SB2022090609 - SUSE update for the Linux Kernel (Live Patch 1 for SLE 15 SP4)
Published: September 6, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-36516)
The vulnerability allows a remote attacker to perform a denial of service (DoS) or MitM attacks.
The vulnerability exists due to an error in the mixed IPID assignment method with the hash-based IPID assignment policy in Linux kernel. A remote attacker can inject data into a victim's TCP session or terminate that session.
2) Use-after-free (CVE-ID: CVE-2021-39698)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in Linux kernel. A local user can run a specially crafted program to trigger the use-after-free error and execute arbitrary code with elevated privileges.
3) Resource management error (CVE-ID: CVE-2022-2585)
The vulnerability allows a local user to perform a denial of service (DoS) attack or escalate privileges on the system.
The vulnerability exists due to improper management of internal resources in POSIX CPU timers when handling death of a process. A local user can crash the kernel or execute arbitrary code.
4) Input validation error (CVE-ID: CVE-2022-36946)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the nfqnl_mangle() function in net/netfilter/nfnetlink_queue.c in the Linux kernel when processing IPv6 packets. A remote attacker can send specially crafted packets to the system and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.