SB2022030928 - Ubuntu update for linux

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2022-0001)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to non-transparent sharing of branch predictor selectors between contexts. A local user can gain unauthorized access to sensitive information on the system.

2) Information disclosure (CVE-ID: CVE-2022-0002)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to non-transparent sharing of branch predictor within a context. A local user can gain unauthorized access to sensitive information on the system.

3) Processor optimization removal or modification of security-critical code (CVE-ID: CVE-2022-23960)

The vulnerability allows a local user to obtain potentially sensitive information.

The vulnerability exists due to improper restrictions of cache speculation. A local user can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches and gain access to sensitive information.

The vulnerability was dubbed Spectre-BHB.

4) Heap-based buffer overflow (CVE-ID: CVE-2022-25636)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in net/netfilter/nf_dup_netdev.c in the Linux kernel, related to nf_tables_offload. A local user can trigger a heap-based buffer overflow and execute arbitrary code with elevated privileges.

Remediation

Install update from vendor's website.

References

• https://ubuntu.com/security/notices/USN-5318-1