New Kernel Security Updates Patch 19 Security Vulnerabilities
Canonical released new kernel security updates on 19th April 2023 for patching 17 security vulnerabilities found in the Ubuntu kernels. These Ubuntu kernel security updates are available for Ubuntu 22.10, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS users. The security updates have fixed 17 flaws, with three vulnerabilities affecting all three Ubuntu releases.
Those three vulnerabilities are CVE-2023-1281, a use-after-free vulnerability found in the Traffic Control Index (TCINDEX) implementation; CVE-2022-47929, a null pointer dereference found in the network queuing discipline implementation; and CVE-2023-26545, a double-free vulnerability discovered in the MPLS implementation.
They affect Ubuntu 22.10’s Linux kernel 5.19, Ubuntu 22.04 LTS’s Linux kernel 5.15, and all Ubuntu 20.04 LTS systems running the Linux 5.15 HWE (Hardware Enablement) kernel and allow a local attacker to cause a denial of service (system crash) or possibly execute arbitrary code.
Ubuntu Gets New Kernel Security Updates
For Ubuntu 22.10, the new kernel security updates patch additional vulnerabilities such as CVE-2023-0468 and CVE-2023-1032, a race condition and a double-free vulnerability found in the io_uring subsystem. Furthermore, the updates address CVE-2022-3424, a use-after-free vulnerability in the SGI GRU driver, and CVE-2022-41218, a use-after-free vulnerability discovered by Hyunwoo Kim in the DVB Core driver. These flaws can also result in a denial of service (system crash) or the execution of arbitrary code by a local attacker.
Ubuntu 22.04 LTS and Ubuntu 20.04 LTS systems using the Linux kernel 5.15 LTS also receive fixes for various security vulnerabilities. These include CVE-2023-0386, found in the OverlayFS implementation, which could enable a local attacker to gain elevated privileges. Additionally, CVE-2022-4129, a race condition in the Layer 2 Tunneling Protocol (L2TP) implementation, and CVE-2022-4842, a null pointer dereference in the NTFS file system implementation, received patches in these updates; both could allow a local attacker to cause a denial of service (system crash).
Similarly, CVE-2023-26606, a security vulnerability identified in the NTFS file system implementation that causes an out-of-bounds read, can potentially result in a system crash or reveal confidential information if exploited by a local attacker. CVE-2023-28328, which involves a null pointer dereference discovered by Wei Chen in the DVB USB AZ6027 driver, and CVE-2023-22997, a flaw detected in the module decompression implementation, both enable a local attacker to launch a denial of service attack that could lead to system crashes.
Furthermore, Ubuntu 22.04 LTS and Ubuntu 20.04 LTS users who use the Linux kernel 5.15 LTS will also receive fixes for CVE-2023-0394, a NULL pointer dereference vulnerability found by Kyle Zeng in the IPv6 implementation, and CVE-2023-1073, a type confusion vulnerability discovered in the Human Interface Device (HID) support driver. Both vulnerabilities can potentially allow a local attacker to cause a denial of service (system crash).
CVE-2023-1074, a memory leak discovered in the SCTP protocol implementation, and CVE-2023-1652, a security flaw found in the NFS implementation, were also patched in these updates. The former allows a local attacker to cause a denial of service (memory exhaustion), and the latter allows a local attacker to cause a denial of service (system crash) or disclose sensitive information (kernel memory).
Also, Canonical released new kernel security updates on 20th April for Ubuntu 20.04 LTS and Ubuntu 18.04 LTS users who use Linux kernel 5.4 LTS, as well as Ubuntu 18.04 LTS, Ubuntu 16.04 ESM, and Ubuntu 14.04 ESM systems running Linux kernel 4.15. Besides the above-mentioned vulnerabilities, these security updates address the CVE-2022-3903 and CVE-2022-3108 flaws.
The sources for this article include a story from 9to5Linux.com.