Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2021-3493, CVE-2021-29154 |
CWE-ID | CWE-863, CWE-77 |
Exploitation vector | Local |
Public exploit | Vulnerability #1 is being exploited in the wild. |
Vulnerable software | Ubuntu (Operating systems & Components / Operating system); Ubuntu packages (Operating systems & Components / Operating system package or component): linux-image-virtual-lts-xenial, linux-image-powerpc64-smp-lts-xenial, linux-image-powerpc64-emb-lts-xenial, linux-image-powerpc-smp-lts-xenial, linux-image-powerpc-e500mc-lts-xenial, linux-image-lowlatency-lts-xenial, linux-image-generic-lts-xenial, linux-image-generic-lpae-lts-xenial, linux-image-4.4.0-1091-aws, linux-image-azure, linux-image-aws, linux-image-4.4.0-209-powerpc64-smp, linux-image-4.4.0-209-powerpc64-emb, linux-image-4.4.0-209-powerpc-smp, linux-image-4.4.0-209-powerpc-e500mc, linux-image-4.4.0-209-lowlatency, linux-image-4.4.0-209-generic-lpae, linux-image-4.4.0-209-generic, linux-image-4.15.0-1113-azure, linux-image-virtual, linux-image-snapdragon, linux-image-raspi2, linux-image-oracle-lts-18.04, linux-image-lowlatency, linux-image-kvm, linux-image-generic-lpae, linux-image-generic, linux-image-gcp-lts-18.04, linux-image-dell300x, linux-image-azure-lts-18.04, linux-image-aws-lts-18.04, linux-image-4.15.0-142-lowlatency, linux-image-4.15.0-142-generic-lpae, linux-image-4.15.0-142-generic, linux-image-4.15.0-1101-snapdragon, linux-image-4.15.0-1099-aws, linux-image-4.15.0-1098-gcp, linux-image-4.15.0-1090-kvm, linux-image-4.15.0-1084-raspi2, linux-image-4.15.0-1070-oracle, linux-image-4.15.0-1017-dell300x, linux-image-virtual-hwe-16.04, linux-image-powerpc64-smp, linux-image-powerpc64-emb, linux-image-powerpc-smp, linux-image-powerpc-e500mc, linux-image-oracle, linux-image-oem, linux-image-lowlatency-hwe-16.04, linux-image-gke, linux-image-generic-lpae-hwe-16.04, linux-image-generic-hwe-16.04, linux-image-gcp, linux-image-aws-hwe, linux-image-4.4.0-1155-snapdragon, linux-image-4.4.0-1151-raspi2, linux-image-4.4.0-1127-aws, linux-image-4.4.0-1092-kvm |
Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU92413
Risk: Low
CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]
CVE-ID: CVE-2021-3493
CWE-ID:
CWE-863 - Incorrect Authorization
Exploit availability: Yes
Description
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to an incorrect authorization error within the validheader() and cap_convert_nscap() functions in security/commoncap.c, and within the vfs_setxattr() and setxattr() functions in fs/xattr.c. A local user can execute arbitrary code.
Mitigation
Update the affected package linux to the latest version.
Vulnerable software versions
Ubuntu: 14.04 - 18.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-powerpc64-smp-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-powerpc64-emb-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-powerpc-smp-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-powerpc-e500mc-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-generic-lpae-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-4.4.0-1091-aws (Ubuntu package): before 4.4.0-1091.95
linux-image-azure (Ubuntu package): before 4.15.0.1113.86
linux-image-aws (Ubuntu package): before 4.4.0.1091.88
linux-image-4.4.0-209-powerpc64-smp (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-powerpc64-emb (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-powerpc-smp (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-powerpc-e500mc (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-lowlatency (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-generic-lpae (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-generic (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.15.0-1113-azure (Ubuntu package): before 4.15.0-1113.126~14.04.1
linux-image-virtual (Ubuntu package): before 4.4.0.209.215
linux-image-snapdragon (Ubuntu package): before 4.4.0.1155.147
linux-image-raspi2 (Ubuntu package): before 4.4.0.1151.151
linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1070.80
linux-image-lowlatency (Ubuntu package): before 4.4.0.209.215
linux-image-kvm (Ubuntu package): before 4.4.0.1092.90
linux-image-generic-lpae (Ubuntu package): before 4.4.0.209.215
linux-image-generic (Ubuntu package): before 4.4.0.209.215
linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1098.116
linux-image-dell300x (Ubuntu package): before 4.15.0.1017.19
linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1113.86
linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1099.102
linux-image-4.15.0-142-lowlatency (Ubuntu package): before 4.15.0-142.146~16.04.1
linux-image-4.15.0-142-generic-lpae (Ubuntu package): before 4.15.0-142.146~16.04.1
linux-image-4.15.0-142-generic (Ubuntu package): before 4.15.0-142.146~16.04.1
linux-image-4.15.0-1101-snapdragon (Ubuntu package): before 4.15.0-1101.110
linux-image-4.15.0-1099-aws (Ubuntu package): before 4.15.0-1099.106~16.04.1
linux-image-4.15.0-1098-gcp (Ubuntu package): before 4.15.0-1098.111~16.04.1
linux-image-4.15.0-1090-kvm (Ubuntu package): before 4.15.0-1090.92
linux-image-4.15.0-1084-raspi2 (Ubuntu package): before 4.15.0-1084.89
linux-image-4.15.0-1070-oracle (Ubuntu package): before 4.15.0-1070.78~16.04.1
linux-image-4.15.0-1017-dell300x (Ubuntu package): before 4.15.0-1017.21
linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.142.137
linux-image-powerpc64-smp (Ubuntu package): before 4.4.0.209.215
linux-image-powerpc64-emb (Ubuntu package): before 4.4.0.209.215
linux-image-powerpc-smp (Ubuntu package): before 4.4.0.209.215
linux-image-powerpc-e500mc (Ubuntu package): before 4.4.0.209.215
linux-image-oracle (Ubuntu package): before 4.15.0.1070.58
linux-image-oem (Ubuntu package): before 4.15.0.142.137
linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.142.137
linux-image-gke (Ubuntu package): before 4.15.0.1098.99
linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.142.137
linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.142.137
linux-image-gcp (Ubuntu package): before 4.15.0.1098.99
linux-image-aws-hwe (Ubuntu package): before 4.15.0.1099.92
linux-image-4.4.0-1155-snapdragon (Ubuntu package): before 4.4.0-1155.165
linux-image-4.4.0-1151-raspi2 (Ubuntu package): before 4.4.0-1151.162
linux-image-4.4.0-1127-aws (Ubuntu package): before 4.4.0-1127.141
linux-image-4.4.0-1092-kvm (Ubuntu package): before 4.4.0-1092.101
https://ubuntu.com/security/notices/USN-4916-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU56241
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-29154
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect computation of branch displacements within the BPF JIT compilers in the Linux kernel, in arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. A local user can inject and execute arbitrary commands with elevated privileges.
Mitigation
Update the affected package linux to the latest version.
Vulnerable software versions
Ubuntu: 14.04 - 18.04
linux-image-virtual-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-powerpc64-smp-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-powerpc64-emb-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-powerpc-smp-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-powerpc-e500mc-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-lowlatency-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-generic-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-generic-lpae-lts-xenial (Ubuntu package): before 4.4.0.209.182
linux-image-4.4.0-1091-aws (Ubuntu package): before 4.4.0-1091.95
linux-image-azure (Ubuntu package): before 4.15.0.1113.86
linux-image-aws (Ubuntu package): before 4.4.0.1091.88
linux-image-4.4.0-209-powerpc64-smp (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-powerpc64-emb (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-powerpc-smp (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-powerpc-e500mc (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-lowlatency (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-generic-lpae (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.4.0-209-generic (Ubuntu package): before 4.4.0-209.241~14.04.1
linux-image-4.15.0-1113-azure (Ubuntu package): before 4.15.0-1113.126~14.04.1
linux-image-virtual (Ubuntu package): before 4.4.0.209.215
linux-image-snapdragon (Ubuntu package): before 4.4.0.1155.147
linux-image-raspi2 (Ubuntu package): before 4.4.0.1151.151
linux-image-oracle-lts-18.04 (Ubuntu package): before 4.15.0.1070.80
linux-image-lowlatency (Ubuntu package): before 4.4.0.209.215
linux-image-kvm (Ubuntu package): before 4.4.0.1092.90
linux-image-generic-lpae (Ubuntu package): before 4.4.0.209.215
linux-image-generic (Ubuntu package): before 4.4.0.209.215
linux-image-gcp-lts-18.04 (Ubuntu package): before 4.15.0.1098.116
linux-image-dell300x (Ubuntu package): before 4.15.0.1017.19
linux-image-azure-lts-18.04 (Ubuntu package): before 4.15.0.1113.86
linux-image-aws-lts-18.04 (Ubuntu package): before 4.15.0.1099.102
linux-image-4.15.0-142-lowlatency (Ubuntu package): before 4.15.0-142.146~16.04.1
linux-image-4.15.0-142-generic-lpae (Ubuntu package): before 4.15.0-142.146~16.04.1
linux-image-4.15.0-142-generic (Ubuntu package): before 4.15.0-142.146~16.04.1
linux-image-4.15.0-1101-snapdragon (Ubuntu package): before 4.15.0-1101.110
linux-image-4.15.0-1099-aws (Ubuntu package): before 4.15.0-1099.106~16.04.1
linux-image-4.15.0-1098-gcp (Ubuntu package): before 4.15.0-1098.111~16.04.1
linux-image-4.15.0-1090-kvm (Ubuntu package): before 4.15.0-1090.92
linux-image-4.15.0-1084-raspi2 (Ubuntu package): before 4.15.0-1084.89
linux-image-4.15.0-1070-oracle (Ubuntu package): before 4.15.0-1070.78~16.04.1
linux-image-4.15.0-1017-dell300x (Ubuntu package): before 4.15.0-1017.21
linux-image-virtual-hwe-16.04 (Ubuntu package): before 4.15.0.142.137
linux-image-powerpc64-smp (Ubuntu package): before 4.4.0.209.215
linux-image-powerpc64-emb (Ubuntu package): before 4.4.0.209.215
linux-image-powerpc-smp (Ubuntu package): before 4.4.0.209.215
linux-image-powerpc-e500mc (Ubuntu package): before 4.4.0.209.215
linux-image-oracle (Ubuntu package): before 4.15.0.1070.58
linux-image-oem (Ubuntu package): before 4.15.0.142.137
linux-image-lowlatency-hwe-16.04 (Ubuntu package): before 4.15.0.142.137
linux-image-gke (Ubuntu package): before 4.15.0.1098.99
linux-image-generic-lpae-hwe-16.04 (Ubuntu package): before 4.15.0.142.137
linux-image-generic-hwe-16.04 (Ubuntu package): before 4.15.0.142.137
linux-image-gcp (Ubuntu package): before 4.15.0.1098.99
linux-image-aws-hwe (Ubuntu package): before 4.15.0.1099.92
linux-image-4.4.0-1155-snapdragon (Ubuntu package): before 4.4.0-1155.165
linux-image-4.4.0-1151-raspi2 (Ubuntu package): before 4.4.0-1151.162
linux-image-4.4.0-1127-aws (Ubuntu package): before 4.4.0-1127.141
linux-image-4.4.0-1092-kvm (Ubuntu package): before 4.4.0-1092.101
https://ubuntu.com/security/notices/USN-4916-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.