SB20231017125 - Red Hat Enterprise Linux 8 update for kernel-rt

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Information exposure through microarchitectural state after transient execution (CVE-ID: CVE-2023-1637)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due speculative execution behavior in the Linux kernel X86 CPU Power management options functionality. A local user can gain access to sensitive information.

2) Use-after-free (CVE-ID: CVE-2023-3609)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the the Linux kernel net/sched: cls_u32 component. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

3) Use-after-free (CVE-ID: CVE-2023-3776)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the the Linux kernel's net/sched: cls_fw component. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

4) Use-after-free (CVE-ID: CVE-2023-4128)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2023:5794