SB2023102372 - Ubuntu update for linux-oem-6.1

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2023-4244)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the Linux kernel netfilter: nf_tables component. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

2) Integer overflow (CVE-ID: CVE-2023-42752)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow within the __alloc_skb() function. A local user can trigger integer overflow and crash the kernel.

3) Out-of-bounds read (CVE-ID: CVE-2023-42755)

The vulnerability allows a local user to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the the IPv4 Resource Reservation Protocol (RSVP) classifier function in the Linux kernel. A local user can trigger an out-of-bounds read error and crash the Linux kernel.

4) Race condition (CVE-ID: CVE-2023-42756)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a race condition in the Netfilter subsystem. A local user can exploit the race  between IPSET_CMD_ADD and IPSET_CMD_SWAP and gain crash the kernel.

5) Use-after-free (CVE-ID: CVE-2023-5197)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within Linux kernel netfilter: nf_tables component. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-6443-1