SB2022082627 - openEuler 20.03 LTS SP1 update for kernel

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Security restrictions bypass (CVE-ID: CVE-2022-26373)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to non-transparent sharing of return predictor targets between contexts in Intel CPU processors. A local user can bypass the expected architecture isolation between contexts and gain access to sensitive information on the system.

2) Double Free (CVE-ID: CVE-2022-2588)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a double free error within the network packet scheduler implementation in the route4_change() function in Linux kernel when removing all references to a route filter before freeing it. A local user can run a specially crafted program to crash the kernel or execute arbitrary code.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1864