Announcing new releases Alpha 3717.0.0, Beta 3602.1.5, Stable 3510.2.7, LTS 3033.3.17

7 views
Skip to first unread message

Flatcar Container Linux User

unread,
Sep 6, 2023, 11:32:27 AM9/6/23
to Flatcar Container Linux User

Hello,
We are pleased to announce a new Flatcar Container Linux release for the Alpha, Beta, Stable, LTS channel.

New Alpha Release 3717.0.0

Changes since Alpha 3689.0.0

Security fixes:Bug fixes:
  • Fixed the restart of Systemd services when the main process is being killed by a SIGHUP signal (Flatcar#1157)
Changes:
  • Change nvidia.service to type oneshot (from the default “simple”) so the subsequent services (configured with “Requires/After”) are executed after the driver installation is successfully finished (Flatcar#1136)
Updates:New Beta Release 3602.1.5

Changes since Beta 3602.1.4

Security fixes:Bug fixes:
  • Fixed the restart of Systemd services when the main process is being killed by a SIGHUP signal (flatcar#1157)
Updates:New Stable Release 3510.2.7

Changes since Stable 3510.2.6

Security fixes:Bug fixes:
  • Fixed the restart of Systemd services when the main process is being killed by a SIGHUP signal (flatcar#1157)
Updates:New LTS Release 3033.3.17

Changes since LTS 3033.3.16

Security fixes:Updates:Detailed Security Report

Security fix: With the Alpha 3717.0.0, Beta 3602.1.5, Stable 3510.2.7, LTS 3033.3.17 releases we ship fixes for the CVEs listed below.

Alpha 3717.0.0

  • Linux

    • CVE-2022-40982 CVSSv3 score: n/a
      Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

    • CVE-2022-41804 CVSSv3 score: 6.7(Medium)
      Unauthorized error injection in Intel® SGX or Intel® TDX for some Intel® Xeon® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

    • CVE-2023-20569 CVSSv3 score: 7.5(High)
      A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled?address, potentially leading to information disclosure.

    • CVE-2023-20588 CVSSv3 score: 7.5(High)
      A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.

    • CVE-2023-34319 CVSSv3 score: n/a

    • CVE-2023-3772 CVSSv3 score: 4.4(Medium)
      A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.

    • CVE-2023-3773 CVSSv3 score: 4.4(Medium)
      A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4 byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.

    • CVE-2023-40283 CVSSv3 score: 7.8(High)
      An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.

    • CVE-2023-4128 CVSSv3 score: n/a
      A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.

    • CVE-2023-4155 CVSSv3 score: n/a

    • CVE-2023-4273 CVSSv3 score: 6.7(Medium)
      A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.

    • CVE-2023-23908 CVSSv3 score: 4.4(Medium)
      Improper access control in some 3rd Generation Intel® Xeon® Scalable processors may allow a privileged user to potentially enable information disclosure via local access.

  • SDK: Rust

    • CVE-2023-38497 CVSSv3 score: 7.3(High)
      Cargo downloads the Rust project’s dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files writeable by any local user, another local user could exploit this to change the source code compiled and executed by the current user. To prevent existing cached extractions from being exploitable, the Cargo binary version 0.72.2 included in Rust 1.71.1 or later will purge caches generated by older Cargo versions automatically. As a workaround, configure one's system to prevent other local users from accessing the Cargo directory, usually located in ~/.cargo.

  • VMware: open-vm-tools

    • CVE-2023-20900 CVSSv3 score: n/a
      VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor with man-in-the-middle (MITM) network positioning in the virtual machine network may be able to bypass SAML token signature verification, to perform VMware Tools Guest Operations.

  • grub

    • CVE-2020-10713 CVSSv3 score: 8.2(High)
      A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    • CVE-2020-14372 CVSSv3 score: 7.5(High)
      A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.
    • CVE-2020-25632 CVSSv3 score: 8.2(High)
      A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    • CVE-2020-25647 CVSSv3 score: 7.6(High)
      A flaw was found in grub2 in versions prior to 2.06. During USB device initialization, descriptors are read with very little bounds checking and assumes the USB device is providing sane values. If properly exploited, an attacker could trigger memory corruption leading to arbitrary code execution allowing a bypass of the Secure Boot mechanism. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    • CVE-2020-27749 CVSSv3 score: 6.7(Medium)
      A flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    • CVE-2020-27779 CVSSv3 score: 7.5(High)
      A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking allowing an privileged attacker to remove address ranges from memory creating an opportunity to circumvent SecureBoot protections after proper triage about grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    • CVE-2021-20225 CVSSv3 score: 6.7(Medium)
      A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    • CVE-2021-20233 CVSSv3 score: 8.2(High)
      A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
    • CVE-2021-3981 CVSSv3 score: 3.3(Low)
      A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.
    • CVE-2021-3695 CVSSv3 score: 4.5(Medium)
      A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write in the heap area. An attacker may take advantage of that to cause heap data corruption or eventually arbitrary code execution and circumvent secure boot protections. This issue has a high complexity to be exploited as an attacker needs to perform some triage over the heap layout to achieve signifcant results, also the values written into the memory are repeated three times in a row making difficult to produce valid payloads. This flaw affects grub2 versions prior grub-2.12.
    • CVE-2021-3696 CVSSv3 score: 4.5(Medium)
      A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader. This may lead to data corruption in the heap space. Confidentiality, Integrity and Availablity impact may be considered Low as it's very complex to an attacker control the encoding and positioning of corrupted Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.
    • CVE-2021-3697 CVSSv3 score: 7(High)
      A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap. To a successful to be performed the attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.
    • CVE-2022-28733 CVSSv3 score: n/a
      Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.
    • CVE-2022-28734 CVSSv3 score: 9.8(Critical)
      Out-of-bounds write when handling split HTTP headers; When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data buffer point by one position. This can lead to a out-of-bound write further when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker controlled set of packets can lead to corruption of the GRUB2's internal memory metadata.
    • CVE-2022-28735 CVSSv3 score: 7.8(High)
      The GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems. Allowing such files to be loaded may lead to unverified code and modules to be loaded in GRUB2 breaking the secure boot trust-chain.
    • CVE-2022-28736 CVSSv3 score: 7.8(High)
      There's a use-after-free vulnerability in grub_cmd_chainloader() function; The chainloader command is used to boot up operating systems that doesn't support multiboot and do not have direct support from GRUB2. When executing chainloader more than once a use-after-free vulnerability is triggered. If an attacker can control the GRUB2's memory allocation pattern sensitive data may be exposed and arbitrary code execution can be achieved.
    • CVE-2022-28737 CVSSv3 score: 7.8(High)
      There's a possible overflow in handle_image() when shim tries to load and execute crafted EFI executables; The handle_image() function takes into account the SizeOfRawData field from each section to be loaded. An attacker can leverage this to perform out-of-bound writes into memory. Arbitrary code execution is not discarded in such scenario.
    • CVE-2022-2601 CVSSv3 score: 8.6(High)
      A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.
    • CVE-2022-3775 CVSSv3 score: 7.1(High)
      When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.

  • intel-microcode

    • CVE-2022-40982 CVSSv3 score: n/a
      Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.
    • CVE-2022-41804 CVSSv3 score: 6.7(Medium)
      Unauthorized error injection in Intel® SGX or Intel® TDX for some Intel® Xeon® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
    • CVE-2023-23908 CVSSv3 score: 4.4(Medium)
      Improper access control in some 3rd Generation Intel® Xeon® Scalable processors may allow a privileged user to potentially enable information disclosure via local access.

  • qemu

    • CVE-2023-0330 CVSSv3 score: 6(Medium)
      A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.
    • CVE-2023-2861 CVSSv3 score: n/a

  • vim

    • CVE-2023-2609 CVSSv3 score: 5.5(Medium)
      NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.
    • CVE-2023-2610 CVSSv3 score: 7.8(High)
      Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.
Beta 3602.1.5
  • Linux
    • CVE-2022-40982 CVSSv3 score: n/a
      Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.
    • CVE-2022-41804 CVSSv3 score: 6.7(Medium)
      Unauthorized error injection in Intel® SGX or Intel® TDX for some Intel® Xeon® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
    • CVE-2023-20569 CVSSv3 score: 7.5(High)
      A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled?address, potentially leading to information disclosure.
    • CVE-2023-20588 CVSSv3 score: 7.5(High)
      A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.
    • CVE-2023-40283 CVSSv3 score: 7.8(High)
      An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.
    • CVE-2023-4128 CVSSv3 score: n/a
      A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.
    • CVE-2023-23908 CVSSv3 score: 4.4(Medium)
      Improper access control in some 3rd Generation Intel® Xeon® Scalable processors may allow a privileged user to potentially enable information disclosure via local access.
Stable 3510.2.7
  • Linux
    • CVE-2022-40982 CVSSv3 score: n/a
      Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.
    • CVE-2022-41804 CVSSv3 score: 6.7(Medium)
      Unauthorized error injection in Intel® SGX or Intel® TDX for some Intel® Xeon® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
    • CVE-2023-1206 CVSSv3 score: 5.7(Medium)
      A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.
    • CVE-2023-20569 CVSSv3 score: 7.5(High)
      A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled?address, potentially leading to information disclosure.
    • CVE-2023-4004 CVSSv3 score: n/a
      A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
    • CVE-2023-4147 CVSSv3 score: n/a
      A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    • CVE-2023-20569 CVSSv3 score: 7.5(High)
      A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled?address, potentially leading to information disclosure.
    • CVE-2023-23908 CVSSv3 score: 4.4(Medium)
      Improper access control in some 3rd Generation Intel® Xeon® Scalable processors may allow a privileged user to potentially enable information disclosure via local access.
LTS 3033.3.17
  • Linux

    • CVE-2022-40982 CVSSv3 score: n/a
      Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

    • CVE-2022-41804 CVSSv3 score: 6.7(Medium)
      Unauthorized error injection in Intel® SGX or Intel® TDX for some Intel® Xeon® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

    • CVE-2023-20569 CVSSv3 score: 7.5(High)
      A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled?address, potentially leading to information disclosure.

    • CVE-2023-23908 CVSSv3 score: 4.4(Medium)
      Improper access control in some 3rd Generation Intel® Xeon® Scalable processors may allow a privileged user to potentially enable information disclosure via local access.

    • CVE-2023-1206 CVSSv3 score: 5.7(Medium)
      A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.

    • CVE-2023-20588 CVSSv3 score: 7.5(High)
      A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.

    • CVE-2023-40283 CVSSv3 score: 7.8(High)
      An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.

    • CVE-2023-4128 CVSSv3 score: n/a
      A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.

    • CVE-2023-4147 CVSSv3 score: n/a
      A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.

    • CVE-2023-4273 CVSSv3 score: 6.7(Medium)
      A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack.

Best,
The Flatcar Container Linux Maintainers

Reply all
Reply to author
Forward
This conversation is locked
You cannot reply and perform actions on locked conversations.
0 new messages