and should be installed with the updated
microcode.
To determine if your Intel CPU is affected, consult
Intel’s list of affected processors.
Note that AMD processors, and architectures other than x86_64, are not
affected by this CVE.
Users affected by this issue should update their kernel and CPU microcode,
and reboot into the new kernel. Users not affected by CVE-2020-0543 may continue
to use livepatch updates without rebooting.
For more information about the CVE and our response, please consult the
Ubuntu SRBDS wiki page.
Details
It was discovered that the virtual terminal implementation in the Linux
kernel did not properly handle resize events. A local attacker could use
this to expose sensitive information. (CVE-2020-8647)
It was discovered that the virtual terminal implementation in the Linux
kernel contained a race condition. A local attacker could possibly use this
to cause a denial of service (system crash) or expose sensitive
information. (CVE-2020-8648)
It was discovered that the virtual terminal implementation in the Linux
kernel did not properly handle resize events. A local attacker could use
this to expose sensitive information. (CVE-2020-8649)
It was discovered that the Serial CAN interface driver in the Linux kernel
did not properly initialize data. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2020-11494)
Piotr Krysiuk discovered that race conditions existed in the file system
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash). (CVE-2020-12114)
Update instructions
The problem can be corrected by updating your kernel livepatch to the following
versions:
- Ubuntu 18.04 LTS
- aws – 68.1
- generic – 68.1
- lowlatency – 68.1
- oem – 68.1
- Ubuntu 16.04 LTS
- aws – 68.1
- generic – 67.1
- generic – 68.1
- lowlatency – 67.1
- lowlatency – 68.1
- Ubuntu 14.04 ESM
- generic – 66.1
- lowlatency – 66.1
Support Information
Kernels older than the levels listed below do not receive livepatch
updates. If you are running a kernel version earlier than the one listed
below, please upgrade your kernel as soon as possible.
- Ubuntu 18.04 LTS
- linux – 4.15.0-69
- linux-aws – 4.15.0-1054
- linux-azure – 5.0.0-1025
- linux-gcp – 5.0.0-1025
- linux-oem – 4.15.0-1063
- Ubuntu 20.04 LTS
- linux – 5.4.0-26
- linux-aws – 5.4.0-1009
- linux-azure – 5.4.0-1010
- linux-gcp – 5.4.0-1009
- linux-oem – 5.4.0-26
- Ubuntu 16.04 LTS
- linux – 4.4.0-168
- linux-aws – 4.4.0-1098
- linux-azure – 4.15.0-1063
- linux-hwe – 4.15.0-69
- Ubuntu 14.04 ESM
- linux-lts-xenial – 4.4.0-168