SB2024070404 - Ubuntu update for linux

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2022-0001)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to non-transparent sharing of branch predictor selectors between contexts. A local user can gain unauthorized access to sensitive information on the system.

2) Processor optimization removal or modification of security-critical code (CVE-ID: CVE-2024-2201)

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to native branch history injection on x86 systems. A malicious guest can infer the contents of arbitrary host memory, including memory assigned to other guests and compromise the affected system.

3) Improper locking (CVE-ID: CVE-2024-26925)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the __nf_tables_abort() and nf_tables_abort() functions in net/netfilter/nf_tables_api.c. A local user can perform a denial of service (DoS) attack.

4) Race condition (CVE-ID: CVE-2024-26643)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within the nf_tables_unbind_set() function in net/netfilter/nf_tables_api.c. A local user can exploit the race and escalate privileges on the system.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-6868-1