Issued:

2023-09-19

Updated:

2023-09-19

RHSA-2023:5255 - Important: kernel-rt security and bug fix update

Synopsis

Important: kernel-rt security and bug fix update

Type/Severity

Security Advisory Important

Topic

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.

'Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine- tuning for systems with extremely high determinism requirements.

Security Fix(es):

• kernel: bluetooth: Unauthorized management command execution (CVE-2023-2002)

• kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

• kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt() (CVE-2023-35788)

• hw: amd: Cross-Process Information Leak (CVE-2023-20593,zenbleed)

• kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090)

• kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001,ZDI-CAN-20721)

• kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function (CVE-2023-3776)

• kernel: netfilter: use-after-free due to improper element removal in nft_pipapo_remove() (CVE-2023-4004)

Bug Fix(es):

• kernel-rt: update RT source tree to the RHEL-8.8.z3 source tree (BZ#2227068)

• pods get restarted due to failed probes (BZ#2227238)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

Affected Products

Updated Packages

• kernel-rt-core-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-modules-extra-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-kvm-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-modules-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debug-core-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debug-kvm-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debuginfo-common-x86_64-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debug-modules-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debug-modules-extra-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debuginfo-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debug-debuginfo-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debug-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-debug-devel-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm
• kernel-rt-4.18.0-477.27.1.rt7.290.el8_8.src.rpm
• kernel-rt-devel-4.18.0-477.27.1.rt7.290.el8_8.x86_64.rpm

Fixes

• This content is not included.BZ - 2187308
• This content is not included.BZ - 2213260
• This content is not included.BZ - 2215768
• This content is not included.BZ - 2217845
• This content is not included.BZ - 2218672
• This content is not included.BZ - 2220892
• This content is not included.BZ - 2225097
• This content is not included.BZ - 2225275

CVEs

• CVE-2023-1637
• CVE-2023-2002
• CVE-2023-3090
• CVE-2023-3390
• CVE-2023-3776
• CVE-2023-4004
• CVE-2023-20593
• CVE-2023-35001
• CVE-2023-35788

References

• https://access.redhat.com/security/updates/classification/#important

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.