SUSE update for the Linux Kernel
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2020-36310 CVE-2020-36312 CVE-2020-36322 CVE-2021-28950 CVE-2021-29155 CVE-2021-29650 CVE-2021-3444 |
| CWE-ID | CWE-835 CWE-401 CWE-404 CWE-834 CWE-125 CWE-119 |
| Exploitation vector | Local |
| Public exploit | Public exploit code for vulnerability #5 is available. |
| Vulnerable software |
SUSE Linux Enterprise Server Operating systems & Components / Operating system kernel-syms-azure Operating systems & Components / Operating system package or component kernel-azure-devel Operating systems & Components / Operating system package or component kernel-azure-debugsource Operating systems & Components / Operating system package or component kernel-azure-debuginfo Operating systems & Components / Operating system package or component kernel-azure-base-debuginfo Operating systems & Components / Operating system package or component kernel-azure-base Operating systems & Components / Operating system package or component kernel-azure Operating systems & Components / Operating system package or component kernel-source-azure Operating systems & Components / Operating system package or component kernel-devel-azure Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Infinite loop
EUVDB-ID: #VU61272
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-36310
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in set_memory_region_test in arch/x86/kvm/svm/svm.c. A local user can consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected package the Linux Kernel to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP5
kernel-syms-azure: before 4.12.14-16.56.1
kernel-azure-devel: before 4.12.14-16.56.1
kernel-azure-debugsource: before 4.12.14-16.56.1
kernel-azure-debuginfo: before 4.12.14-16.56.1
kernel-azure-base-debuginfo: before 4.12.14-16.56.1
kernel-azure-base: before 4.12.14-16.56.1
kernel-azure: before 4.12.14-16.56.1
kernel-source-azure: before 4.12.14-16.56.1
kernel-devel-azure: before 4.12.14-16.56.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:kernel-syms-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-source-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-devel-azure:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20211572-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory leak
EUVDB-ID: #VU67183
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-36312
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform DoS attack on the target system.
The vulnerability exists in the KVM hypervisor of the Linux kernel. A local user can force the application to leak memory and perform denial of service attack.
MitigationUpdate the affected package the Linux Kernel to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP5
kernel-syms-azure: before 4.12.14-16.56.1
kernel-azure-devel: before 4.12.14-16.56.1
kernel-azure-debugsource: before 4.12.14-16.56.1
kernel-azure-debuginfo: before 4.12.14-16.56.1
kernel-azure-base-debuginfo: before 4.12.14-16.56.1
kernel-azure-base: before 4.12.14-16.56.1
kernel-azure: before 4.12.14-16.56.1
kernel-source-azure: before 4.12.14-16.56.1
kernel-devel-azure: before 4.12.14-16.56.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:kernel-syms-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-source-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-devel-azure:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20211572-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Resource Shutdown or Release
EUVDB-ID: #VU59473
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-36322
CWE-ID:
CWE-404 - Improper Resource Shutdown or Release
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists in the FUSE filesystem implementation in the Linux kernel due to fuse_do_getattr() calls make_bad_inode() in inappropriate situations. A local user can run a specially crafted program to trigger kernel crash.
Note, the vulnerability exists due to incomplete fix for #VU58207 (CVE-2021-28950).
Update the affected package the Linux Kernel to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP5
kernel-syms-azure: before 4.12.14-16.56.1
kernel-azure-devel: before 4.12.14-16.56.1
kernel-azure-debugsource: before 4.12.14-16.56.1
kernel-azure-debuginfo: before 4.12.14-16.56.1
kernel-azure-base-debuginfo: before 4.12.14-16.56.1
kernel-azure-base: before 4.12.14-16.56.1
kernel-azure: before 4.12.14-16.56.1
kernel-source-azure: before 4.12.14-16.56.1
kernel-devel-azure: before 4.12.14-16.56.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:kernel-syms-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-source-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-devel-azure:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20211572-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Excessive Iteration
EUVDB-ID: #VU58207
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-28950
CWE-ID:
CWE-834 - Excessive Iteration
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive iteration in fs/fuse/fuse_i.h in the Linux kernel. A local user can run a specially crafted program to perform a denial of service attack.
Update the affected package the Linux Kernel to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP5
kernel-syms-azure: before 4.12.14-16.56.1
kernel-azure-devel: before 4.12.14-16.56.1
kernel-azure-debugsource: before 4.12.14-16.56.1
kernel-azure-debuginfo: before 4.12.14-16.56.1
kernel-azure-base-debuginfo: before 4.12.14-16.56.1
kernel-azure-base: before 4.12.14-16.56.1
kernel-azure: before 4.12.14-16.56.1
kernel-source-azure: before 4.12.14-16.56.1
kernel-devel-azure: before 4.12.14-16.56.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:kernel-syms-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-source-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-devel-azure:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20211572-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds read
EUVDB-ID: #VU67490
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2021-29155
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism. A local, special user privileged (CAP_SYS_ADMIN) BPF program running on affected systems may bypass the protection, and execute speculatively out-of-bounds loads from the kernel memory.
MitigationUpdate the affected package the Linux Kernel to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP5
kernel-syms-azure: before 4.12.14-16.56.1
kernel-azure-devel: before 4.12.14-16.56.1
kernel-azure-debugsource: before 4.12.14-16.56.1
kernel-azure-debuginfo: before 4.12.14-16.56.1
kernel-azure-base-debuginfo: before 4.12.14-16.56.1
kernel-azure-base: before 4.12.14-16.56.1
kernel-azure: before 4.12.14-16.56.1
kernel-source-azure: before 4.12.14-16.56.1
kernel-devel-azure: before 4.12.14-16.56.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:kernel-syms-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-source-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-devel-azure:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20211572-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Buffer overflow
EUVDB-ID: #VU56240
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-29650
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the netfilter subsystem in net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h. A local user can trigger memory corruption upon the assignment of a new table value and cause denial of service.
Update the affected package the Linux Kernel to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP5
kernel-syms-azure: before 4.12.14-16.56.1
kernel-azure-devel: before 4.12.14-16.56.1
kernel-azure-debugsource: before 4.12.14-16.56.1
kernel-azure-debuginfo: before 4.12.14-16.56.1
kernel-azure-base-debuginfo: before 4.12.14-16.56.1
kernel-azure-base: before 4.12.14-16.56.1
kernel-azure: before 4.12.14-16.56.1
kernel-source-azure: before 4.12.14-16.56.1
kernel-devel-azure: before 4.12.14-16.56.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:kernel-syms-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-source-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-devel-azure:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20211572-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU90368
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-3444
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to an out-of-bounds read error within the fixup_bpf_calls() function in kernel/bpf/verifier.c. A local user can execute arbitrary code.
MitigationUpdate the affected package the Linux Kernel to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 12-SP5
kernel-syms-azure: before 4.12.14-16.56.1
kernel-azure-devel: before 4.12.14-16.56.1
kernel-azure-debugsource: before 4.12.14-16.56.1
kernel-azure-debuginfo: before 4.12.14-16.56.1
kernel-azure-base-debuginfo: before 4.12.14-16.56.1
kernel-azure-base: before 4.12.14-16.56.1
kernel-azure: before 4.12.14-16.56.1
kernel-source-azure: before 4.12.14-16.56.1
kernel-devel-azure: before 4.12.14-16.56.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:*
- cpe:2.3:o:suse:kernel-syms-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure-base:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-source-azure:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:o:suse:kernel-devel-azure:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2021/suse-su-20211572-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
