SB2021041395 - Ubuntu update for linux

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Memory corruption (CVE-ID: CVE-2021-20239)

The vulnerability allows a local user to gain access to sensitive information.

A flaw was found in the Linux kernel in versions before 5.4.92 in the BPF protocol. This flaw allows an attacker with a local account to leak information about kernel internal addresses. The highest threat from this vulnerability is to confidentiality.

2) Input validation error (CVE-ID: CVE-2021-20268)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. A local user can crash the system or escalate privileges on the system.

3) Use-after-free (CVE-ID: CVE-2021-3347)

The vulnerability allows a local user to elevate privileges on the system.

The vulnerability exists due to a use-after-free error when handling PI futexes. A local user can run a specially crafted program to trigger a use-after-free error and execute arbitrary code with elevated privileges.

4) Use-after-free (CVE-ID: CVE-2021-3348)

The vulnerability allows a local authenticated user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the nbd_add_socket in drivers/block/nbd.c. A local authenticated user can trigger a use-after-free error and escalate privileges on the system.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-4910-1