Ubuntu update for linux

Published: 2023-09-20

Risk	Low
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2023-20588 CVE-2023-40283 CVE-2023-4128
CWE-ID	CWE-369 CWE-416
Exploitation vector	Local
Public exploit	N/A
Vulnerable software Subscribe	Ubuntu Operating systems & Components / Operating system linux-image-xilinx-zynqmp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oracle-lts-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oem-osp1 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oem (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-ibm-lts-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gkeop-5.4 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gkeop (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-lpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gcp-lts-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-azure-lts-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-aws-lts-20.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-163-lowlatency (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-163-generic-lpae (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-163-generic (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1116-azure (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1113-gcp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1110-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1109-oracle (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1099-kvm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1077-gkeop (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1057-ibm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1030-xilinx-zynqmp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-5.4.0-1022-iot (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-lowlatency-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-virtual-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-snapdragon-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-generic-hwe-18.04 (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-ibm (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-aws (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-gcp (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-azure (Ubuntu package) Operating systems & Components / Operating system package or component linux-image-oracle (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Division by zero

EUVDB-ID: #VU79239

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-20588

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a divide by zero error that can return speculative data. A local user can gain access to potentially sensitive information.

Mitigation

Update the affected package linux to the latest version.

Vulnerable software versions

Ubuntu: 18.04 - 20.04

linux-image-xilinx-zynqmp (Ubuntu package): before 5.4.0.1030.32

linux-image-virtual (Ubuntu package): before 5.4.0.163.160

linux-image-oracle-lts-20.04 (Ubuntu package): before 5.4.0.1109.102

linux-image-oem-osp1 (Ubuntu package): before Ubuntu Pro

linux-image-oem (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-lowlatency (Ubuntu package): before 5.4.0.163.160

linux-image-kvm (Ubuntu package): before 5.4.0.1099.94

linux-image-ibm-lts-20.04 (Ubuntu package): before 5.4.0.1057.86

linux-image-gkeop-5.4 (Ubuntu package): before 5.4.0.1077.75

linux-image-gkeop (Ubuntu package): before 5.4.0.1077.75

linux-image-generic-lpae (Ubuntu package): before 5.4.0.163.160

linux-image-generic (Ubuntu package): before 5.4.0.163.160

linux-image-gcp-lts-20.04 (Ubuntu package): before 5.4.0.1113.115

linux-image-azure-lts-20.04 (Ubuntu package): before 5.4.0.1116.109

linux-image-aws-lts-20.04 (Ubuntu package): before 5.4.0.1110.107

linux-image-5.4.0-163-lowlatency (Ubuntu package): before Ubuntu Pro

linux-image-5.4.0-163-generic-lpae (Ubuntu package): before 5.4.0-163.180

linux-image-5.4.0-163-generic (Ubuntu package): before Ubuntu Pro

linux-image-5.4.0-1116-azure (Ubuntu package): before Ubuntu Pro

linux-image-5.4.0-1113-gcp (Ubuntu package): before Ubuntu Pro

linux-image-5.4.0-1110-aws (Ubuntu package): before Ubuntu Pro

linux-image-5.4.0-1109-oracle (Ubuntu package): before Ubuntu Pro

linux-image-5.4.0-1099-kvm (Ubuntu package): before 5.4.0-1099.105

linux-image-5.4.0-1077-gkeop (Ubuntu package): before 5.4.0-1077.81

linux-image-5.4.0-1057-ibm (Ubuntu package): before Ubuntu Pro

linux-image-5.4.0-1030-xilinx-zynqmp (Ubuntu package): before 5.4.0-1030.34

linux-image-5.4.0-1022-iot (Ubuntu package): before 5.4.0-1022.23

linux-image-lowlatency-hwe-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-virtual-hwe-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-snapdragon-hwe-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-generic-hwe-18.04 (Ubuntu package): before Ubuntu Pro

linux-image-ibm (Ubuntu package): before Ubuntu Pro

linux-image-aws (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-gcp (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-azure (Ubuntu package): before Ubuntu Pro (Infra-only)

linux-image-oracle (Ubuntu package): before Ubuntu Pro (Infra-only)

Fixed software versions

CPE2.3

cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*

External links

http://ubuntu.com/security/notices/USN-6387-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Use-after-free

EUVDB-ID: #VU79714

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-40283

CWE-ID:

Exploit availability:

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the l2cap_sock_release() function in net/bluetooth/l2cap_sock.c. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.